Restrict user access to data operations in Azure Cosmos DB
March 21, 2025 · View on GitHub
SYNOPSIS
Use Microsoft Entra ID identities for management plane operations in Azure Cosmos DB.
DESCRIPTION
Cosmos DB provides two authorization options for interacting with the database:
- Microsoft Entra ID identities (previously known as Azure AD). Can be used to authorize account and resource management operations.
- Keys and resource tokens. Can be used to authorize resource management and data operations.
Resource management (metadata) operations include creating, changing, and deleting databases, containers, and indexing policies. By default, account keys are permitted to perform these operations, so anyone holding a key can reshape the account, not just read and write its data. You can restrict resource management operations to Azure Resource Manager (ARM) calls only; ARM authorizes the caller with a Microsoft Entra ID identity and Azure RBAC, while keys and resource tokens remain valid for data operations.
RECOMMENDATION
Consider limiting keys and resource tokens to data plane operations only. Use Microsoft Entra ID identities for authorizing account and resource management operations.
EXAMPLES
Configure with Azure template
To deploy Cosmos DB accounts that pass this rule:
- Set the properties.disableKeyBasedMetadataWriteAccess property to true.
For example:
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2023-04-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "enableFreeTier": false,
    "consistencyPolicy": {
      "defaultConsistencyLevel": "Session"
    },
    "databaseAccountOfferType": "Standard",
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": true
      }
    ],
    "disableKeyBasedMetadataWriteAccess": true
  }
}
Configure with Bicep
To deploy Cosmos DB accounts that pass this rule:
- Set the properties.disableKeyBasedMetadataWriteAccess property to true.
For example:
resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: name
  location: location
  properties: {
    enableFreeTier: false
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
    }
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: true
      }
    ]
    disableKeyBasedMetadataWriteAccess: true
  }
}
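The template and Bicep snippets above show the compliant setting; the following is an added example, not code from the PSRule for Azure project, that shows how the check behind this rule can be applied to an ARM template (or to the JSON that Bicep compiles to) before deployment. It walks every Microsoft.DocumentDB/databaseAccounts resource, including child resources nested inline, and reports Pass when disableKeyBasedMetadataWriteAccess is true, Fail when it is false or absent (absent means the platform default, where keys may perform metadata writes), and Unknown when the value is a template expression that cannot be evaluated statically. The sample template, the account names in it and the parameter name disableKeyWrites are constructed for this example.

```python
import json

RESOURCE_TYPE = "Microsoft.DocumentDB/databaseAccounts"
PROPERTY = "disableKeyBasedMetadataWriteAccess"


def _iter_accounts(resources, parent=""):
    """Yield (name, properties) for every Cosmos DB account in a resource list.

    ARM allows child resources to be declared inline under a "resources" key,
    so the walk recurses into those as well.
    """
    for res in resources or []:
        rtype = res.get("type", "")
        name = f"{parent}/{res.get('name', '')}" if parent else str(res.get("name", ""))
        if rtype.lower() == RESOURCE_TYPE.lower():
            yield name, res.get("properties") or {}
        yield from _iter_accounts(res.get("resources"), name)


def evaluate_account(properties):
    """Return 'Pass', 'Fail' or 'Unknown' for one account's properties block.

    A missing property is treated as Fail: the platform default leaves
    key-based metadata write access enabled.
    """
    value = properties.get(PROPERTY)
    if value is True:
        return "Pass"
    if value is None or value is False:
        return "Fail"
    # Anything else is a template expression such as
    # "[parameters('disableKeyWrites')]" (hypothetical parameter name);
    # surface it for manual review rather than guessing.
    return "Unknown"


def evaluate_template(template_json):
    """Map each account name in the template to its rule result."""
    template = json.loads(template_json)
    return {
        name: evaluate_account(props)
        for name, props in _iter_accounts(template.get("resources"))
    }


# Constructed sample template: one compliant account, one relying on the
# default, and one whose setting is driven by a parameter.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"disableKeyWrites": {"type": "bool", "defaultValue": False}},
    "resources": [
        {
            "type": "Microsoft.DocumentDB/databaseAccounts",
            "apiVersion": "2023-04-15",
            "name": "cosmos-pass",
            "location": "eastus",
            "properties": {
                "databaseAccountOfferType": "Standard",
                "locations": [{"locationName": "eastus", "failoverPriority": 0}],
                "disableKeyBasedMetadataWriteAccess": True,
            },
        },
        {
            "type": "Microsoft.DocumentDB/databaseAccounts",
            "apiVersion": "2023-04-15",
            "name": "cosmos-default",
            "location": "eastus",
            "properties": {
                "databaseAccountOfferType": "Standard",
                "locations": [{"locationName": "eastus", "failoverPriority": 0}],
            },
        },
        {
            "type": "Microsoft.DocumentDB/databaseAccounts",
            "apiVersion": "2023-04-15",
            "name": "cosmos-param",
            "location": "eastus",
            "properties": {
                "databaseAccountOfferType": "Standard",
                "locations": [{"locationName": "eastus", "failoverPriority": 0}],
                "disableKeyBasedMetadataWriteAccess": "[parameters('disableKeyWrites')]",
            },
        },
    ],
})


if __name__ == "__main__":
    for account, result in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{account}: {result}")
```

Treating an absent property as a failure is the important design choice: a template that never mentions disableKeyBasedMetadataWriteAccess deploys an account where keys can create and drop databases and containers, which is exactly the exposure this rule is meant to remove. Parameterised values are reported separately so a pipeline can require a literal true or resolve the parameter file before accepting the deployment.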
Configure with Azure Policy
To enforce this setting at runtime, assign the following built-in policy definition:
- Azure Cosmos DB key based metadata write access should be disabled
/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5