Sündmused
Tehisintelektirakenduste ja agentide koostamine
17. märts, 21 - 21. märts, 10
Liituge sarjaga, et luua muude arendajate ja ekspertidega skaleeritavad tehisintellektilahendused, mis põhinevad reaalajas kasutusjuhtumitel.
Registreeruge koheDisable key-based authentication with Azure Cosmos DB for NoSQL
APPLIES TO: 
NoSQL
Diagram of the sequence of the deployment guide including these locations, in order: Overview, Concepts, Prepare, Role-based access control, Network, and Reference. The 'Prepare' location is currently highlighted.
This article covers the process of disabling key-based authorization (or resource owner password credential auth) for an Azure Cosmos DB for NoSQL account.
Disabling key-based authorization prevents your account from being used without the more secure Microsoft Entra authentication method. This procedure is a step that should be performed on new accounts in secure workloads. Alternatively, perform this procedure on existing accounts being migrated to a secure workload pattern.
- An Azure account with an active subscription. Create an account for free.
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
- If you choose to use Azure PowerShell locally:
- Install the latest version of the Az PowerShell module.
- Connect to your Azure account using the Connect-AzAccount cmdlet.
- If you choose to use Azure Cloud Shell:
- See Overview of Azure Cloud Shell for more information.
First, disable key-based authentication to your existing account so that applications are required to use Microsoft Entra authentication. Use az resource update to modify properties.disableLocalAuth of the existing account.
Azure CLI
az resource update \
--resource-group "<name-of-existing-resource-group>" \
--name "<name-of-existing-account>" \
--resource-type "Microsoft.DocumentDB/databaseAccounts" \
--set properties.disableLocalAuth=true
First, create a new account with key-based authentication disabled so that applications are required to use Microsoft Entra authentication.
Create a new Bicep file to deploy your new account with key-based authentication disabled. Name the file deploy-new-account.bicep.
Bicepmetadata description = 'Deploys a new Azure Cosmos DB account with key-based auth disabled.' @description('Name of the Azure Cosmos DB account.') param name string = 'csms-${uniqueString(resourceGroup().id)}' @description('Primary location for the Azure Cosmos DB account.') param location string = resourceGroup().location resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = { name: name location: location kind: 'GlobalDocumentDB' properties: { databaseAccountOfferType: 'Standard' locations: [ { locationName: location } ] disableLocalAuth: true } }Use
az deployment group createto deploy the Bicep file with the new account.Azure CLIaz deployment group create \ --resource-group "<name-of-existing-resource-group>" \ --template-file deploy-new-account.bicep
First, disable key-based authentication to your existing account so that applications are required to use Microsoft Entra authentication. Use Get-AzResource and Set-AzResource to respectively read and update the existing account.
Azure PowerShell
$parameters = @{
ResourceGroupName = "<name-of-existing-resource-group>"
ResourceName = "<name-of-existing-account>"
ResourceType = "Microsoft.DocumentDB/databaseAccounts"
}
$resource = Get-AzResource @parameters
$resource.Properties.DisableLocalAuth = $true
$resource | Set-AzResource -Force
Attempt to use the Azure SDK to connect to Azure Cosmos DB for NoSQL using a resource-owner password credential (ROPC). This attempt should fail. If necessary, code samples for common programming languages are provided here.
C#
using Microsoft.Azure.Cosmos;
string connectionString = "AccountEndpoint=<nosql-endpoint>;AccountKey=<key>;";
CosmosClient client = new(connectionString);
Oluline
This code sample uses the Microsoft.Azure.Cosmos library from NuGet.
Lisaressursid
Koolitus
Moodul
Implement security in Azure Cosmos DB for NoSQL - Training
We will learn the different security models that Azure Cosmos DB uses.
Sertimine
Microsoft Certified: Azure Cosmos DB Developer Specialty - Certifications
Write efficient queries, create indexing policies, manage, and provision resources in the SQL API and SDK with Microsoft Azure Cosmos DB.
Dokumentatsioon
-
Create managed identities - Azure Cosmos DB for NoSQL
Review the steps required to create user-assigned or system-assigned managed identities for use with Azure hosting services that connect to Azure Cosmos DB for NoSQL.
-
Security overview and guidance - Azure Cosmos DB
Review the various areas of consideration and techniques available where it relates to Azure Cosmos DB security.
-
Use data plane role-based access control - Azure Cosmos DB for NoSQL
Grant access to run queries, manage entities, and perform operations using role-based access control, Microsoft Entra, and Azure Cosmos DB for NoSQL.