How to use Azure Cosmos DB REST (Data plane) API with AAD RBAC?

James G Foster 46 Reputation points

I am attempting to make a REST request following these instructions which states "The Azure Cosmos DB RBAC is currently supported with the 2021-03-15 version of REST API." Yet when I make a request I get the response "Invalid API version. Ensure a valid x-ms-version header value is passed."

According to this the "latest version" is 2017-02-22 but there are a number of more recent versions, the most recent of which is 2018-12-31. If I switch to 2018-12-31 I get the error "Request blocked by Auth hts : Provided token does not have a valid signature. Please ensure that the AAD token is not being modified before use." I'm pretty sure the token is valid since I can decode it here.

Following is the relevant Dart code:

   Future<String> getCollections() async {  
       await waitForInitialization();  
       var url = 'https://$$databaseName/colls/';  
       var uri = Uri.parse(url);  
       var headers = {  
         'Authorization': 'type=aad&ver=1.0&sig=$_token',  
         'Content-Type': 'application/json',  
         'x-ms-version': '2021-03-15',  
       var response;  
       try {  
         response = await http.get(uri, headers: headers);  
       } catch (e) {  
         throw StateError(e.toString());  
       if (response.statusCode != 200) {  
         throw StateError(response.body);  
       return response.body;  
Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,438 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,396 questions
{count} votes

Accepted answer
  1. Saurabh Sharma 23,671 Reputation points Microsoft Employee

    Hi @James G Foster ,

    I have checked the REST call with .NET code and it works fine with the above scope and with "x-ms-version" as "2018-12-31".
    Also, please make sure that you are providing RBAC permissions as mentioned over here
    I have assigned "Cosmos DB Built-in Data Contributor" role for my testing and it worked as expected.


    Also, here is how my token payload looks like -

    I having internal discussion with the products team as it looks like the version mentioned in the documentation is incorrect. Please let me know if you have any questions.


0 additional answers

Sort by: Most helpful