In this article, you learn how to configure Microsoft Entra ID authentication for an Azure Cosmos DB for MongoDB vCore. The steps in this guide configure an existing Azure Cosmos DB for MongoDB vCore cluster to use Microsoft Entra ID authentication with your human identity (currently signed-in account) or a Microsoft Entra ID security principal such as managed identity. Microsoft Entra ID authentication enables secure and seamless access to your database by using your organization's existing identities. This guide goes through the steps to set up authentication, register users or service principals, and validate the configuration.
When you create an Azure Cosmos DB for MongoDB vCore cluster, cluster is configured to use native authentication by default. To enable authentication using Entra ID, turn on the Entra ID authentication method and add Entra ID users to the cluster.
Prerequisites
- An existing Azure Cosmos DB for MongoDB (vCore) cluster.
Get unique identifier for Entra ID user management
First, get the unique identifier used to manage Entra ID principals on the cluster.
- Get the details for the currently logged-in account using - az ad signed-in-user.
 - az ad signed-in-user show
 
- Get the details for another account using - az ad user show.
 - az ad user show --id kai@adventure-works.com
 
- The command outputs a JSON response containing various fields. - {
  "@odata.context": "<https://microsoftgraph.chinacloudapi.cn/v1.0/$metadata#users/$entity>",
  "businessPhones": [],
  "displayName": "Kai Carter",
  "givenName": "Kai",
  "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
  "jobTitle": "Senior Sales Representative",
  "mail": "<kai@adventure-works.com>",
  "mobilePhone": null,
  "officeLocation": "Redmond",
  "preferredLanguage": null,
  "surname": "Carter",
  "userPrincipalName": "<kai@adventure-works.com>"
}
 
- Record the value of the - idproperty. This property is the unique identifier for your principal and is sometimes referred to as the principal ID. You use this value in the next series of steps.
 
Get friendly name using unique identifier
When you need to get a friendly name using unique identifier, follow these steps.
- Get the details for another account using - az ad user show.
 - az ad user show --id aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
 
- The command outputs a JSON response containing various fields. - {
  "@odata.context": "<https://microsoftgraph.chinacloudapi.cn/v1.0/$metadata#users/$entity>",
  "businessPhones": [],
  "displayName": "Kai Carter",
  "givenName": "Kai",
  "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
  "jobTitle": "Senior Sales Representative",
  "mail": "<kai@adventure-works.com>",
  "mobilePhone": null,
  "officeLocation": "Redmond",
  "preferredLanguage": null,
  "surname": "Carter",
  "userPrincipalName": "<kai@adventure-works.com>"
}
 
- Note the value of the - mailand- displayNameproperties.
 
Manage cluster authentication methods
Use the following steps to enable Microsoft Entra ID authentication method on your existing cluster. Then, add an Entra ID user mapped to your signed-in identity to the cluster. You can have native DocumentDB authentication only or native DocumentDB and Microsoft Entra ID authentication methods enabled on the cluster.
- On the cluster sidebar, under Settings, select Authentication. 
- In Authentication methods section, select Native DocumentDB and Microsoft Entra ID to enable Microsoft Entra ID authentication. - 
  
 
- Select Save to confirm the authentication method changes. - 
  
 
- To enable Microsoft Entra ID on the cluster, update the existing cluster with an HTTP - PATCHoperation by adding the- MicrosoftEntraIDvalue to- allowedModesin the- authConfigproperty.
 - az resource patch \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --properties "{\"authConfig\":{\"allowedModes\":[\"MicrosoftEntraID\",\"NativeAuth\"]}}" \
    --latest-include-preview
 
- To disable Microsoft Entra ID authentication method on the cluster, update the existing cluster with an HTTP - PATCHoperation by overwriting the current values in- allowedModesin the- authConfigproperty with- NativeAuth.
 - az resource patch \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --properties "{\"authConfig\":{\"allowedModes\":[\"NativeAuth\"]}}" \
    --latest-include-preview
 
You can use the Azure REST API directly or wrapped into az rest from Azure CLI environment.
- Use this command to add Microsoft Entra ID authentication method to the cluster: - az rest \
    --method "PUT" \
    --url "https://management.chinacloudapi.cn/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>?api-version=2025-07-01-preview" \
    --body "{\"location\":\"<cluster-region>\",\"properties\":{\"authConfig\":{\"allowedModes\":[\"MicrosoftEntraID\",\"NativeAuth\"]}}}"
 
- Use this command to remove Microsoft Entra ID authentication method from the cluster and leave only native DocumentDB authentication method enabled: - az rest \
    --method "PUT" \
    --url "https://management.chinacloudapi.cn/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>?api-version=2025-07-01-preview" \
    --body "{\"location\":\"<cluster-region>\",\"properties\":{\"authConfig\":{\"allowedModes\":\"NativeAuth\"}}}"
 
 
View authentication methods enabled on the cluster
Follow these steps to see authentication methods currently enabled on the cluster.
- On the cluster sidebar, under Settings, select Authentication. 
- In the Authentication methods section, check authentication methods currently enabled on the cluster. - 
  
 
- Get the - authConfigproperty from your existing cluster using- az resource show.
 - az resource show \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --query "properties.authConfig" \
    --latest-include-preview
 
- Observe the output. If Microsoft Entra ID authentication isn't configured, the output includes only the - NativeAuthvalue in the- allowedModesarray.
 - {
  "authConfig": {
    "allowedModes": [
        "NativeAuth"
  ] }
}
 
- If Microsoft Entra ID authentication is enabled on the cluster, the output includes both the - NativeAuthand- MicrosoftEntraIDvalues in the- allowedModesarray.
 - {
  "authConfig": {
    "allowedModes": [
        "NativeAuth",
        "MicrosotEntraID"
          ] }
}
 
- Use this command to check authentication methods currently enabled on the cluster: - az rest \
    --method "GET" \
    --url "https://management.chinacloudapi.cn/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>?api-version=2025-07-01-preview" 
 
- Observe the output. If Microsoft Entra ID authentication isn't configured, the output includes only the - NativeAuthvalue in the- allowedModesarray.
 - {
  "authConfig": {
    "allowedModes": [
        "NativeAuth"
  ] }
}
 
- If Microsoft Entra ID authentication is enabled on the cluster, the output includes both the - NativeAuthand- MicrosoftEntraIDvalues in the- allowedModesarray.
 - {
  "authConfig": {
    "allowedModes": [
        "NativeAuth",
        "MicrosotEntraID"
          ] }
    }
 
 
Manage Entra ID users on the cluster
Follow these steps to add or remove administrative Entra ID users to cluster.
- Select a cluster with Microsoft Entra ID authentication method enabled. 
- On the cluster sidebar, under Settings, select Authentication. 
- To add administrative Entra ID users: - 
- In the Microsoft Entra ID authentication section, select +Add Microsoft Entra ID to open the side panel that allows to add Entra ID users and security principals to the cluster. - 
  
 
- In the Select Microsoft Entra ID roles side panel, select one or more Entra ID users and confirm your choice by selecting Select. - 
  
 
 - 
- Note - When administrative Microsoft Entra ID users are added to the cluster, their identifiers in - aaaaaaaa-0000-1111-2222-bbbbbbbbbbbbformat not human readable names such as- kai@adventure-works.comare added to the cluster.
 
 
- Select Save to confirm the authentication method changes. 
- To remove administrative Entra ID users from the cluster: - 
- Get Entra ID identifiers for the users to be removed from the cluster. 
- In the Microsoft Entra ID authentication section, select Remove next to the user's identifier to remove that user from the cluster. 
 - 
  
 - 
- Important - User is removed from the cluster right after Remove is selected. 
 
- Get the unique ID of the user or service principal that needs to be added to or removed from the cluster. 
- To add administrative Entra ID users, use - az resource create. This command creates a new resource of type- Microsoft.DocumentDB/mongoClusters/users. Compose the name of the resource by concatenating the name of the parent cluster and the principal ID of your identity.
 - az resource create \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --location "<cluster-region>" \
    --properties "{\"identityProvider\":{\"type\":\"MicrosoftEntraID\",\"properties\":{\"principalType\":\"User\"}},\"roles\":[{\"db\":\"admin\",\"role\":\"root\"}]}" \
    --latest-include-preview
 - 
- Tip - For example, if your parent resource is named - example-clusterand your principal ID was- aaaaaaaa-bbbb-cccc-1111-222222222222, the name of the resource would be:
 - "example-cluster/users/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
 - Also, if you're registering a service principal, like a managed identity, you would replace the - identityProvider.properties.principalTypeproperty's value with- ServicePrincipal.
 
 
- To remove administrative Entra ID users, use - az resource delete. This command deletes resource of type- Microsoft.DocumentDB/mongoClusters/users. Compose the name of the resource by concatenating the name of the parent cluster and the principal ID of your identity.
 - az resource delete \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --latest-include-preview
 
- Get the unique ID of the user or service principal that needs to be added to or removed from the cluster. 
- To add administrative Entra ID users to the cluster, use PUT Azure REST API call with this - az restcommand:
 - az rest \
    --method "PUT" \
    --url "https://management.chinacloudapi.cn/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users/<principal-id>?api-version=2025-07-01-preview" \
    --body "{\"location\":\"<cluster-region>\",\"properties\":{\"identityProvider\":{\"type\":\"MicrosoftEntraID\",\"properties\":{\"principalType\":\"User\"}},\"roles\":[{\"db\":\"admin\",\"role\":\"root\"}]}}"
 - 
- Tip - For example, if your parent resource is named - example-clusterand your principal ID was- aaaaaaaa-bbbb-cccc-1111-222222222222, the name of the resource would be:
 - "example-cluster/users/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
 - Also, if you're registering a service principal, like a managed identity, you would replace the - identityProvider.properties.principalTypeproperty's value with- ServicePrincipal.
 
 
- To remove administrative Entra ID users from the cluster, use DELETE Azure REST API call with this - az restcommand:
 - az rest \
    --method "DELETE" \
    --url "https://management.chinacloudapi.cn/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users/<principal-id>?api-version=2025-07-01-preview" 
 
 
View Entra ID users on the cluster
When you view administrative users on a cluster, there's always one native built-in administrative user created during cluster provisioning and all administrative Entra ID users added to the cluster listed.
Follow these steps to see all administrative Entra ID users added to cluster.
- Select a cluster with Microsoft Entra ID authentication method enabled. 
- On the cluster sidebar, under Settings, select Authentication. 
- In the Microsoft Entra ID authentication section, find the list of object IDs (unique identifiers) for the administrative Entra ID users added to the cluster. - 
  
 
- To get friendly names using a unique identifier, follow these steps. 
Use commands on the REST APIs tab to list administrative users on the cluster.
- Use this command to list all administrative users on the cluster: - az rest \
    --method "GET" \
    --url "https://management.chinacloudapi.cn/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users?api-version=2025-07-01-preview" 
 
- Observe the output. The output includes an array of administrative user accounts on the cluster. This array has one built-in native administrative users and all administrative Entra ID user and service principals added to the cluster. - {
  "id": "/subscriptions/<subscription-id>>/resourceGroups/<resource-group-name>>/providers/Microsoft.DocumentDB/mongoClusters/<cluser-name>>/users/<user's-unique-id>",
  "name": "user's-unique-id",
  "properties": {
    "identityProvider": {
      "properties": {
        "entraTenant": "entra-tenant-id",
        "principalType": "User"
      },
      "type": "MicrosoftEntraID"
    },
    ...
    "user": "user's-unique-id"
  },
    ...
  "type": "Microsoft.DocumentDB/mongoClusters/users"
}
 
- If Microsoft Entra ID authentication is enabled on the cluster, the output includes both the - NativeAuthand- MicrosoftEntraIDvalues in the- allowedModesarray.
 - {
  "authConfig": {
    "allowedModes": [
        "NativeAuth",
        "MicrosotEntraID"
          ] }
    }
 
 
Note
An Azure Cosmos DB for MongoDB vCore cluster is created with one built-in native DocumentDB user. You can add more native DocumentDB users after cluster provisioning is completed. Microsoft Entra ID users added to the cluster are going to be in addition to native DocumentDB users defined on the same cluster.
 
Connect to the cluster
You can connect to the cluster using either a connection URI or a custom settings object from the driver for your preferred language. In either option, the scheme must be set to mongodb+srv to connect to the cluster. The host is at either the *.global.mongocluster.cosmos.azure.com or *.mongocluster.cosmos.azure.com domain depending on whether you're using the current cluster or global read-write endpoint. The +srv scheme and the *.global.* host ensures that your client is dynamically connected to the appropriate writable cluster in a multi-cluster configuration even if a region swap operation occurs. In a single-cluster configuration, you can use either connection string indiscriminately.
The tls setting must also be enabled. The remaining recommended settings are best practice configuration settings.
| Option | Value | 
| scheme | mongodb+srv | 
| host | <cluster-name>.global.mongocluster.cosmos.azure.comor<cluster-name>.mongocluster.cosmos.azure.com | 
| tls | true | 
| authMechanism | MONGODB-OIDC | 
| retrywrites | false | 
| maxIdleTimeMS | 120000 | 
On the cluster properties page in the Azure portal, under Settings, open Connection strings. The Connection strings page contains connection strings for the authentication methods enabled on the cluster. Microsoft Entra ID connection strings are in the Microsoft Entra ID section.
- Global - mongodb+srv://<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000
 
- Cluster - mongodb+srv://<cluster-name>.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000
 
const AzureIdentityTokenCallback = async (params: OIDCCallbackParams, credential: TokenCredential): Promise<OIDCResponse> => {
    const tokenResponse: AccessToken | null = await credential.getToken(['https://ossrdbms-aad.database.chinacloudapi.cn/.default']);
    return {
        accessToken: tokenResponse?.token || '',
        expiresInSeconds: (tokenResponse?.expiresOnTimestamp || 0) - Math.floor(Date.now() / 1000)
    };
};
const clusterName: string = '<azure-cosmos-db-mongodb-vcore-cluster-name>';
const credential: TokenCredential = new DefaultAzureCredential();
const client = new MongoClient(
    `mongodb+srv://${clusterName}.global.mongocluster.cosmos.azure.com/`, {
    connectTimeoutMS: 120000,
    tls: true,
    retryWrites: true,
    authMechanism: 'MONGODB-OIDC',
    authMechanismProperties: {
        OIDC_CALLBACK: (params: OIDCCallbackParams) => AzureIdentityTokenCallback(params, credential),
        ALLOWED_HOSTS: ['*.azure.com']
    }
}
);
class AzureIdentityTokenCallback(OIDCCallback):
    def __init__(self, credential):
        self.credential = credential
    def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
        token = self.credential.get_token(
            "https://ossrdbms-aad.database.chinacloudapi.cn/.default").token
        return OIDCCallbackResult(access_token=token)
clusterName = "<azure-cosmos-db-mongodb-vcore-cluster-name>"
credential = DefaultAzureCredential()
authProperties = {"OIDC_CALLBACK": AzureIdentityTokenCallback(credential)}
client = MongoClient(
    f"mongodb+srv://{clusterName}.global.mongocluster.cosmos.azure.com/",
    connectTimeoutMS=120000,
    tls=True,
    retryWrites=True,
    authMechanism="MONGODB-OIDC",
    authMechanismProperties=authProperties
)
string tenantId = "<microsoft-entra-tenant-id>";
string clusterName = "<azure-cosmos-db-mongodb-vcore-cluster-name>";
DefaultAzureCredential credential = new();
AzureIdentityTokenHandler tokenHandler = new(credential, tenantId);
MongoUrl url = MongoUrl.Create($"mongodb+srv://{clusterName}.global.mongocluster.cosmos.azure.com/");
MongoClientSettings settings = MongoClientSettings.FromUrl(url);
settings.UseTls = true;
settings.RetryWrites = false;
settings.MaxConnectionIdleTime = TimeSpan.FromMinutes(2);
settings.Credential = MongoCredential.CreateOidcCredential(tokenHandler);
settings.Freeze();
MongoClient client = new(settings);
internal sealed class AzureIdentityTokenHandler(
    TokenCredential credential,
    string tenantId
) : IOidcCallback
{
    private readonly string[] scopes = ["https://ossrdbms-aad.database.chinacloudapi.cn/.default"];
    public OidcAccessToken GetOidcAccessToken(OidcCallbackParameters parameters, CancellationToken cancellationToken)
    {
        AccessToken token = credential.GetToken(
            new TokenRequestContext(scopes, tenantId: tenantId),
            cancellationToken
        );
        return new OidcAccessToken(token.Token, token.ExpiresOn - DateTimeOffset.UtcNow);
    }
    public async Task<OidcAccessToken> GetOidcAccessTokenAsync(OidcCallbackParameters parameters, CancellationToken cancellationToken)
    {
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(scopes, parentRequestId: null, tenantId: tenantId),
            cancellationToken
        );
        return new OidcAccessToken(token.Token, token.ExpiresOn - DateTimeOffset.UtcNow);
    }
}
 
Related content