Key Benefits of Enabling Entra ID of Azure Cosmos DB<\/h2>\nEliminates account keys<\/h4>\n
Account keys grant full, unrestricted access to all databases, containers, and items. If leaked, they create immediate high\u2011severity exposure. Disabling local authentication removes these long\u2011lived primary and secondary keys. All access flows through Microsoft Entra ID, significantly reducing the attack surface<\/p>\n
Fine\u2011grained, least\u2011privilege data\u2011plane roles<\/h4>\n
Cosmos DB\u2019s native data plane RBAC delivers precise, operations-scoped permissions so every identity gets only the actions it truly needs, nothing more. By eliminating broad, all\u2011powerful keys and replacing them with tightly bounded, auditable role assignments, it dramatically reduces lateral movement risk and enforces clear, least\u2011privilege access boundaries aligned with Zero Trust.<\/p>\n
Zero Trust Controls and governance with Azure RBAC<\/h4>\n
Once local auth is disabled, all access must flow through Azure RBAC or Cosmos DB\u2019s native data\u2011plane RBAC roles. This ensures every user, app, or managed identity has explicit permissions rather than \u201cgod\u2011mode\u201d keys.<\/p>\n
Clear separation of duties<\/h4>\n
Instead of everyone sharing account keys, teams get purpose\u2011built roles:<\/p>\n
- \n
- Operators manage account\u2011level settings<\/li>\n
- Developers build apps with scoped data access<\/li>\n
- Security teams audit activity through Azure Monitor and Entra ID logs<\/li>\n<\/ul>\n
How to Get Started<\/h2>\n
Step 1 \u2014 Disable Local Authentication<\/h3>\n
Disabling key\u2011based authentication forces all callers to authenticate using Entra ID. You can do this for new accounts or existing accounts.<\/p>\n
For a New Cosmos DB Account (Azure Portal)<\/h4>\n
- \n
- Go to Create Azure Cosmos DB Account<\/strong>.<\/li>\n
- Navigate to the Security<\/strong> tab.<\/li>\n
- Under Key-based authentication<\/strong>, select Disable<\/strong>.<\/li>\n
- Complete the remaining steps and deploy.<\/li>\n<\/ol>\n
![\"Key](\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2026\/02\/Key-based-auth-1024x210.png\")
<\/a><\/p>\n<\/h4>\n
<\/h4>\n
<\/h4>\n
<\/h4>\n
<\/h4>\n
For an Existing Cosmos DB Account (Azure CLI)<\/h4>\n
az resource update --resource-group \"<name-of-existing-resource-group>\" --name \"<name-of-existing-account>\" --resource-type \"Microsoft.DocumentDB\/databaseAccounts\" --set properties.disableLocalAuth=true<\/code><\/pre>\nStep 2 \u2014 Configure Control Plane RBAC<\/h3>\n
Control plane roles govern management operations such as creating databases or adjusting account\u2011level settings. These apply to ARM operations, not data access. Common built-in roles include:<\/p>\n
- \n
- Cosmos DB Operator<\/li>\n
- Cosmos DB Account Reader<\/li>\n
- DocumentDB Account Contributor<\/li>\n<\/ul>\n
Assign a Built-in Role (Azure Portal)<\/strong><\/h4>\n
- \n
- Navigate to Access control (IAM)<\/strong><\/li>\n
- Click on Add<\/strong> > Add role assignment<\/strong><\/li>\n
- In the search bar, type in Cosmos DB Operator<\/strong>, select and choose Next<\/strong>.<\/li>\n
- Click Select members<\/strong> and search for the user to assign the role.<\/li>\n
- Lastly, Review + assign.<\/strong><\/li>\n<\/ul>\n
Assign a Built-in Role (Azure CLI)<\/strong><\/h4>\n
Built-in role can also be assigned using Azure CLI<\/p>\n
az role assignment create\u00a0--assignee <principal-id-or-upn>\u00a0--role \"Cosmos DB Operator\"\u00a0--scope \/subscriptions\/<sub-id>\/resourceGroups\/<rg>\/providers\/Microsoft.DocumentDB\/databaseAccounts\/<account><\/code><\/pre>\nStep 3 \u2014 Configure Native Data Plane RBAC<\/h3>\n
Data plane RBAC determines who can read, write, or delete items within a database or container.<\/p>\n
Built\u2011in data plane roles include:<\/p>\n
- \n
- Cosmos DB Built-in Data Reader <\/strong>(id – <\/strong>00000000-0000-0000-0000-000000000001)<\/li>\n
- Cosmos DB Built-in Data Contributor <\/strong>(id – <\/strong>00000000-0000-0000-0000-000000000002)<\/li>\n<\/ul>\n
a. Assign a Built-in data plane role (Azure CLI)<\/strong><\/h4>\n
Use the role definition id of the built\u2011in role to create the appropriate role assignment, Cosmos DB Built-in Data Contributor<\/em> role in this example.<\/p>\n
az cosmosdb sql role assignment create --resource-group \u201c<rg>\u201d --account-name \u201c<accountname>\u201d --role-definition-id \u201c00000000-0000-0000-0000-000000000002\u201d --principal-id \u201c<principal-id>\u201d --scope \/subscriptions\/<sub-id>\/resourceGroups\/<rg>\/providers\/Microsoft.DocumentDB\/databaseAccounts\/<account><\/code><\/pre>\nb. List All Role Assignments (Optional)<\/strong><\/h4>\n
Run this to confirm\/validate role assignments.<\/p>\n
az cosmosdb sql role assignment list --resource-group \u201c<rg>\u201d --account-name \u201c<accountname>\u201d<\/code><\/pre>\nConclusion<\/h2>\n
Moving to Microsoft Entra ID is one of the most impactful steps you can take to strengthen Azure Cosmos DB security. By eliminating account keys and adopting modern RBAC for both the control and data plane, you reduce risk, improve auditability, and align with Zero Trust best practices. Identity\u2011driven access is the new default. With these capabilities, Cosmos DB gives customers a cleaner, more secure foundation for cloud\u2011native applications.<\/p>\n
References<\/h2>\n
- \n
- Connect to Azure Cosmos DB for NoSQL using role-based access control and Microsoft Entra ID<\/a><\/li>\n
- Azure permissions for Databases: Microsoft.DocumentDB<\/a><\/li>\n
- Azure Cosmos DB for NoSQL data plane security reference: Built-in actions<\/a><\/li>\n<\/ul>\n
About Azure Cosmos DB<\/strong><\/h2>\n
Azure Cosmos DB is a fully managed and serverless NoSQL and vector database for modern app development, including AI applications. With its SLA-backed speed and availability as well as instant dynamic scalability, it is ideal for real-time NoSQL and MongoDB applications that require high performance and distributed computing over massive volumes of NoSQL and vector data.<\/p>\n
To stay in the loop on Azure Cosmos DB updates, follow us on\u00a0X<\/a>,\u00a0YouTube<\/a>, and\u00a0LinkedIn<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
Strengthen Identity Security and Eliminate Account Keys Identity is becoming the new security perimeter. As organizations modernize their cloud applications, long\u2011lived secrets and shared keys introduce unnecessary risk. Azure Cosmos DB now fully supports Microsoft Entra ID for both control plane and data plane access, giving customers a secure, passwordless, least\u2011privilege alternative to legacy key\u2011based […]<\/p>\n","protected":false},"author":188311,"featured_media":11845,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1980,1918,667],"tags":[499,1963,668],"class_list":["post-11843","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-cosmos-db","category-rbac","category-security","tag-azure-cosmos-db","tag-entra-id","tag-security"],"acf":[],"blog_post_summary":"
Strengthen Identity Security and Eliminate Account Keys Identity is becoming the new security perimeter. As organizations modernize their cloud applications, long\u2011lived secrets and shared keys introduce unnecessary risk. Azure Cosmos DB now fully supports Microsoft Entra ID for both control plane and data plane access, giving customers a secure, passwordless, least\u2011privilege alternative to legacy key\u2011based […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/11843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/users\/188311"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/comments?post=11843"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/11843\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media\/11845"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media?parent=11843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/categories?post=11843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/tags?post=11843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Azure permissions for Databases: Microsoft.DocumentDB<\/a><\/li>\n
- Cosmos DB Built-in Data Contributor <\/strong>(id – <\/strong>00000000-0000-0000-0000-000000000002)<\/li>\n<\/ul>\n
- Click on Add<\/strong> > Add role assignment<\/strong><\/li>\n
- Navigate to Access control (IAM)<\/strong><\/li>\n
- Navigate to the Security<\/strong> tab.<\/li>\n
- Go to Create Azure Cosmos DB Account<\/strong>.<\/li>\n
![\"Key](\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2026\/02\/Key-based-auth.png\")
<\/a><\/p>\n