Role required to read/write data from Cosmos DB (SQL API) from ADF?

Ashutosh Saini 31 Reputation points

We are trying to read/write data from Azure Data Factory. Since local authentication is disabled in Cosmos DB, we are trying to access Cosmos DB using managed identity.
However, even with the Cosmos DB Account Contributor role assigned to the managed identity of ADF, we are still getting the auth error below:

CosmosDbSqlApi operation Failed. ErrorMessage: Request blocked by Auth cosmosDB-02 : Request is blocked because principal [0000000] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]. Learn more: ActivityId: abcd-xycz, Microsoft.Azure.Documents.Common/2.14.0, Windows/10.0.17763 cosmos-netstandard-sdk/3.19.3.


Accepted answer
  1. PRADEEPCHEEKATLA-MSFT 59,336 Reputation points Microsoft Employee

    Hello @Ashutosh Saini ,

    Thanks for the question and using MS Q&A platform.

    The error message says that your principal [0000000] does not have the required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on the resource, which means it doesn't have proper permissions to read metadata.

    Grant the service principal proper permission. More specifically, create a role definition, and assign the role to the service principal via the service principal object ID.

    To resolve this issue, you need the roles "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor" created and assigned to the service principal.

    Azure Cosmos DB exposes two built-in role definitions:


    For more details, refer to Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account.

    Hope this helps. Please let us know if you have any further queries.


    2 people found this answer helpful.
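
The following is an added example, not part of the original answer or of Microsoft's documentation. It reads the bracketed fields of the error quoted in the question, finds the least-privileged built-in data-plane role that grants the blocked action, and prints the matching `az cosmosdb sql role assignment create` command without running it. The role definition IDs and data actions are the ones Microsoft documents for the two built-in roles; the function names, `my-cosmos-account` and `my-rg` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pick the least-privileged Cosmos DB built-in data-plane role
# for the action named in a "Request blocked by Auth" error.

# Built-in role definition IDs and their data actions (Microsoft-documented).
READER_ID="00000000-0000-0000-0000-000000000001"       # Cosmos DB Built-in Data Reader
CONTRIBUTOR_ID="00000000-0000-0000-0000-000000000002"  # Cosmos DB Built-in Data Contributor
P="Microsoft.DocumentDB/databaseAccounts"
READER_ACTIONS="$P/readMetadata $P/sqlDatabases/containers/items/read
  $P/sqlDatabases/containers/executeQuery $P/sqlDatabases/containers/readChangeFeed"
CONTRIBUTOR_ACTIONS="$P/readMetadata $P/sqlDatabases/containers/*
  $P/sqlDatabases/containers/items/*"

# Nth [bracketed] field of the error text: 1=principal, 2=action, 3=resource scope.
field() { printf '%s\n' "$1" | grep -o '\[[^]]*]' | sed -n "${2}{s/^.//;s/.\$//;p;}"; }

# Succeeds if action $1 matches a glob pattern in list $2 (subshell keeps set -f local).
grants() (
  set -f
  for pat in $2; do
    case "$1" in $pat) exit 0 ;; esac
  done
  exit 1
)

# Print the ID of the narrowest built-in role that grants action $1.
least_role_id() {
  if grants "$1" "$READER_ACTIONS"; then echo "$READER_ID"
  elif grants "$1" "$CONTRIBUTOR_ACTIONS"; then echo "$CONTRIBUTOR_ID"
  else return 1   # not covered by a built-in data role
  fi
}

# Print (do not run) the role assignment for error text $1, account $2, resource group $3.
assignment_cmd() {
  local principal action scope role
  principal=$(field "$1" 1); action=$(field "$1" 2); scope=$(field "$1" 3)
  role=$(least_role_id "$action") || { echo "no built-in data role grants $action" >&2; return 1; }
  # --principal-id takes the object ID of the identity, here the value from the error.
  echo "az cosmosdb sql role assignment create --account-name $2 --resource-group $3" \
       "--scope \"$scope\" --principal-id $principal --role-definition-id $role"
}

# Constructed sample: the error text from the question above.
ERR='Request is blocked because principal [0000000] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/].'
assignment_cmd "$ERR" my-cosmos-account my-rg   # hypothetical account and group names
```

For `readMetadata` the result is the Data Reader role; a pipeline that also writes will next be blocked on an items action such as `.../containers/items/upsert`, for which `least_role_id` returns the Data Contributor role.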
