{"id":11003,"date":"2025-11-20T08:00:35","date_gmt":"2025-11-20T16:00:35","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cosmosdb\/?p=11003"},"modified":"2025-11-14T09:44:23","modified_gmt":"2025-11-14T17:44:23","slug":"announcing-private-preview-safe-account-key-rotation-using-account-key-usage-metadata","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cosmosdb\/announcing-private-preview-safe-account-key-rotation-using-account-key-usage-metadata\/","title":{"rendered":"Announcing Private Preview: Safe Account Key rotation using Account Key Usage Metadata"},"content":{"rendered":"

Account Key Usage Metadata is a new security and observability feature that helps Azure Cosmos DB customers avoid service disruptions during key rotations. <\/span>It provides visibility <\/span>when each account key was last used<\/span><\/b>, allowing teams to make informed decisions before rotating or <\/span>migrating to Entra ID.<\/span><\/b>\u00a0<\/span><\/p>\n

This feature addresses a common challenge of rotating a key that appears unused but is still actively relied upon by critical applications\u2014leading to unexpected outages.<\/span><\/p>\n

How Does It Work?<\/span><\/span>\u00a0<\/span><\/h2>\n

In the <\/span><\/span>private preview<\/span><\/span>,<\/span> o<\/span>n your Azure Cosmos DB account, y<\/span>ou<\/span> can view the <\/span><\/span>last usage timestamp<\/span><\/span><\/strong> for each key. This timestamp reflects the most recent operation that used the key.<\/span><\/span>\u00a0<\/span><\/p>\n

\"Image<\/a><\/p>\n

To <\/span>identify<\/span> w<\/span>hich applications are using the key<\/span>, <\/span>you<\/span> can <\/span><\/span>enable diagnostic <\/span>logging, which <\/span><\/span>provides detailed telemetry including user agents and operation types.<\/span><\/span>\u00a0<\/span><\/p>\n

Why Is It Important?<\/span>\u00a0<\/span><\/h2>\n
    \n
  • Prevents outages or disruption to your applications<\/span><\/b>: Avoids accidental rotation of actively used keys.<\/span>\u00a0<\/span><\/li>\n
  • Improve security hygiene<\/span><\/b>: Encourages safe and intentional key rotation.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

    This is especially valuable for:<\/span>\u00a0<\/span><\/p>\n

      \n
    • Disable local authentication<\/strong>: Provides confidence that keys are no longer in use before migrating to Entra ID.<\/span>\u00a0<\/span><\/li>\n
    • Infrequently used keys<\/span><\/b>: Monthly or yearly jobs that still depend on keys.<\/span>\u00a0<\/span><\/li>\n
    • Shared keys across teams<\/span><\/b>: Where visibility is often limited.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

      How to Onboard and Use It<\/span>\u00a0<\/span><\/h2>\n