Configure Microsoft Entra ID authentication for an Azure Cosmos DB for MongoDB vCore cluster

In this article, you learn how to configure Microsoft Entra ID authentication for an Azure Cosmos DB for MongoDB vCore. The steps in this guide configure an existing Azure Cosmos DB for MongoDB vCore cluster to use Microsoft Entra ID authentication with your human identity (currently signed-in account) or a Microsoft Entra ID security principal such as managed identity. Microsoft Entra ID authentication enables secure and seamless access to your database by using your organization's existing identities. This guide goes through the steps to set up authentication, register users or service principals, and validate the configuration.

When you create an Azure Cosmos DB for MongoDB vCore cluster, cluster is configured to use native authentication by default. To enable authentication using Entra ID, turn on the Entra ID authentication method and add Entra ID users to the cluster.

Prerequisites

  • The latest version of the Azure CLI in Azure Cli.

    • If you prefer to run CLI reference commands locally, sign in to the Azure CLI by using the az login command.

Get identity metadata

Get unique identifier for Entra ID user management

First, get the unique identifier used to manage Entra ID principals on the cluster.

  1. Get the details for the currently logged-in account using az ad signed-in-user.

    az ad signed-in-user show
    
  2. Get the details for another account using az ad user show.

    az ad user show --id kai@adventure-works.com
    
  3. The command outputs a JSON response containing various fields.

    {
      "@odata.context": "<https://microsoftgraph.chinacloudapi.cn/v1.0/$metadata#users/$entity>",
      "businessPhones": [],
      "displayName": "Kai Carter",
      "givenName": "Kai",
      "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
      "jobTitle": "Senior Sales Representative",
      "mail": "<kai@adventure-works.com>",
      "mobilePhone": null,
      "officeLocation": "Redmond",
      "preferredLanguage": null,
      "surname": "Carter",
      "userPrincipalName": "<kai@adventure-works.com>"
    }
    
  4. Record the value of the id property. This property is the unique identifier for your principal and is sometimes referred to as the principal ID. You use this value in the next series of steps.

Get friendly name using unique identifier

When you need to get a friendly name using unique identifier, follow these steps.

  1. Get the details for another account using az ad user show.

    az ad user show --id aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
    
  2. The command outputs a JSON response containing various fields.

    {
      "@odata.context": "<https://microsoftgraph.chinacloudapi.cn/v1.0/$metadata#users/$entity>",
      "businessPhones": [],
      "displayName": "Kai Carter",
      "givenName": "Kai",
      "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
      "jobTitle": "Senior Sales Representative",
      "mail": "<kai@adventure-works.com>",
      "mobilePhone": null,
      "officeLocation": "Redmond",
      "preferredLanguage": null,
      "surname": "Carter",
      "userPrincipalName": "<kai@adventure-works.com>"
    }
    
  3. Note the value of the mail and displayName properties.

Manage cluster authentication methods

Use the following steps to enable Microsoft Entra ID authentication method on your existing cluster. Then, add an Entra ID user mapped to your signed-in identity to the cluster. You can have native DocumentDB authentication only or native DocumentDB and Microsoft Entra ID authentication methods enabled on the cluster.

  1. On the cluster sidebar, under Settings, select Authentication.

  2. In Authentication methods section, select Native DocumentDB and Microsoft Entra ID to enable Microsoft Entra ID authentication.

    Screenshot that shows how to enable Microsoft Entra ID authentication method on an existing cluster.

  3. Select Save to confirm the authentication method changes.

    Screenshot that shows the location of Save button for confirmation of the authentication method changes on an existing cluster.

View authentication methods enabled on the cluster

Follow these steps to see authentication methods currently enabled on the cluster.

  1. On the cluster sidebar, under Settings, select Authentication.

  2. In the Authentication methods section, check authentication methods currently enabled on the cluster.

    Screenshot that shows how view authentication methods currently enabled on the cluster.

Manage Entra ID users on the cluster

Follow these steps to add or remove administrative Entra ID users to cluster.

  1. Select a cluster with Microsoft Entra ID authentication method enabled.

  2. On the cluster sidebar, under Settings, select Authentication.

  3. To add administrative Entra ID users:

    1. In the Microsoft Entra ID authentication section, select +Add Microsoft Entra ID to open the side panel that allows to add Entra ID users and security principals to the cluster.

      Screenshot that shows how to open the side panel that allows to add Microsoft Entra ID users and security principals to the cluster.

    2. In the Select Microsoft Entra ID roles side panel, select one or more Entra ID users and confirm your choice by selecting Select.

      Screenshot that shows how to select and add administrative Microsoft Entra ID users and security principals to the cluster.

    Note

    When administrative Microsoft Entra ID users are added to the cluster, their identifiers in aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb format not human readable names such as kai@adventure-works.com are added to the cluster.

  4. Select Save to confirm the authentication method changes.

  5. To remove administrative Entra ID users from the cluster:

    1. Get Entra ID identifiers for the users to be removed from the cluster.

    2. In the Microsoft Entra ID authentication section, select Remove next to the user's identifier to remove that user from the cluster.

    Screenshot that shows location of the Remove icon used to remove Microsoft Entra ID users and security principals from the cluster.

    Important

    User is removed from the cluster right after Remove is selected.

View Entra ID users on the cluster

When you view administrative users on a cluster, there's always one native built-in administrative user created during cluster provisioning and all administrative Entra ID users added to the cluster listed.

Follow these steps to see all administrative Entra ID users added to cluster.

  1. Select a cluster with Microsoft Entra ID authentication method enabled.

  2. On the cluster sidebar, under Settings, select Authentication.

  3. In the Microsoft Entra ID authentication section, find the list of object IDs (unique identifiers) for the administrative Entra ID users added to the cluster.

    Screenshot that shows how to view the list of administrative Microsoft Entra ID users on the cluster.

  4. To get friendly names using a unique identifier, follow these steps.

Note

An Azure Cosmos DB for MongoDB vCore cluster is created with one built-in native DocumentDB user. You can add more native DocumentDB users after cluster provisioning is completed. Microsoft Entra ID users added to the cluster are going to be in addition to native DocumentDB users defined on the same cluster.

Connect to the cluster

You can connect to the cluster using either a connection URI or a custom settings object from the driver for your preferred language. In either option, the scheme must be set to mongodb+srv to connect to the cluster. The host is at either the *.global.mongocluster.cosmos.azure.com or *.mongocluster.cosmos.azure.com domain depending on whether you're using the current cluster or global read-write endpoint. The +srv scheme and the *.global.* host ensures that your client is dynamically connected to the appropriate writable cluster in a multi-cluster configuration even if a region swap operation occurs. In a single-cluster configuration, you can use either connection string indiscriminately.

The tls setting must also be enabled. The remaining recommended settings are best practice configuration settings.

Option Value
scheme mongodb+srv
host <cluster-name>.global.mongocluster.cosmos.azure.com or <cluster-name>.mongocluster.cosmos.azure.com
tls true
authMechanism MONGODB-OIDC
retrywrites false
maxIdleTimeMS 120000

On the cluster properties page in the Azure portal, under Settings, open Connection strings. The Connection strings page contains connection strings for the authentication methods enabled on the cluster. Microsoft Entra ID connection strings are in the Microsoft Entra ID section.

  • Global

    mongodb+srv://<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000
    
  • Cluster

    mongodb+srv://<cluster-name>.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000