Azure DocumentDB read-write access to specific databases

Anthony Slabinck 0 Reputation points
2025-11-20T12:34:28.25+00:00

We were excited to see the announcement of Azure DocumentDB at the recent Azure Ignite.

Currently we are doing a small POC and we were able to successfully connect our Spring Boot application to the cluster using Microsoft Entra ID authentication. However, when trying to achieve database-level isolation (using both native DocumentDB users and Microsoft Entra ID identities), we encountered issues, even though the documentation clearly states this should be possible:

“Nonadministrative users typically hold restricted roles, such as read-only or read-write access to specific databases, but lack the ability to perform cluster-wide administrative actions.”

Further down, the documentation provides an example of registering a principal as a readWrite user on the sales database.

https://learn.microsoft.com/en-us/azure/documentdb/how-to-connect-role-based-access-control?pivots=rest-api#enable-microsoft-entra-id-authentication

However, when we attempt this via Azure CLI:

C:\Users\john.doe> az resource create --resource-group "rg-johndoe-sbx" --name "mongojohndoe/users/<some-id>" --resource-type "Microsoft.DocumentDB/mongoClusters/users" --location "germanywestcentral" --properties "{"identityProvider":{"type":"MicrosoftEntraID","properties":{"principalType":"User"}},"roles":[{"db":"customers","role":"readWrite"}]}" --latest-include-preview

(bad_request) Provided database for role assignment is not valid (allowed: 'admin', provided: 'customers').

We also tried creating a secondary native user with the administrative native user via mongosh:

[mongos] customers> db.createUser({
  user: "admin.customers", pwd: "secret",
  roles: [{ role: "readWrite", db: "customers" }]
})

MongoServerError[RoleNotFound]: The specified value for the role is invalid: 'readWrite'.

For comparison, we tested the same scenario on a MongoDB instance running in Docker, and there we were able to achieve this isolation successfully using db.createUser() with readWrite on the target database.

Although the documentation clearly states that database-level RBAC should be possible, our attempts to implement it have failed. Could you please clarify:

Is database-level RBAC fully supported in the current preview for Azure DocumentDB? Is this a known limitation of the preview or a potential bug or are we just doing something wrong?

Azure Cosmos DB
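As an added example (not code from the post or from Microsoft's documentation), the script below builds the same user payload the question's az command sends, passes it to az as one argv element so no cmd.exe quoting is involved, and then compares the roles the service reports back with the ones requested, so a grant that ends up on a broader scope than the target database is caught rather than silently accepted. Resource group, cluster name and principal object id are placeholders; the resource type, property names and flags are the ones shown in the question.

```python
import json
import subprocess

# Resource type and property schema as used in the question's az command.
USER_RESOURCE_TYPE = "Microsoft.DocumentDB/mongoClusters/users"


def build_user_properties(principal_type: str, roles: list[tuple[str, str]]) -> dict:
    """Properties payload for an Entra ID user: principalType plus (db, role) pairs."""
    return {
        "identityProvider": {"type": "MicrosoftEntraID",
                             "properties": {"principalType": principal_type}},
        "roles": [{"db": db, "role": role} for db, role in roles],
    }


def az_create_user_argv(rg: str, cluster: str, principal_id: str, location: str,
                        props: dict) -> list[str]:
    """argv for `az resource create`; the JSON travels as a single argument, which
    avoids the nested double quotes the cmd.exe command in the question relies on."""
    return ["az", "resource", "create", "--resource-group", rg,
            "--name", f"{cluster}/users/{principal_id}",
            "--resource-type", USER_RESOURCE_TYPE, "--location", location,
            "--properties", json.dumps(props),
            "--latest-include-preview", "--output", "json"]


def role_mismatch(created: dict, requested: list[tuple[str, str]]) -> dict:
    """Compare roles the service stored with the ones requested. 'extra' roles (for
    example readWrite on 'admin' instead of the target db) mean a wider grant."""
    got = {(r["db"], r["role"]) for r in created.get("properties", {}).get("roles", [])}
    want = set(requested)
    return {"missing": sorted(want - got), "extra": sorted(got - want)}


def create_scoped_user(rg, cluster, principal_id, location, principal_type, roles) -> dict:
    """Create the user and refuse to continue if the stored roles differ from the request.
    In the preview described in the question, a non-admin db makes az exit non-zero
    (bad_request), which surfaces here as CalledProcessError."""
    argv = az_create_user_argv(rg, cluster, principal_id, location,
                               build_user_properties(principal_type, roles))
    created = json.loads(subprocess.run(argv, capture_output=True, text=True,
                                        check=True).stdout)
    diff = role_mismatch(created, roles)
    if diff["missing"] or diff["extra"]:
        raise RuntimeError(f"stored roles differ from request: {diff}")
    return created


if __name__ == "__main__":
    # Placeholder names: substitute your own resource group, cluster and object id.
    print(create_scoped_user("rg-johndoe-sbx", "mongojohndoe", "<principal-object-id>",
                             "germanywestcentral", "User", [("customers", "readWrite")]))
```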

1 answer

  1. Q&A Assist
    2025-11-20T12:34:49.7333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Database-level role-based access control (RBAC) is indeed a feature that is intended to be supported in Azure DocumentDB, particularly when using Microsoft Entra ID for authentication. However, based on the error messages you are encountering, it appears that there may be some limitations or bugs in the current preview version of Azure DocumentDB regarding this functionality.

    1. Role Assignment Issues: The error message you received when trying to assign the readWrite role to the customers database indicates that the provided database for role assignment is not valid. This could suggest that the customers database is not recognized in the context of your role assignment, or that there are restrictions in the preview version that are not well documented.
    2. Role Creation Issues: The error from mongosh regarding the readWrite role being invalid also points to potential limitations in the role definitions available in the Azure DocumentDB environment compared to a standard MongoDB instance.

    Given these issues, it is possible that database-level RBAC is not fully functional in the current preview of Azure DocumentDB, or that there are specific configurations or prerequisites that need to be met to enable this feature successfully.

    To clarify your situation:

    • Ensure that the customers database is created and accessible before attempting to assign roles to it.
    • Check if there are any specific requirements or limitations mentioned in the Azure documentation regarding role assignments in the preview version.
    • It may also be beneficial to reach out to Azure support or forums for insights on whether this is a known limitation or bug in the preview.

    In summary, while database-level RBAC is intended to be supported, your experience suggests that there may be issues in the current preview version that could be affecting its functionality.
