Azure DocumentDB read-write access to specific databases

Question

We were excited to see the announcement of Azure DocumentDB at the recent Azure Ignite.

Currently we are doing a small POC and we were able to successfully connected our Spring Boot application to the cluster using Microsoft Entra ID authentication. However, when trying to achieve database-level isolation (using both native DocumentDB users and Microsoft Entra ID identities), we encountered issues, even though the documentation clearly states this should be possible:

“Nonadministrative users typically hold restricted roles, such as read-only or read-write access to specific databases, but lack the ability to perform cluster-wide administrative actions.”

Further down, the documentation provides an example of registering a principal as a readWrite user on the sales database.

https://learn.microsoft.com/en-us/azure/documentdb/how-to-connect-role-based-access-control?pivots=rest-api#enable-microsoft-entra-id-authentication

However, when we attempt this via Azure CLI:

C:\Users\john.doe> az resource create --resource-group "rg-xxxxxxxxx" --name "xxxxxxx/users/<some-id>" --resource-type "Microsoft.DocumentDB/mongoxxxxx/usxxx" --location "germanywestcentral" --properties "{"identityProvider":{"type":"MicrosoftEntraID","properties":{"principalType":"User"}},"roles":[{"db":"customers","role":"readWrite"}]}" --latest-include-preview

(bad_request) Provided database for role assignment is not valid (allowed: 'admin', provided: 'customers').

We also tried creating a secondary native user with the administrative native user via mongosh:

[mongos] customers> db.createUser({

   user: "admin.customers", pwd: "secret",

   roles: [{ role: "readWrite", db: "customers" }]

})

MongoServerError[RoleNotFound]: The specified value for the role is invalid: 'readWrite'.

 

For comparison, we tested the same scenario on a MongoDB instance running in Docker, and there we were able to achieve this isolation successfully using db.createUser() with readWrite on the target database.

 

Although the documentation clearly states that database-level RBAC should be possible, our attempts to implement it have failed. Could you please clarify:

 

Is database-level RBAC fully supported in the current preview for Azure DocumentDB? Is this a known limitation of the preview or a potential bug or are we just doing something wrong?

Microsoft moderators note: Removed PII information for security Reasons.

 

Answer 1

Hi Anthony Slabinck,

Thanks for detailing the scenario, I understand how important database-level isolation is for your applications, especially when enforcing least‑privilege access with workload identities. You’re right that the documentation describes scenarios where non‑administrative users can hold restricted roles on specific databases. However, in the current Azure DocumentDB preview, role assignments are limited to the admin database. This means that while authentication with Microsoft Entra ID identities works, assigning readWrite directly on a database like customers isn’t yet supported.

When you’re designing for strict isolation. For now, the supported approach is to use cluster‑wide roles (e.g., readWriteAnyDatabase) scoped to admin.

If isolation is critical, we recommend either provisioning separate clusters per application or enforcing guardrails at the application layer until database‑level RBAC becomes available.

This is a limitation of the preview, not a misconfiguration on your side. Microsoft is actively expanding RBAC capabilities, and we’ll keep you updated as database‑level role support rolls out

Answer 2

Database-level role-based access control (RBAC) is indeed a feature that is intended to be supported in Azure DocumentDB, particularly when using Microsoft Entra ID for authentication. However, based on the error messages you are encountering, it appears that there may be some limitations or bugs in the current preview version of Azure DocumentDB regarding this functionality.

1. Role Assignment Issues: The error message you received when trying to assign the readWrite role to the customers database indicates that the provided database for role assignment is not valid. This could suggest that the customers database is not recognized in the context of your role assignment, or that there are restrictions in the preview version that are not well documented.
2. Role Creation Issues: The error from mongosh regarding the readWrite role being invalid also points to potential limitations in the role definitions available in the Azure DocumentDB environment compared to a standard MongoDB instance.

Given these issues, it is possible that database-level RBAC is not fully functional in the current preview of Azure DocumentDB, or that there are specific configurations or prerequisites that need to be met to enable this feature successfully.

To clarify your situation:

• Ensure that the customers database is created and accessible before attempting to assign roles to it.
• Check if there are any specific requirements or limitations mentioned in the Azure documentation regarding role assignments in the preview version.
• It may also be beneficial to reach out to Azure support or forums for insights on whether this is a known limitation or bug in the preview.

In summary, while database-level RBAC is intended to be supported, your experience suggests that there may be issues in the current preview version that could be affecting its functionality.