Unable to connect to Azure Cosmos DB (MongoDB vCore) using Microsoft Entra ID in MongoDB Shell

Harikant Kumar 20 Reputation points
2025-11-20T13:26:41.4166667+00:00

Hi, I have an Azure Cosmos DB (MongoDB vCore) instance, have enabled Microsoft Entra ID authentication, and have added one of the AAD users.

Now I am trying to connect using mongosh or MongoDB Compass, but it does not work.

From mongosh I get the error "MongoInvalidArgumentError: Host 'XXXXXXXXXXX-000.global.mongocluster.cosmos.azure.com:10260' is not valid for OIDC authentication with ALLOWED_HOSTS of '.mongodb.net,.mongodb-qa.net,.mongodb-dev.net,.mongodbgov.net,localhost,127.0.0.1,::1'"

In MongoDB Compass, I have enabled the option Consider Target Endpoint Trusted, so I am not getting the above error, but Compass never opens a browser to authenticate the user and it says "The token provided is not valid. Did not find a valid JWT token in the payload."

Reference document: https://learn.microsoft.com/en-us/azure/documentdb/how-to-connect-role-based-access-control?pivots=rest-api


Answer accepted by question author
  1. Manoj Kumar Boyini 1,250 Reputation points Microsoft External Staff Moderator
    2025-11-20T14:37:43.1+00:00

    Hi Harikant Kumar,

    Thank you for reaching out to Microsoft QA! Thank you for confirming your setup and for following the official documentation.

    The issue you are experiencing is due to a limitation in the current versions of mongosh and MongoDB Compass: they do not yet support Microsoft Entra ID (OIDC) authentication for Azure Cosmos DB for MongoDB vCore endpoints. The error about the host not being valid for OIDC authentication, and the lack of a browser prompt in Compass, are both caused by missing support in these tools for Cosmos DB’s specific OIDC flow and hostname.

    At this time, the only officially supported way to connect with Microsoft Entra ID is through application code using supported SDKs (like .NET, Node.js, or Python) that use Azure identity libraries and can correctly acquire and pass OIDC tokens to Cosmos DB. Neither mongosh nor Compass currently has the capability to complete the required OIDC authentication with Cosmos DB for MongoDB vCore.

    There is no workaround available in the shell or in Compass until developers add this support in a future update. This limitation is documented and known by both Microsoft and the MongoDB community.

    Helpful References:

    1. https://learn.microsoft.com/en-us/azure/documentdb/troubleshoot-common-issues
    2. https://learn.microsoft.com/en-us/azure/documentdb/how-to-connect-role-based-access-control?pivots=rest-api

    Hope this helps. Do let us know if you have any further queries.

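The accepted answer points to application code with an Azure identity library as the supported route. The following is an added example, not code from this thread, from Microsoft or from MongoDB: it wires pymongo's MONGODB-OIDC callback to azure-identity's DefaultAzureCredential, using the same URI shape quoted elsewhere in this thread, and adds a stdlib-only sanity check that the token handed to the driver is a three-part, unexpired JWT, which is the shape the server is complaining about in "Did not find a valid JWT token in the payload". The token scope COSMOS_MONGO_SCOPE, the cluster name, and the helper names are assumptions; confirm the scope against the linked Microsoft documentation for your deployment.

```python
"""Connect to Azure Cosmos DB for MongoDB vCore with a Microsoft Entra ID token
from application code, and sanity-check the token before handing it to the driver."""
import base64
import json
import time
from typing import Optional

# Assumption: the Entra ID token scope for this service. Verify it against the
# Microsoft documentation linked in the thread before relying on it.
COSMOS_MONGO_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for local testing only (signature is a
    placeholder). Real tokens come from azure-identity, never from this helper."""
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Return the unverified claims of a JWT. Raises ValueError when the string
    is not header.payload.signature, i.e. not a JWT at all."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"JWT payload is not base64url-encoded JSON: {exc}") from exc


def token_looks_usable(token: str, now: Optional[float] = None) -> bool:
    """Cheap client-side check: JWT-shaped and not expired. Signature and audience
    are verified by the service, not here; this only catches the obvious case of
    passing something that is not a bearer JWT."""
    try:
        claims = decode_jwt_claims(token)
    except ValueError:
        return False
    now = time.time() if now is None else now
    return float(claims.get("exp", 0)) > now


def build_connection_string(cluster_name: str) -> str:
    """Same URI shape as in the thread. No username or password in the URI:
    the OIDC callback supplies the credential."""
    return (
        f"mongodb+srv://{cluster_name}.global.mongocluster.cosmos.azure.com/"
        "?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000"
    )


def connect_with_entra_id(cluster_name: str):
    """Return a MongoClient whose OIDC callback fetches Entra ID tokens through
    azure-identity. Requires pymongo>=4.7 and azure-identity; they are imported
    here so the stdlib helpers above stay usable without them installed."""
    from azure.identity import DefaultAzureCredential
    from pymongo import MongoClient
    from pymongo.auth_oidc import OIDCCallback, OIDCCallbackContext, OIDCCallbackResult

    class AzureIdentityCallback(OIDCCallback):
        def __init__(self, credential):
            self._credential = credential

        def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
            # The driver calls this when it needs a (fresh) token; azure-identity
            # handles caching and refresh of the underlying credential.
            token = self._credential.get_token(COSMOS_MONGO_SCOPE).token
            if not token_looks_usable(token):
                raise RuntimeError("azure-identity returned a non-JWT or expired token")
            return OIDCCallbackResult(access_token=token)

    return MongoClient(
        build_connection_string(cluster_name),
        authMechanismProperties={"OIDC_CALLBACK": AzureIdentityCallback(DefaultAzureCredential())},
    )


if __name__ == "__main__":
    # Example usage; "my-cluster" is a placeholder, not a real cluster name.
    client = connect_with_entra_id("my-cluster")
    print(client.admin.command("ping"))
```

DefaultAzureCredential resolves to whatever identity is available where the code runs (Azure CLI login, managed identity, environment variables), so the same code serves a developer workstation and a deployed service; the identity it resolves to must be the one you granted access to the cluster.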

1 additional answer

  1. Q&A Assist
    2025-11-20T13:27:12.2966667+00:00
    AI generated content. This answer was created with AI from Q&A Assist.

    To resolve the connection issues you're experiencing with Azure Cosmos DB (MongoDB vCore) using Microsoft Entra ID, consider the following points:

    1. Host Validation Error: The error message you received indicates that the host you're trying to connect to is not included in the allowed hosts for OIDC authentication. Ensure that your Azure Cosmos DB endpoint is correctly configured and that it matches the allowed hosts specified in your Azure settings. You may need to add your specific host to the allowed hosts list in your Azure configuration.
    2. MongoDB Compass Authentication: Since you're not seeing the browser prompt for authentication in MongoDB Compass, ensure that you have the Consider Target Endpoint Trusted option enabled. If you still encounter the JWT token error, verify that your Microsoft Entra ID setup is correct and that the user has the necessary permissions to access the Azure Cosmos DB instance. Additionally, check if the token being generated is valid and correctly formatted.
    3. Connection String: Make sure that you are using the correct connection string format for both mongosh and MongoDB Compass. The connection string should look like this:
         mongodb+srv://<client-id>@<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000
      
      Replace <client-id> and <cluster-name> with your actual values.
    4. Local Environment: If you are running the MongoDB Shell or Compass from a local environment, ensure that your local firewall settings allow outbound connections to the Azure Cosmos DB endpoint.

    If these steps do not resolve your issues, consider checking the Azure documentation for any updates or additional troubleshooting steps related to Microsoft Entra ID authentication.
