add user in cosmosdb Azure DocumentDB (with MongoDB compatibility) with entra authentication

Hi Gajjala, Vinod Reddy

for Azure Cosmos DB (MongoDB API) you don’t use db.createUser()/mongosh to add Entra-authenticated users—everything is managed at the Azure level. Here’s a quick path you can follow:

Make sure Entra ID authentication is enabled

• In the Azure portal, go to your Cosmos DB for MongoDB vCore cluster → Settings → Authentication
  • Under Authentication methods, select both Native DocumentDB and Microsoft Entra ID → Save
    • Or use CLI:

     az resource patch \
    

--resource-group <rg>
--name <cluster>
--resource-type Microsoft.DocumentDB/mongoClusters
--properties '{"authConfig":{"allowedModes":["NativeAuth","MicrosoftEntraID"]}}'
--latest-include-preview ```

 Get the object ID of the Entra principal
 
 - For a user:
 
 ```dockerfile
 az ad user show --id ******@contoso.com --query objectId -o tsv
 ```
 
 - For a service principal:
 
 ```dockerfile
 az ad sp show --id <appId> --query objectId -o tsv
 ```
 
 - For a managed identity:
 
 ```dockerfile
 az identity show --resource-group <rg> --name <mi-name> --query principalId -o tsv
 ```
 
 Register that principal on your cluster with the right roles
 
 - Read-only on database “mydb”:
 
 ```json
 az resource create \

--resource-group <rg>
--name <cluster>/users/<object-id>
--resource-type Microsoft.DocumentDB/mongoClusters/users
--location <region>
--properties '{ "identityProvider":{"type":"MicrosoftEntraID","properties":{"principalType":"User"}}, "roles":[{"db":"mydb","role":"read"}] }'
--latest-include-preview ```

 - Read-write on “mydb”:
 
 ```json
 az resource create \

--resource-group <rg>
--name <cluster>/users/<object-id>
--resource-type Microsoft.DocumentDB/mongoClusters/users
--location <region>
--properties '{ "identityProvider":{"type":"MicrosoftEntraID","properties":{"principalType":"User"}}, "roles":[{"db":"mydb","role":"readWrite"}] }'
--latest-include-preview ```

 You can also do this via the portal under Settings → Authentication → + Add Microsoft Entra ID.
 
 Connect using MONGODB-OIDC When you spin up mongosh or MongoDB Compass, use a connection string like:
 
 ```yaml
 mongodb+srv://<object-id>@<cluster>.mongo.cosmos.azure.com/?tls=true

&authMechanism=MONGODB-OIDC &authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:https://ossrdbms-aad.database.windows.net ```

 Replace `<object-id>` with the same principal ID you registered. Cosmos will exchange your Azure AD token for MongoDB access.
 

I hope this helps. If you have any questions or concerns, please let us know—we're happy to assist further.

Reference docs:

• Configure Microsoft Entra ID authentication: https://learn.microsoft.com/azure/cosmos-db/mongodb/vcore/how-to-configure-entra-authentication
• Manage Entra ID users on the cluster: https://learn.microsoft.com/azure/cosmos-db/mongodb/vcore/how-to-configure-entra-authentication#manage-entra-id-users-on-the-cluster
• Connecting with OIDC (Compass/Mongosh): https://learn.microsoft.com/azure/documentdb/how-to-connect-role-based-access-control#connect-using-microsoft-entra-id-in-mongodb-compass-or-mongodb-shell

Hello @Gajjala, Vinod Reddy,

To add a user in Azure Cosmos DB (with MongoDB compatibility) and enable Microsoft Entra ID authentication, follow these steps:

1. Enable Microsoft Entra ID Authentication: Ensure that Microsoft Entra ID authentication is enabled on your Azure Cosmos DB cluster. This can typically be done through the Azure portal by navigating to your Cosmos DB account and enabling the authentication method in the settings. After enabling, both NativeAuth and MicrosoftEntraID should be listed as enabled methods. 1
2. Add Microsoft Entra ID Principals: You can add one or more Microsoft Entra ID principals (users, service principals, or managed identities) as administrator or non-administrator users. For non-administrative users, you can grant them specific roles such as readWrite or readAnyDatabase. Administrative users have full privileges, while non-administrative users can be granted either read-write or read-only permissions. 2
3. Register the User: Register the Microsoft Entra ID principal on the cluster. This is done by creating an Azure resource of type Microsoft.DocumentDB/mongoClusters/users with the naming format <cluster-name>/users/<principal-id>. 3
4. Assign Roles: For non-administrative users, you can assign roles like readWriteAnyDatabase for full read-write access or readAnyDatabase for read-only access. Note that the readWriteAnyDatabase and clusterAdmin roles must be assigned together for full read-write access. 4
5. Connect Using Microsoft Entra ID: Once the user is added and roles are assigned, they can connect to the Azure Cosmos DB cluster using a connection string that includes their Microsoft Entra ID credentials. The connection string format should include the mongodb+srv scheme and specify the authentication mechanism as MONGODB-OIDC

Connect to Azure DocumentDB using role-based access control and Microsoft Entra ID

If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.