Microsoft.DocumentDB databaseAccounts/sqlRoleAssignments

Bicep resource definition

The databaseAccounts/sqlRoleAssignments resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2026-04-01-preview' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    principalId: 'string'
    roleDefinitionId: 'string'
    scope: 'string'
  }
}

Property Values

Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name | string (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: databaseAccounts |
| properties | Properties to create and update an Azure Cosmos DB SQL Role Assignment. | SqlRoleAssignmentResource |

SqlRoleAssignmentResource

| Name | Description | Value |
| --- | --- | --- |
| principalId | The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription. | string |
| roleDefinitionId | The unique identifier for the associated Role Definition. | string |
| scope | The data plane resource path for which access is being granted through this Role Assignment. | string |

Usage Examples

Bicep Samples

A basic example of deploying Cosmos DB SQL Role Assignment.

param resourceName string = 'acctest0001'
param location string = 'westeurope'

// Built-in role definition, looked up on the account created below.
resource sqlRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-10-15' existing = {
  name: '00000000-0000-0000-0000-000000000001'
  parent: databaseAccount
}

resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2021-10-15' = {
  name: resourceName
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    capabilities: []
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
      maxIntervalInSeconds: 5
      maxStalenessPrefix: 100
    }
    databaseAccountOfferType: 'Standard'
    defaultIdentity: 'FirstPartyIdentity'
    disableKeyBasedMetadataWriteAccess: false
    disableLocalAuth: false
    enableAnalyticalStorage: false
    enableAutomaticFailover: false
    enableFreeTier: false
    enableMultipleWriteLocations: false
    ipRules: []
    isVirtualNetworkFilterEnabled: false
    locations: [
      {
        failoverPriority: 0
        isZoneRedundant: false
        locationName: 'West Europe'
      }
    ]
    networkAclBypass: 'None'
    networkAclBypassResourceIds: []
    publicNetworkAccess: 'Enabled'
    virtualNetworkRules: []
  }
}

// Grants the cluster's managed identity the role above, scoped to the whole account.
resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-10-15' = {
  name: 'ff419bf7-f8ca-ef51-00d2-3576700c341b'
  parent: databaseAccount
  properties: {
    principalId: cluster.identity.principalId
    roleDefinitionId: sqlRoleDefinition.id
    scope: databaseAccount.id
  }
}

resource cluster 'Microsoft.Kusto/clusters@2023-05-02' = {
  name: resourceName
  location: location
  // System-assigned identity; cluster.identity.principalId above needs it
  // (the Terraform sample on this page sets the same identity type).
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    capacity: 1
    name: 'Dev(No SLA)_Standard_D11_v2'
    tier: 'Basic'
  }
  properties: {
    enableAutoStop: true
    enableDiskEncryption: false
    enableDoubleEncryption: false
    enablePurge: false
    enableStreamingIngest: false
    engineType: 'V2'
    publicIPType: 'IPv4'
    publicNetworkAccess: 'Enabled'
    restrictOutboundNetworkAccess: 'Disabled'
    trustedExternalTenants: []
  }
}

resource database 'Microsoft.Kusto/clusters/databases@2023-05-02' = {
  name: resourceName
  location: location
  parent: cluster
  kind: 'ReadWrite'
  properties: {}
}
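
The sample above grants the role at account scope (`scope: databaseAccount.id`), which covers every database and container in the account. The following is an added example, not part of the original page, that narrows the same kind of assignment to a single container and derives the assignment name deterministically. The parameter names and the database and container names (`appdb`, `orders`) are hypothetical, and the account is assumed to exist already.

```bicep
// Added example (not from the original page). Database and container names
// are hypothetical placeholders; the Cosmos DB account is assumed to exist.
param accountName string
param principalId string               // object ID of the identity being granted access
param databaseName string = 'appdb'    // hypothetical
param containerName string = 'orders'  // hypothetical

resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2021-10-15' existing = {
  name: accountName
}

// Same built-in role definition ID the sample on this page references.
resource sqlRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-10-15' existing = {
  parent: databaseAccount
  name: '00000000-0000-0000-0000-000000000001'
}

// Broad form used by the page's sample: the role applies to the whole account.
//   scope: databaseAccount.id
// Narrow form: the data plane path of one container under that account.
var containerScope = '${databaseAccount.id}/dbs/${databaseName}/colls/${containerName}'

resource scopedAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-10-15' = {
  parent: databaseAccount
  // The name must be a GUID. Deriving it from (role, principal, scope) makes
  // redeployments idempotent and gives each distinct grant its own resource.
  name: guid(sqlRoleDefinition.id, principalId, containerScope)
  properties: {
    principalId: principalId
    roleDefinitionId: sqlRoleDefinition.id
    scope: containerScope
  }
}

output assignmentId string = scopedAssignment.id
output grantedScope string = containerScope
```

Reviewing the `grantedScope` output in deployment history gives a quick check that no assignment was widened to the account level.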

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

| Module | Description |
| --- | --- |
| Cosmos DB - SQL Role Assignment | AVM Child Module for Cosmos DB - SQL Role Assignment |

Azure Quickstart Samples

The following Azure Quickstart templates contain Bicep samples for deploying this resource type.

| Bicep File | Description |
| --- | --- |
| Create an Azure Cosmos DB SQL Account with data plane RBAC | This template will create a SQL Cosmos account, a natively maintained Role Definition, and a natively maintained Role Assignment for an AAD identity. |
| Deploy Azure Data Explorer DB with Cosmos DB connection | Deploy Azure Data Explorer DB with Cosmos DB connection. |

ARM template resource definition

The databaseAccounts/sqlRoleAssignments resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments resource, add the following JSON to your template.

{
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
  "apiVersion": "2026-04-01-preview",
  "name": "string",
  "properties": {
    "principalId": "string",
    "roleDefinitionId": "string",
    "scope": "string"
  }
}

Property Values

Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments

| Name | Description | Value |
| --- | --- | --- |
| apiVersion | The api version | '2026-04-01-preview' |
| name | The resource name | string (required) |
| properties | Properties to create and update an Azure Cosmos DB SQL Role Assignment. | SqlRoleAssignmentResource |
| type | The resource type | 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments' |

SqlRoleAssignmentResource

| Name | Description | Value |
| --- | --- | --- |
| principalId | The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription. | string |
| roleDefinitionId | The unique identifier for the associated Role Definition. | string |
| scope | The data plane resource path for which access is being granted through this Role Assignment. | string |

Usage Examples

Azure Quickstart Templates

The following Azure Quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create an Azure Cosmos DB SQL Account with data plane RBAC | This template will create a SQL Cosmos account, a natively maintained Role Definition, and a natively maintained Role Assignment for an AAD identity. |
| Deploy Azure Data Explorer DB with Cosmos DB connection | Deploy Azure Data Explorer DB with Cosmos DB connection. |

Terraform (AzAPI provider) resource definition

The databaseAccounts/sqlRoleAssignments resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type      = "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2026-04-01-preview"
  name      = "string"
  parent_id = "string"
  body = {
    properties = {
      principalId      = "string"
      roleDefinitionId = "string"
      scope            = "string"
    }
  }
}

Property Values

Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name | string (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: databaseAccounts |
| properties | Properties to create and update an Azure Cosmos DB SQL Role Assignment. | SqlRoleAssignmentResource |
| type | The resource type | "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2026-04-01-preview" |

SqlRoleAssignmentResource

| Name | Description | Value |
| --- | --- | --- |
| principalId | The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription. | string |
| roleDefinitionId | The unique identifier for the associated Role Definition. | string |
| scope | The data plane resource path for which access is being granted through this Role Assignment. | string |

Usage Examples

Terraform Samples

A basic example of deploying Cosmos DB SQL Role Assignment.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "cluster" {
  type      = "Microsoft.Kusto/clusters@2023-05-02"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
  body = {
    properties = {
      enableAutoStop                = true
      enableDiskEncryption          = false
      enableDoubleEncryption        = false
      enablePurge                   = false
      enableStreamingIngest         = false
      engineType                    = "V2"
      publicIPType                  = "IPv4"
      publicNetworkAccess           = "Enabled"
      restrictOutboundNetworkAccess = "Disabled"
      trustedExternalTenants = [
      ]
    }
    sku = {
      capacity = 1
      name     = "Dev(No SLA)_Standard_D11_v2"
      tier     = "Basic"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "databaseAccount" {
  type      = "Microsoft.DocumentDB/databaseAccounts@2021-10-15"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    kind = "GlobalDocumentDB"
    properties = {
      capabilities = [
      ]
      consistencyPolicy = {
        defaultConsistencyLevel = "Session"
        maxIntervalInSeconds    = 5
        maxStalenessPrefix      = 100
      }
      databaseAccountOfferType           = "Standard"
      defaultIdentity                    = "FirstPartyIdentity"
      disableKeyBasedMetadataWriteAccess = false
      disableLocalAuth                   = false
      enableAnalyticalStorage            = false
      enableAutomaticFailover            = false
      enableFreeTier                     = false
      enableMultipleWriteLocations       = false
      ipRules = [
      ]
      isVirtualNetworkFilterEnabled = false
      locations = [
        {
          failoverPriority = 0
          isZoneRedundant  = false
          locationName     = "West Europe"
        },
      ]
      networkAclBypass = "None"
      networkAclBypassResourceIds = [
      ]
      publicNetworkAccess = "Enabled"
      virtualNetworkRules = [
      ]
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

data "azapi_resource" "sqlRoleDefinition" {
  type                   = "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-10-15"
  parent_id              = azapi_resource.databaseAccount.id
  name                   = "00000000-0000-0000-0000-000000000001"
  response_export_values = ["*"]
}

resource "azapi_resource" "database" {
  type      = "Microsoft.Kusto/clusters/databases@2023-05-02"
  parent_id = azapi_resource.cluster.id
  name      = var.resource_name
  location  = var.location
  body = {
    kind = "ReadWrite"
    properties = {
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "sqlRoleAssignment" {
  type      = "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-10-15"
  parent_id = azapi_resource.databaseAccount.id
  name      = "ff419bf7-f8ca-ef51-00d2-3576700c341b"
  body = {
    properties = {
      principalId      = azapi_resource.cluster.output.identity.principalId
      roleDefinitionId = data.azapi_resource.sqlRoleDefinition.id
      scope            = azapi_resource.databaseAccount.id
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
