Cosmos DB: Enforcing RBAC as the only authentication method + Data Explorer in Azure Portal

asked 2023-01-16T13:53:06.6633333+00:00
Verschinin Valentin 0 Reputation points

Hello,

We have created a cosmos account (Serverless mode and SQL API) and enforced RBAC on the resource by setting "disableLocalAuth": true. We have set the sql-role to "Cosmos DB Built-in Data Contributor" (00000000-0000-0000-0000-000000000002) on the account level.

As a consequence, we are no longer able to use Data Explorer in the Azure Portal. The error message we always get is

"Local Authorization is disabled. Use an AAD token to authorize all requests."

If you open the browser's developer tools, you can clearly see that it tries to connect with
type%3dmaster%26ver%3d1.0%26sig%3d...

in the request header, i.e. using the master key (https://learn.microsoft.com/en-us/rest/api/cosmos-db/access-control-on-cosmosdb-resources).

Is this known or expected behavior? It seems that the Data Explorer doesn't support RBAC for Cosmos DB accounts.

Thanks for your help. Best, Valentin

1 answer
  1. answered 2023-01-17T10:07:16.21+00:00
    ShaktiSingh-MSFT 4,671 Reputation points Microsoft Employee

    Hi @Verschinin Valentin ,

    The data explorer exposed in the Azure portal does not support the Azure Cosmos DB RBAC yet. To use your Azure AD identity when exploring your data, you must use the Azure Cosmos DB Explorer instead.

    When you access the Azure Cosmos DB Explorer with the specific ?feature.enableAadDataPlane=true query parameter and sign in, the following logic is used to access your data:

    1. A request to fetch the account's primary key is attempted on behalf of the identity signed in. If this request succeeds, the primary key is used to access the account's data.
    2. If the identity signed in isn't allowed to fetch the account's primary key, this identity is directly used to authenticate data access. In this mode, the identity must be assigned with proper role definitions to ensure data access.

    We recommend that you create a feedback request on the Azure Cosmos DB feedback channel so that the team can work on it.

    If this answers your query, click Accept Answer and Up-Vote. And if you have any further query, do let us know.
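The question shows the portal's Data Explorer sending a `type=master` authorization header, and the answer explains that RBAC-only access requires an Azure AD token instead. The following is an added example, not code from the question, the answer or Microsoft: it builds both header shapes as documented in the access-control page linked above (master key: HMAC-SHA256 over verb, resource type, resource link and date; AAD: the bearer token in place of the signature), decodes captured headers, and flags the requests that would be rejected once `disableLocalAuth` is `true`. The master key, token and log lines are constructed sample data.

```python
"""Decode and classify Azure Cosmos DB REST 'authorization' headers.

Added example, not from the original thread. Header format per
https://learn.microsoft.com/en-us/rest/api/cosmos-db/access-control-on-cosmosdb-resources
The key, token and log lines below are constructed, not real credentials.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed sample key (64 bytes, base64) standing in for an account master key.
SAMPLE_MASTER_KEY = base64.b64encode(bytes(range(64))).decode()


def master_key_auth_header(verb: str, resource_type: str, resource_link: str,
                           date_rfc1123: str, master_key_b64: str) -> str:
    """Build the header a master-key client (e.g. the portal Data Explorer) sends."""
    # Documented string-to-sign: lowercase verb, lowercase resource type,
    # resource link, lowercase RFC 1123 date, then an empty line.
    payload = (f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n"
               f"{date_rfc1123.lower()}\n\n")
    key = base64.b64decode(master_key_b64)
    digest = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.b64encode(digest).decode()
    # The whole value is URL-encoded, which is why '=' and '&' show up as %3d / %26.
    return quote(f"type=master&ver=1.0&sig={sig}", safe="")


def aad_auth_header(access_token: str) -> str:
    """Build the header for Azure AD auth: the OAuth token replaces the HMAC signature."""
    return quote(f"type=aad&ver=1.0&sig={access_token}", safe="")


def parse_auth_header(header: str) -> dict:
    """URL-decode the header and return its type/ver/sig fields.

    Split manually rather than with parse_qs: base64 signatures contain '+',
    which parse_qs would turn into a space.
    """
    fields = {}
    for part in unquote(header).split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def auth_type(header: str) -> str:
    """'master', 'resource' or 'aad' (or 'unknown' for a malformed header)."""
    return parse_auth_header(header).get("type", "unknown")


def requests_rejected_by_disable_local_auth(log_lines):
    """Return request ids whose auth is not AAD; these fail with
    'Local Authorization is disabled' once disableLocalAuth is true."""
    rejected = []
    for line in log_lines:
        req_id, _, header = line.partition(" authorization=")
        if auth_type(header) != "aad":
            rejected.append(req_id)
    return rejected


# Constructed sample log: one master-key request, one AAD request, one resource token.
SAMPLE_LOG = [
    "req-1 authorization=" + master_key_auth_header(
        "GET", "dbs", "dbs/ToDoList", "Thu, 27 Apr 2017 00:51:12 GMT", SAMPLE_MASTER_KEY),
    "req-2 authorization=" + aad_auth_header("eyJ.constructed.sample.token"),
    "req-3 authorization=" + quote("type=resource&ver=1.0&sig=constructedResourceToken", safe=""),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        req_id, _, header = line.partition(" authorization=")
        print(req_id, auth_type(header))
    print("rejected with disableLocalAuth=true:",
          requests_rejected_by_disable_local_auth(SAMPLE_LOG))
```

Running the classifier over real gateway or proxy logs before flipping `disableLocalAuth` shows which clients still rely on the master key and will break, which is exactly the situation the portal Data Explorer ends up in here.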