Security guidance for Azure Cosmos DB for NoSQL

APPLIES TO: NoSQL

Diagram of the current location ('Overview') in the sequence of the deployment guide.

Diagram of the sequence of the deployment guide including these locations, in order: Overview, Concepts, Prepare, Role-based access control, Network, and Reference. The 'Overview' location is currently highlighted.

When working with Azure Cosmos DB for NoSQL, it's important to ensure that authorized users and applications have access to data while preventing unintentional or unauthorized access.

While using keys and resource owner password credentials might seem like a convenient option, it isn't recommended due to several reasons. Firstly, these methods lack the robustness and flexibility provided by Microsoft Entra authentication. Microsoft Entra offers enhanced security features such as multifactor authentication and conditional access policies, which greatly reduce the risk of unauthorized access. By using Microsoft Entra, you can significantly enhance the security posture of your applications and protect sensitive data from potential threats.

Manage access

Role-based access control using Microsoft Entra gives you the ability to manage which users, devices, or workloads can access your data and to what extent they can access that data. Using fine-grained permissions in a role definition gives you the flexibility to enforce the security principal of "least privilege" while keeping data access simple and streamlined for development.

Grant access in production

In production applications, Microsoft Entra offers many identity types including, but not limited to:

  • Workload identities for specific application workloads
  • System-assigned managed identities native to an Azure service
  • User-assigned managed identities that can be flexibly reused between multiple Azure services
  • Service principals for custom and more sophisticated scenarios
  • Device identities for edge workloads

With these identities, you can grant specific production applications or workloads fine-grained access to query, read, or manipulate resources in Azure Cosmos DB.

Grant access in development

In development, Microsoft Entra offers the same level of flexibility to your developer's human identities. You can use the same role-based access control definitions and assignment techniques to grant your developers access to test, staging, or development database accounts.

Your security team has a single suite of tools to manage identities and permissions for your accounts across all of your environments.

Streamline authentication code

With the Azure SDK, the techniques used to access Azure Cosmos DB data programatically across many different scenarios:

  • If your application is in development or production
  • If you're using human, workload, managed, or device identities
  • If your team prefers using Azure CLI, Azure PowerShell, Azure Developer CLI, Visual Studio, or Visual Studio Code
  • If your team uses Python, JavaScript, TypeScript, .NET, Go, or Java

The Azure SDK provides an identity library that's compatible with many platforms, development language, and authentication techniques. Once you learn how to enable Microsoft Entra authentication, the technique remains the same across all of your scenarios. There's no need to build distinct authentication stacks for each environment.

Next step