{"id":11896,"date":"2026-04-29T11:13:59","date_gmt":"2026-04-29T18:13:59","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cosmosdb\/?p=11896"},"modified":"2026-04-30T10:56:50","modified_gmt":"2026-04-30T17:56:50","slug":"announcing-the-private-preview-of-cosmos-db-azure-rbac-integration","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cosmosdb\/announcing-the-private-preview-of-cosmos-db-azure-rbac-integration\/","title":{"rendered":"Announcing the Private Preview of Cosmos DB Azure RBAC Integration"},"content":{"rendered":"<h2>Introduction<\/h2>\n<p>Managing access to Azure resources often means dealing with two separate permission models: one for management operations and another for data access. For Azure Cosmos DB customers, this split can increase complexity, slow down onboarding, and create confusion around governance and security boundaries.<\/p>\n<p>Today, we\u2019re excited to announce the private preview of Integrated Azure RBAC for Cosmos DB, a major step toward a unified, intuitive permissions experience across Azure. This new capability brings Cosmos DB data plane authorization directly into Azure RBAC, allowing customers to manage both management and data access using a single, familiar permissions model. With this integration, access management becomes simpler and clearer while remaining easy to operationalize across development, test, and production environments.<\/p>\n<h2>What\u2019s New<\/h2>\n<h3>Unified Role Management in the Azure Portal<\/h3>\n<p>Cosmos DB data plane roles now appear alongside existing Azure RBAC roles in the Azure portal. 
This unified view allows administrators to manage permissions from a single, consistent place using the same workflows they already know.<\/p>\n<h3>New Built\u2011in Roles<\/h3>\n<p>Two new roles have been introduced for operations:<\/p>\n<ul>\n<li>Cosmos DB Data Reader &#8211; Allows Cosmos DB data plane read access<\/li>\n<li>Cosmos DB Data Contributor &#8211; Allows Cosmos DB data plane read and write access<\/li>\n<\/ul>\n<h3>Consistent Entra ID Experience Across Azure<\/h3>\n<p>Applications and developers authenticating with Microsoft Entra ID can now use the same identity, role assignment, and governance patterns they already rely on across Azure services. There\u2019s no separate permission model to learn or maintain; Cosmos DB data access follows established Azure RBAC conventions.<\/p>\n<h2>Why It Matters<\/h2>\n<ul>\n<li>Faster time to production through a single authorization model<\/li>\n<li>Fewer security misconfigurations caused by split permission systems<\/li>\n<li>Stronger governance using consistent Entra ID identities and auditing<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>How It Works<\/h2>\n<p>When you opt in to the private preview, you\u2019ll see the following experience:<\/p>\n<ol>\n<li>Create or open an existing Azure Cosmos DB account.<\/li>\n<li>Navigate to <strong>Access Control (IAM)<\/strong> in the Azure portal.<\/li>\n<li>Cosmos DB data plane RBAC roles appear directly within the existing role assignment UI.<\/li>\n<li>Assign <em><strong>Cosmos DB Data Reader<\/strong><\/em> or <strong><em>Cosmos DB Data Contributor<\/em><\/strong> just like any other Azure role.<\/li>\n<li>Applications and users authenticating with Microsoft Entra ID gain data access based on their assigned role.<\/li>\n<\/ol>\n<p>There\u2019s no new permission system to learn since everything follows established Azure RBAC patterns. 
Existing data plane authorization mechanisms will continue to work, allowing customers to adopt Integrated Azure RBAC incrementally without breaking existing applications.<\/p>\n<h2>Limitations in Private Preview<\/h2>\n<p>To ensure quality and safety during the preview:<\/p>\n<ul>\n<li>Access experience will be available only via a feature flag<\/li>\n<li>Role definition, scope support and UX may evolve as we gather customer feedback<\/li>\n<li>Not recommended for production workloads<\/li>\n<li>Custom roles are currently not supported<\/li>\n<\/ul>\n<h2>Join the Private Preview<\/h2>\n<p>We are looking to partner with early adopters to validate the experience and shape the final release. This private preview is ideal for customers who want to simplify Cosmos DB access governance and align data authorization with existing Azure RBAC practices.<\/p>\n<p>If you&#8217;re interested in participating in the private preview, sign up using our request form, and our team will reach out with next steps.<\/p>\n<ul>\n<li>Sign up at <a href=\"https:\/\/aka.ms\/CosmosDB-RbacPreview\">https:\/\/aka.ms\/CosmosDB-RbacPreview<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Managing access to Azure resources often means dealing with two separate permission models: one for management operations and another for data access. For Azure Cosmos DB customers, this split can increase complexity, slow down onboarding, and create confusion around governance and security boundaries. 
Today, we\u2019re excited to announce the private preview of Integrated Azure [&hellip;]<\/p>\n","protected":false},"author":188311,"featured_media":12139,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1980,14,1918],"tags":[499,1913,668],"class_list":["post-11896","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-cosmos-db","category-core-sql-api","category-rbac","tag-azure-cosmos-db","tag-rbac","tag-security"],"acf":[],"blog_post_summary":"<p>Introduction Managing access to Azure resources often means dealing with two separate permission models: one for management operations and another for data access. For Azure Cosmos DB customers, this split can increase complexity, slow down onboarding, and create confusion around governance and security boundaries. Today, we\u2019re excited to announce the private preview of Integrated Azure [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/11896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/users\/188311"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/comments?post=11896"}],"version-history":[{"count":1,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/11896\/revisions"}],"predecessor-version":[{"id":12176,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/11896\/revisions\/12176"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media\/12139"}],"wp:attachment":[{"href":"https:
\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media?parent=11896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/categories?post=11896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/tags?post=11896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}