Role-based access control with Azure AD now in preview

Thomas Weiss

The public preview of role-based access control (RBAC) for the Azure Cosmos DB Core (SQL) API was announced today at Microsoft Ignite. With RBAC in Azure Cosmos DB, you can now:

  • Authenticate your data requests with an Azure Active Directory (AD) identity.
  • Authorize your data requests with a fine-grained, role-based permission model.
  • Audit your diagnostic logs to retrieve the Azure AD identity used when accessing your data.

What is RBAC?

The concepts exposed by the Azure Cosmos DB RBAC should look very familiar to anyone who has used Azure RBAC before.

  • Our new permission model exposes a set of actions that map to database operations (like writing a document or executing a query).
  • You can create role definitions by assembling a list of actions that a role should allow.
  • You associate your role definitions with Azure AD identities through role assignments. Roles can be assigned at the Azure Cosmos DB account, database or container levels.

Role-based access control concepts
Example of role definition and assignment

The granularity of the permission model lets you control very precisely what a client is allowed to do. Some examples of custom role definitions:

  • A read-only role that can only fetch documents by their ID, but not run queries or read from the change feed.
  • A role that can only insert new documents to an Azure Cosmos DB container, but not read, replace or delete documents.

Find the complete list of available actions.

Managing your role

To create your role definitions and assignments, you can use new PowerShell cmdlets or Azure CLI commands. Here is a PowerShell example, showing how to create a read-only role and assign it to an Azure AD identity:

No more primary keys!

Once your role definitions and assignments have been created, you can start using an Azure AD identity instead of your Azure Cosmos DB account’s primary key. When initializing the SDK, just replace the primary key with a TokenCredential instance that will resolve to the desired identity:
This is currently supported in our .NET and Java SDKs, with broader support coming soon.

Advanced auditing of data requests

When you use the Azure Cosmos DB RBAC, the logging of your data plane requests gets augmented with identity and authorization information. For each data operation received by your Azure Cosmos DB account, you can query:
  • The Azure AD identity used to authenticate the request.
  • The ID of the role assignment used to authorize the request.
| where ResourceProvider == "MICROSOFT.DOCUMENTDB"
    and Category == "DataPlaneRequests"
    and ResourceId == "<yourAccountResourceId>"
    and OperationName == 'Query'
| summarize by aadPrincipalId_g, aadAppliedRoleAssignmentId_g

Getting started

You can start using role-based access control today to tighten the access control to your Azure Cosmos DB resources. Just head to the detailed documentation of the Azure Cosmos DB RBAC to get started!

New to Azure Cosmos DB?


Discussion is closed. Login to edit/delete existing comments.

Feedback usabilla icon