Connect to Azure DocumentDB using role-based access control and Microsoft Entra ID

Azure DocumentDB supports Microsoft Entra ID alongside native DocumentDB authentication. Each cluster is created with native authentication enabled and one built-in administrative user.

Role-based access control provides a centralized mechanism to assign and enforce permissions through Microsoft Entra ID, ensuring that only authorized identities can perform operations on your clusters. This approach simplifies governance, supports least-privilege principles, and makes auditing straightforward—helping organizations maintain operational integrity and compliance as deployments grow. Managing access in Azure DocumentDB involves two distinct levels:

Azure role-based access for managing the cluster as an Azure resource (such as reading metadata, managing firewall rules, and configuring private endpoints)
DocumentDB access for reading and writing data within databases and collections on the cluster.

Enable Microsoft Entra ID to allow Microsoft Entra principals (users, service principals, or managed identities) to authenticate to the cluster. Microsoft Entra ID authentication is implemented using OpenID Connect (OIDC). Clients present an Entra-issued OIDC access token to the MongoDB driver. A cluster must have native authentication enabled; the supported configurations are native-only or native and Microsoft Entra ID authentication. Microsoft Entra ID can't be the sole authentication method.

Note

You can enable or change authentication methods on a cluster at any time after provisioning. Changing authentication methods does not require a cluster restart and is nondisruptive. When a cluster is created, native DocumentDB authentication must be enabled. You can disable native authentication after the cluster is finished provisioning.

Benefits of using Microsoft Entra ID for authentication include:

Uniform identity and sign-in across Azure services.
Centralized management of credentials, password policies, and rotation.
Support for passwordless and multifactor authentication methods from Microsoft Entra ID.
Token-based authentication for applications, eliminating stored passwords.

When Microsoft Entra ID authentication is enabled, you can register one or more Microsoft Entra principals as administrative or nonadministrative users on the cluster. Registered principals become Azure resources under Microsoft.DocumentDB/mongoClusters/users and are replicated into the database; mapping these principals to MongoDB database roles grants the corresponding database privileges. This form of authentication supports multiple principal types including; human users, service principals (apps), user-assigned and system-assigned managed identities.

Note

You can configure multiple Microsoft Entra ID identities and types of identities as administrators for a cluster at the same time. Microsoft Entra ID identity types include, but aren't limited to:

Human identities
User-assigned managed identities
System-assigned managed identities
Workload identities

All identity types can be administrators simultaneously.

Administrative users have full privileges to manage the cluster and its data. Nonadministrative users can be added for ongoing production tasks that don't require administrative privileges. Nonadministrative users typically hold restricted roles, such as read-only or read-write access to specific databases, but lack the ability to perform cluster-wide administrative actions.

Review the following considerations before you use this feature:

Authentication methods on the primary cluster and on the replica cluster are managed independently.
Microsoft Entra principals are persistent in the cluster metadata. If a principal is deleted from Microsoft Entra ID, the corresponding cluster user remains but can no longer obtain new tokens. Existing tokens remain valid until they expire (typically up to 90 minutes from the issuance of the token).
To immediately revoke access, remove the principal from the cluster (delete the users/<principal-id> resource) and drop any associated database roles; database administrators must handle transfer of ownership or cleanup for deleted principals.

Prerequisites

An Azure subscription
- If you don't have an Azure subscription, create a free account

An existing Azure DocumentDB cluster
- If you don't have a cluster, create a new cluster

One or more existing identities in Microsoft Entra ID.

Use the Bash environment in Azure Cloud Shell. For more information, see Get started with Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
- If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Authenticate to Azure using Azure CLI.
- When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use and manage extensions with the Azure CLI.
- Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

Terraform 1.2.0 or later.

Manage Azure role-based access control

Azure role-based access control refers to the ability to manage resources for an Azure service without managing data. For example, role-based access for Azure DocumentDB clusters could include the ability to:

Read all account and resource metadata
Read and regenerate connection strings
Manage databases and collections
Modify account properties

Azure DocumentDB supports Azure role-based access control for mongoCluster resource type. The following actions for mongoCluster resource type are available in Azure role-based access control for individual assignments and custom role-based access control role creation:

	Description
`Microsoft.DocumentDB/mongoClusters/read`	Reads a `mongoCluster` resource or list all `mongoCluster` resources.
`Microsoft.DocumentDB/mongoClusters/write`	Create or Update the properties or tags of the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/delete`	Deletes the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/PrivateEndpointConnectionsApproval/action`	Manage a private endpoint connection of `mongoCluster` resource
`Microsoft.DocumentDB/mongoClusters/listConnectionStrings/action`	List connection strings for a given `mongoCluster` resource
`Microsoft.DocumentDB/mongoClusters/firewallRules/read`	Reads a firewall rule or lists all firewall rules for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/firewallRules/write`	Create or Update a firewall rule on a specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/firewallRules/delete`	Deletes an existing firewall rule for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/privateEndpointConnectionProxies/read`	Reads a private endpoint connection proxy for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/privateEndpointConnectionProxies/write`	Create or Update a private endpoint connection proxy on a specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/privateEndpointConnectionProxies/delete`	Deletes an existing private endpoint connection proxy for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/privateEndpointConnectionProxies/validate/action`	Validates private endpoint connection proxy for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/privateEndpointConnections/read`	Reads a private endpoint connection or lists all private endpoint connection for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/privateEndpointConnections/write`	Create or Update a private endpoint connection on a specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/privateEndpointConnections/delete`	Deletes an existing private endpoint connection for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/privateLinkResources/read`	Reads a private link resource or lists all private link resource for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/users/read`	Reads a user or lists all users for the specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/users/write`	Create or Update a user on a specified `mongoCluster` resource.
`Microsoft.DocumentDB/mongoClusters/users/delete`	Deletes an existing user for the specified `mongoCluster` resource.

Open a new terminal.
Sign in to Azure CLI.
Use az group show to get the metadata for your current resource group.
```
az group show \
    --name "<name-of-existing-resource-group>"
```
Observe the output of the previous command. Record the value of the id property for this resource group as it is required to use in the next step.
```
{
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example",
  "location": "westus",
  "name": "msdocs-identity-example",
  "type": "Microsoft.Resources/resourceGroups"
}
```
Note

In this example, the id value would be /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example. This example uses fictitious data and your identifier would be distinct from this example. This string is a truncated example of the output.
Create a new JSON file named role-definition.json. In the file, create this resource definition specifying the values listed here. For the AssignableScopes list, add the id property of the resource group recorded in the previous step.
```
{
  "Name": "Azure DocumentDB RBAC Owner",
  "IsCustom": true,
  "Description": "Can perform all Azure role-based access control actions for Azure DocumentDB clusters.",
  "Actions": [
    "Microsoft.DocumentDb/mongoClusters/*"
  ],
  "AssignableScopes": [
    "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example"
  ]
}
```
Note

This example uses the /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example value recorded from the previous step. Your actual resource identifier could be different.
Create a new role definition using az role definition create. Use the role-definition.json file as the input for the --role-definition argument.
```
az role definition create \
    --role-definition role-definition.json
```

Review the output from the definition creation command. The output contains the unique identifier of the role definition in the id property. Record this value as it is required to use in the assignment step later in this guide.

{
  "assignableScopes": [
    "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example"
  ],
  "description": "Can perform all Azure role-based access control actions for Azure DocumentDB clusters.",
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example/providers/Microsoft.Authorization/roleDefinitions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
  "name": "e4e4e4e4-ffff-aaaa-bbbb-c5c5c5c5c5c5",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDb/*"
      ]
    }
  ],
  "roleName": "Azure DocumentDB RBAC Owner",
  "roleType": "CustomRole"
}

Note

In this example, the id value would be /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example/providers/Microsoft.Authorization/roleDefinitions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1. This example uses fictitious data and your identifier would be distinct from this example. This example is a subset of the typical JSON outputted from the deployment for clarity.

Open a new terminal.
Sign in to Azure CLI.

Create a new Bicep file to define your role definition. Name the file control-plane-role-definition.bicep. Add these actions to the definition:

	Description
*`Microsoft.DocumentDb/mongoClusters/`**	Enables all possible actions.

metadata description = 'Create RBAC definition for Azure role-based access control access to Azure DocumentDB.'

@description('Name of the role definition.')
param roleDefinitionName string = 'Azure DocumentDB RBAC Owner'

@description('Description of the role definition.')
param roleDefinitionDescription string = 'Can perform all Azure role-based access control actions for Azure DocumentDB clusters.'

resource definition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid(subscription().id, resourceGroup().id, roleDefinitionName)
  scope: resourceGroup()
  properties: {
    roleName: roleDefinitionName
    description: roleDefinitionDescription
    type: 'CustomRole'
    permissions: [
      {
        actions: [
          'Microsoft.DocumentDb/mongoClusters/*'
        ]
      }
    ]
    assignableScopes: [
      resourceGroup().id
    ]
  }
}

output definitionId string = definition.id

Deploy the Bicep template using az deployment group create. Specify the name of the Bicep template and Azure resource group.

az deployment group create \
    --resource-group "<name-of-existing-resource-group>" \
    --template-file control-plane-role-definition.bicep

Review the output from the deployment. The output contains the unique identifier of the role definition in the properties.outputs.definitionId.value property. Record this value as it is required to use in the assignment step later in this guide.
```
{
  "properties": {
    "outputs": {
      "definitionId": {
        "type": "String",
        "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example/providers/Microsoft.Authorization/roleDefinitions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1"
      }
    }
  }
}
```
Note

In this example, the id value would be /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/msdocs-identity-example/providers/Microsoft.Authorization/roleDefinitions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1. This example uses fictitious data and your identifier would be distinct from this example. This example is a subset of the typical JSON outputted from the deployment for clarity.

Create a new Bicep file to define your role assignment. Name the file control-plane-role-assignment.bicep.

metadata description = 'Assign RBAC role for Azure role-based access control access to Azure DocumentDB.'

@description('Id of the role definition to assign to the targeted principal in the context of the cluster.')
param roleDefinitionId string

@description('Id of the identity/principal to assign this role in the context of the cluster.')
param identityId string

resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, resourceGroup().id, roleDefinitionId, identityId)
  scope: resourceGroup()
  properties: {
    roleDefinitionId: roleDefinitionId
    principalId: identityId
  }
}

Create a new Bicep parameters file named control-plane-role-assignment.bicepparam. In this parameters file; assign the previously recorded role definition identifiers to the roleDefinitionId parameter, and the unique identifier for your identity to the identityId parameter.
```
using './control-plane-role-assignment.bicep'

param roleDefinitionId = '<id-of-new-role-definition>'
param identityId = '<id-of-existing-identity>'
```

Deploy this Bicep template using az deployment group create.

az deployment group create \
    --resource-group "<name-of-existing-resource-group>" \
    --parameters control-plane-role-assignment.bicepparam \
    --template-file control-plane-role-assignment.bicep

Sign in to the Azure portal (https://portal.azure.com).
Enter Resource group in the global search bar.
Within Services, select Resource groups.
In the Resource groups pane, select your existing resource group.
Within the pane for the resource group, select Access control (IAM) in the service menu.
In the Access control (IAM) pane, select Add. Then select Add custom role.

Within the Basics pane, configure the following options, and then select Next:

	Value
Custom role name	`Azure DocumentDB RBAC Owner`
Description	`Can perform all Azure role-based access control actions for Azure DocumentDB clusters.`
Baseline permissions	Start from scratch

In the Permissions pane, select Add permissions. Then, search for DocumentDB in the permissions dialog. Finally, select the Microsoft.DocumentDB/mongoClusters option.
In the permissions dialog, select all Actions for Microsoft.DocumentDB/mongoClusters. Then, select Add to return to the *Permissions pane.
Back in the Permissions pane, observe the list of permissions. Then, select Review + create.
In the Review + create pane, review the specified options for the new role definition. Finally, select Create.
Wait for the portal to finish creating the role definition.
In the Access control (IAM) pane, select Add and then Add role assignment.
In the Role pane, search for Azure DocumentDB and then select the Azure DocumentDB RBAC Owner role created earlier in this guide. Then, select Next.

Tip

You can optionally filter the list of roles to only include custom roles.
In the Members pane, select the Select members option. In the members dialog, select the identity you wish to grant this level of access for your Azure DocumentDB clusters and then use the Select option to confirm your choice.
Back in the Members pane, review the selected member[s] and then select Review + assign.
In the Review + assign pane, review the specified options for the new role assignment. Finally, select Review + assign.
Wait for the portal to finish creating the role assignment.

Open a new terminal.
Sign in to Azure CLI.
Check your target Azure subscription.
```
az account show
```

Create a new Terraform file to define your role definition. Name the file control-plane-role-definition.tf. Add these actions to the definition:

	Description
*`Microsoft.DocumentDb/mongoClusters/`**	Enables all possible actions.

variable "role_definition_name" {
  type        = string
  description = "Name of the role definition."
  default     = "Azure DocumentDB RBAC Owner"
}

variable "role_definition_description" {
  type        = string
  description = "Description of the role definition."
  default     = "Can perform all Azure role-based access control actions for Azure DocumentDB clusters."
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "existing" {
  name = "<name-of-existing-resource-group>"
}

resource "azurerm_role_definition" "control_plane" {
  name               = var.role_definition_name
  scope              = data.azurerm_resource_group.existing.id
  description        = var.role_definition_description

  permissions {
    actions = [
      "Microsoft.DocumentDb/mongoClusters/*"
    ]
  }

  assignable_scopes = [
    data.azurerm_resource_group.existing.id
  ]
}

output "definition_id" {
  value = azurerm_role_definition.control_plane.id
}

Initialize the Terraform deployment.
```
terraform init --upgrade
```

Create an execution plan for the role definition and save it to a file named role-definition.tfplan.

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform plan --out "role-definition.tfplan"

Apply the execution plan to deploy the role definition to Azure.

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform apply "role-definition.tfplan"

Review the output from the deployment. The output contains the unique identifier of the role definition in the definition_id property. Record this value as it is required to use in the assignment step later in this guide.

Create a new Terraform file to define your role assignment. Name the file control-plane-role-assignment.tf.

variable "role_definition_id" {
  type        = string
  description = "Id of the role definition to assign to the targeted principal in the context of the cluster."
}

variable "identity_id" {
  type        = string
  description = "Id of the identity/principal to assign this role in the context of the cluster."
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "existing" {
  name = "<name-of-existing-resource-group>"
}

resource "azurerm_role_assignment" "control_plane" {
  scope              = data.azurerm_resource_group.existing.id
  role_definition_id = var.role_definition_id
  principal_id       = var.identity_id
}

Create a new Terraform variables file named control-plane-role-assignment.tfvars. In this variables file; assign the previously recorded role definition identifiers to the role_definition_id variable, and the unique identifier for your identity to the identity_id variable.
```
role_definition_id = "<id-of-new-role-definition>"
identity_id        = "<id-of-existing-identity>"
```

Initialize and apply this Terraform configuration.

terraform init --upgrade

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform plan --var-file="control-plane-role-assignment.tfvars" --out "role-assignment.tfplan"

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform apply "role-assignment.tfplan"

Enable Microsoft Entra ID authentication

When you create an Azure DocumentDB cluster, the cluster is configured to solely use native authentication by default. To enable authentication using Microsoft Entra ID, turn on the Microsoft Entra ID authentication method and add Microsoft Entra ID identities to the cluster.

Get the details for the currently logged-in account using az ad signed-in-user.
```
az ad signed-in-user show
```

The command outputs a JSON response containing various fields.

{
  "@odata.context": "<https://graph.microsoft.com/v1.0/$metadata#users/$entity>",
  "businessPhones": [],
  "displayName": "Kai Carter",
  "givenName": "Kai",
  "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
  "jobTitle": "Senior Sales Representative",
  "mail": "<kai@adventure-works.com>",
  "mobilePhone": null,
  "officeLocation": "Redmond",
  "preferredLanguage": null,
  "surname": "Carter",
  "userPrincipalName": "<kai@adventure-works.com>"
}

Tip

Record the value of the id field. In this example, that value would be aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb. This value can then be used in various scripts to grant your current account role-based access control permissions to Azure resources. If you're using a managed identity instead, you can obtain the id for that managed identity by using the az identity show command.

Enable Microsoft Entra ID authentication on the cluster by updating the cluster resource to include MicrosoftEntraID in the authConfig.allowedModes array:

az resource patch \
    --resource-group "<resource-group>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --properties '{"authConfig":{"allowedModes":["MicrosoftEntraID","NativeAuth"]}}' \
    --latest-include-preview

Note

Replace <resource-group> and <cluster-name> with your values.

Verify the change was applied by reading the authConfig property on the cluster using az resource show.
```
az resource show \
    --resource-group "<resource-group>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --query "properties.authConfig" \
    --latest-include-preview
```
Note

The output should include the allowedModes list. If Microsoft Entra ID was enabled successfully, the array contains both NativeAuth and MicrosoftEntraID.

(Optional) Get the unique identifier for the Microsoft Entra principal you plan to register on the cluster. You can obtain it with the Azure CLI using one of the following commands:
- Current signed-in identity
```
az ad signed-in-user show      
```
- Another human identity using friendly name
```
az ad user show \
  --id "<user-alias-and-domain>"
```
- Service principal using app identifier
```
az ad sp show \
  --id "<application-id>"
```
- Managed identity using resource group and name
```
az identity show \
  --resource-group "<resource-group>" \
  --name "<managed-identity-name>"      
```

Create a small Bicep template that updates the cluster authConfig to include Microsoft Entra ID (save as enable-entra-id.bicep):

param clusterName string
param location string = resourceGroup().location

resource cluster 'Microsoft.DocumentDB/mongoClusters@2025-09-01' = {
  name: clusterName
  location: location
  properties: {
    authConfig: {
      allowedModes: [
        'MicrosoftEntraID'
        'NativeAuth'
      ]
    }
  }
}

Deploy the template to update the cluster:

az deployment group create \
    --resource-group "<resource-group>" \
    --template-file enable-entra-id.bicep \
    --parameters clusterName="<cluster-name>"

Verify the authConfig property on the cluster by using az resource show.
```
az resource show \
    --resource-group "<resource-group>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --query "properties.authConfig" \
    --latest-include-preview
```
Note

The output should include the allowedModes list. If Microsoft Entra ID was enabled successfully, the array contains both NativeAuth and MicrosoftEntraID.

On the Home pane of the Azure portal, locate and select the Microsoft Entra ID option.

Tip

If this option isn't listed, select More services and then search for Microsoft Entra ID using the search term "Entra".
Within the Overview pane for the Microsoft Entra ID tenant, select Users inside the Manage section of the service menu.
In the list of users, select the identity (user) that you want to get more details about.

Note

This screenshot illustrates an example user named "Kai Carter" with a principal of kai@adventure-works.com.
On the details pane for the specific user, observe the value of the Object ID property.

Tip

Record the value of the Object ID property. In this example, that value would be aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb. This value can then be used in various scripts to grant your current account role-based access control permissions to Azure resources. The steps are similar if you're using a managed identity.
Navigate to the existing Azure DocumentDB cluster resource.
In the cluster menu, under Settings, select Authentication.
In the Authentication methods section, select Native DocumentDB and Microsoft Entra ID to enable Microsoft Entra ID authentication alongside native authentication.
Select Save to persist the change.
The Authentication methods section should now list both NativeAuth and MicrosoftEntraID as enabled methods.

(Optional) Get the unique identifier for the Microsoft Entra principal you plan to register on the cluster. You can obtain it with the Azure CLI using one of the following commands:
- Current signed-in identity
```
az ad signed-in-user show      
```
- Another human identity using friendly name
```
az ad user show \
  --id "<user-alias-and-domain>"
```
- Service principal using app identifier
```
az ad sp show \
  --id "<application-id>"
```
- Managed identity using resource group and name
```
az identity show \
  --resource-group "<resource-group>" \
  --name "<managed-identity-name>"      
```

Create a Terraform configuration file to enable Microsoft Entra ID authentication on your existing cluster. Save the file as enable-entra-id.tf:

variable "cluster_name" {
  type        = string
  description = "Name of the existing cluster"
}

variable "resource_group_name" {
  type        = string
  description = "Name of the existing resource group"
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "existing" {
  name = var.resource_group_name
}

data "azurerm_mongo_cluster" "existing" {
  name                = var.cluster_name
  resource_group_name = data.azurerm_resource_group.existing.name
}

resource "azurerm_mongo_cluster" "enable_entra" {
  name                   = data.azurerm_mongo_cluster.existing.name
  resource_group_name    = data.azurerm_resource_group.existing.name
  location               = data.azurerm_mongo_cluster.existing.location
  administrator_username = data.azurerm_mongo_cluster.existing.administrator_username
  administrator_password = data.azurerm_mongo_cluster.existing.administrator_password
  shard_count            = data.azurerm_mongo_cluster.existing.shard_count
  compute_tier           = data.azurerm_mongo_cluster.existing.compute_tier
  high_availability_mode = data.azurerm_mongo_cluster.existing.high_availability_mode
  storage_size_in_gb     = data.azurerm_mongo_cluster.existing.storage_size_in_gb
  version                = data.azurerm_mongo_cluster.existing.version

  # Enable both Microsoft Entra ID and Native authentication
  authentication_enabled = true
}

Tip

For more information on options using the azurerm_mongo_cluster resource, see azurerm provider documentation in Terraform Registry.

Create a variables file named enable-entra-id.tfvars with your cluster details:

cluster_name        = "<cluster-name>"
resource_group_name = "<resource-group>"

Initialize and apply the Terraform configuration to enable Microsoft Entra ID authentication:

terraform init --upgrade

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform plan --var-file="enable-entra-id.tfvars" --out "enable-entra.tfplan"

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform apply "enable-entra.tfplan"

Verify the authConfig property on the cluster by using az resource show.
```
az resource show \
    --resource-group "<resource-group>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --query "properties.authConfig" \
    --latest-include-preview
```
Note

The output should include the allowedModes list. If Microsoft Entra ID was enabled successfully, the array contains both NativeAuth and MicrosoftEntraID.

Manage DocumentDB administrative Microsoft Entra ID identities and native users

When Microsoft Entra ID authentication is enabled on an Azure DocumetnDB cluster, you can add one or more Microsoft Entra ID principals as administrator users to that cluster. The Microsoft Entra ID administrator can be a Microsoft Entra ID user, a service principal, or a managed identity. Multiple Microsoft Entra ID administrators can be configured at any time.

Administrative Entra ID users are created as Azure entities under Microsoft.DocumentDB/mongoClusters/users and are replicated to the database.

Additionally, one or more nonadministrative Microsoft Entra ID users can be added to a cluster at any time once Microsoft Entra ID authentication is enabled. Nonadministrative users are often used for ongoing production tasks that don't require administrative privileges.

For Azure DocumentDB, this access is granted by registering Microsoft Entra principals on the cluster and mapping them to MongoDB database roles (for example, readWrite on a database or root on the admin database). Registered principals are created as Azure resources of type Microsoft.DocumentDB/mongoClusters/users whose names take the form <cluster-name>/users/<principal-id>.

Administrative users have full privileges to manage the cluster and its data, including complete user management capabilities. Nonadministrative users can be granted either read-write or read-only permissions on the cluster through specific MongoDB database roles. The readWriteAnyDatabase and clusterAdmin roles together grant full read-write permissions on the cluster, including privileges for database management and database operations. The readAnyDatabase role is used to grant read-only permissions on the cluster. You can't assign readWriteAnyDatabase and clusterAdmin roles separately - they must be granted together for full read-write access.

Nonadministrative (secondary) users and security principals are granted limited user management permissions on the cluster, as described in the following table:

Security provider	Role	CreateUser	DeleteUser	UpdateUser	ListUser
Microsoft Entra ID	Read-write (readWriteAnyDatabase, clusterAdmin)	❌	❌	❌	✔️
Microsoft Entra ID	Read-only (readAnyDatabase)	❌	❌	❌	✔️
Native DocumentDB	Read-write (readWriteAnyDatabase, clusterAdmin)	❌	❌	Only to change their own password	✔️
Native DocumentDB	Read-only (readAnyDatabase)	❌	❌	Only to change their own password	✔️

Get the unique identifier (object ID) of the Microsoft Entra principal you want to grant access to using one of the following commands:
- Current signed-in identity
```
az ad signed-in-user show      
```
- Another human identity using friendly name
```
az ad user show \
  --id "<user-alias-and-domain>"
```
- Service principal using app identifier
```
az ad sp show \
  --id "<application-id>"
```
- Managed identity using resource group and name
```
az identity show \
  --resource-group "<resource-group>" \
  --name "<managed-identity-name>"      
```

Register the principal on the cluster and map it to MongoDB database roles. The following example registers a principal as a readWrite user on the sales database:

az resource create \
    --resource-group "<resource-group>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --location "<cluster-region>" \
    --properties '{"identityProvider":{"type":"MicrosoftEntraID","properties":{"principalType":"User"}},"roles":[{"db":"sales","role":"readWrite"}]}' \
    --latest-include-preview

Replace principalType with servicePrincipal for app/service principals or ManagedIdentity for managed identities.
To grant administrative privileges, use {"db":"admin","role":"root"} in the roles array.

List all registered principals and their mapped roles (cluster-level view):

az rest \
    --method "GET" \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users?api-version=2025-09-01"

The response contains an array of user resources, each with identityProvider metadata and a roles array showing mapped database roles.

Get details for a specific registered principal (replace <principal-id>):

az resource show \
    --resource-group "<resource-group>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --latest-include-preview

Remove a registered principal (revoke data-plane access):

az resource delete \
    --resource-group "<resource-group>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --latest-include-preview

Create a Bicep file (for example register-principal.bicep) to register the principal and map database roles:

param clusterName string
param principalId string
param location string = resourceGroup().location
param principalType string = 'User'
param roles array = [
  {
    db: 'sales'
    role: 'readWrite'
  }
]

resource user 'Microsoft.DocumentDB/mongoClusters/users@2025-09-01' = {
  name: '${clusterName}/users/${principalId}'
  location: location
  properties: {
    identityProvider: {
      type: 'Microsoft.EntraID'
      properties: {
        principalType: principalType
      }
    }
    roles: roles
  }
}

Deploy the Bicep template to register the principal:

az deployment group create \
    --resource-group "<resource-group>" \
    --template-file register-principal.bicep \
    --parameters clusterName="<cluster-name>" principalId="<principal-id>"

List all registered principals for the cluster using the REST API (useful after Bicep deployment):

az rest \
    --method GET \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users?api-version=2025-09-01"

Get details for a specific registered principal created by Bicep (replace <principal-id>):

az resource show \
    --resource-group "<resource-group>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --latest-include-preview

Remove the principal by deleting the resource (or deploy a template without the user resource):

az resource delete \
    --resource-group "<resource-group>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --latest-include-preview

Open the target Azure DocumentDB cluster in the Azure portal.
Under Settings, select Authentication.
In the Microsoft Entra ID authentication section, the portal lists the registered Microsoft Entra principals by object ID. Use this view to:
- Scan the list for expected object identifiers.
- Inspect the details for a single principal by selecting a listed entry (or use the portal's search feature).
- Use the Remove action next to an entry to immediately revoke that principal's data-plane access.
To get friendly names for object identifiers shown in the portal list, use the Users page within the Microsoft Entra ID section. Then, search by object ID or friendly name.

Get the unique identifier (object ID) of the Microsoft Entra principal you want to grant access to using one of the following commands:
- Current signed-in identity
```
az ad signed-in-user show      
```
- Another human identity using friendly name
```
az ad user show \
  --id "<user-alias-and-domain>"
```
- Service principal using app identifier
```
az ad sp show \
  --id "<application-id>"
```
- Managed identity using resource group and name
```
az identity show \
  --resource-group "<resource-group>" \
  --name "<managed-identity-name>"      
```

Create a Terraform file (for example register-principal.tf) to register the principal and map database roles using the AzAPI provider:

variable "cluster_name" {
  type        = string
  description = "Name of the existing cluster"
}

variable "resource_group_name" {
  type        = string
  description = "Name of the existing resource group"
}

variable "principal_id" {
  type        = string
  description = "Object ID of the Microsoft Entra principal"
}

variable "principal_type" {
  type        = string
  description = "Type of principal: User, ServicePrincipal, or ManagedIdentity"
  default     = "User"
}

variable "roles" {
  type = list(object({
    db   = string
    role = string
  }))
  description = "Database roles to assign"
  default = [
    {
      db   = "sales"
      role = "readWrite"
    }
  ]
}

terraform {
  required_providers {
    azapi = {
      source  = "azure/azapi"
      version = "~> 2.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azapi" {}

data "azurerm_resource_group" "existing" {
  name = var.resource_group_name
}

data "azurerm_mongo_cluster" "existing" {
  name                = var.cluster_name
  resource_group_name = var.resource_group_name
}

resource "azapi_resource" "mongo_cluster_user" {
  type      = "Microsoft.DocumentDB/mongoClusters/users@2025-09-01"
  name      = var.principal_id
  parent_id = data.azurerm_mongo_cluster.existing.id
  location  = data.azurerm_resource_group.existing.location

  body = {
    properties = {
      identityProvider = {
        type = "MicrosoftEntraID"
        properties = {
          principalType = var.principal_type
        }
      }
      roles = var.roles
    }
  }
}

Tip

For more information on the AzAPI provider, see Azure AzAPI Provider documentation.

Replace principalType with servicePrincipal for app/service principals or ManagedIdentity for managed identities.
To grant administrative privileges, use {"db":"admin","role":"root"} in the roles array.

Create a variables file named register-principal.tfvars:

cluster_name        = "<cluster-name>"
resource_group_name = "<resource-group>"
principal_id        = "<principal-id>"
principal_type      = "User"
roles = [
  {
    db   = "sales"
    role = "readWrite"
  }
]

Initialize and apply the Terraform configuration to register the principal:

terraform init --upgrade

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform plan --var-file="register-principal.tfvars" --out "register-principal.tfplan"

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform apply "register-principal.tfplan"

List all registered principals for the cluster using the REST API (useful after Terraform deployment):

az rest \
    --method GET \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users?api-version=2025-09-01"

Get details for a specific registered principal created by Terraform (replace <principal-id>):

az resource show \
    --resource-group "<resource-group>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --latest-include-preview

Remove the principal by destroying the Terraform resource:

ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv) terraform destroy --var-file="register-principal.tfvars"

Note

An Azure DocumentDB cluster is created with one built-in administrative native DocumentDB user. You can add more native administrative DocumentDB users after cluster provisioning is completed. Microsoft Entra ID administrative users added to the cluster are going to be in addition to native administrative DocumentDB users defined on the same cluster. All administrative Microsoft Entra ID identities are replicated to the database.

Nonadministrative Microsoft Entra ID identities are created in the database. When you list nonadministrative users in the database, the list contains all administrative and nonadministrative Microsoft Entra ID identities and all secondary (nonadministrative) native DocumentDB users.

Get cluster credentials

You can connect to the cluster using either a connection URI or a custom settings object from the driver for your preferred language. In either option, the scheme must be set to mongodb+srv to connect to the cluster. The host is at either the *.global.mongocluster.cosmos.azure.com or *.mongocluster.cosmos.azure.com domain depending on whether you're using the current cluster or global read-write endpoint. The +srv scheme and the *.global.* host ensures that your client is dynamically connected to the appropriate writable cluster in a multi-cluster configuration even if a region swap operation occurs. In a single-cluster configuration, you can use either connection string indiscriminately.

The tls setting must also be enabled. The remaining recommended settings are best practice configuration settings.

Option	Value
`scheme`	`mongodb+srv`
`host`	`<cluster-name>.global.mongocluster.cosmos.azure.com` or `<cluster-name>.mongocluster.cosmos.azure.com`
`tls`	`true`
`authMechanism`	`MONGODB-OIDC`
`retrywrites`	`false`
`maxIdleTimeMS`	`120000`

Important

Use the Azure portal to get the connection string.

Navigate to the Azure DocumentDB cluster.
Select the Connection strings navigation menu option.
Copy or record the value from the Connection string field.

Tip

Microsoft Entra ID connection strings are in the Microsoft Entra ID section.

Connect using Microsoft Entra ID in MongoDB Shell

Use a client device with the MongoDB Shell installed to connect to your Azure DocumentDB cluster using a Microsoft Entra ID identity.

Open a terminal on a client with MongoDB shell installed.
Get the name of your Azure DocumentDB cluster and the client ID for the target identity.

Connect by using the following connection string:

mongosh "mongodb+srv://<client-id>@<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000"

Connect using Microsoft Entra ID in Visual Studio Code

Use Visual Studio Code with the DocumentDB extension to connect to your Azure DocumentDB cluster using a Microsoft Entra ID identity.

Important

When you authenticate to an Azure DocumentDB cluster using Microsoft Entra ID in Visual Studio Code with DocumentDB extension, shell functionality isn't supported. If you need to use MongoDB shell with Microsoft Entra ID authentication, use MongoDB Shell directly on a client machine.

Open Visual Studio Code.
Navigate the DocumentDB extension in the side bar.
In the Connections section, select + New Connection....
In the connection type dialog, select Connection String.

Use the following connection string:

mongodb+srv://<client-id>@<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000

Wait for the automatic prompt to use Microsoft Entra ID authentication. Enter the appropriate credentials for your identity type.

Note

For example, if you're signing in using your own identity (a human identity), use the passwordless authentication experience.
Wait for the connection to finalize. A new DocumentDB entry is then added to the Connections section for the cluster.

Connect using Microsoft Entra ID in MongoDB Compass

Connect to your Azure DocumentDB cluster using a Microsoft Entra ID identity directly with the MongoDB Compass application.

Start the MongoDB Compass application.
Select + in the Connections menu to add a new connection.
Toggle the Edit Connection String setting to enable in the New Connection dialog.

Enter the following connection string into the URI input box.

mongodb+srv://<client-id>@<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000

Now, open the Advanced Connection Options dialog.
In the General section, select mongodb+srv for the Connection String Scheme.
Next, navigate to the Authentication section.
Ensure that the OIDC option is selected.
Now, navigate to the OIDC Options section.
Ensure that the Consider Target Endpoint Trusted option is also selected.
Select Save & Connect.

Manage DocumentDB secondary (nonadministrative) Microsoft Entra ID identities

Sign in to the cluster with an administrative Microsoft Entra ID identity to perform management operations for nonadministrative Microsoft Entra ID identities.

Note

All management commands for nonadministrative users are supported for SecurityPrincipal and user principal types.

Add a nonadministrative Microsoft Entra ID identity with read-write permissions on the cluster using the createUser command:

db.runCommand(
  {
    createUser: "<entra-id-unique-identifier>",
    roles: [
      { role: "clusterAdmin", db: "admin" },
      { role: "readWriteAnyDatabase", db: "admin" }
    ],
    customData: { "IdentityProvider": { "type": "MicrosoftEntraID", "properties": { "principalType": "user" } } }
  }
)

Add a nonadministrative Microsoft Entra ID identity with read-only permissions on the cluster with createUser and a different set of roles.

db.runCommand(
  {
    createUser: "<entra-id-unique-identifier>",
    roles: [
      { role: "readAnyDatabase", db: "admin" }
    ],
    customData: { "IdentityProvider": { "type": "MicrosoftEntraID", "properties": { "principalType": "user" } } }
  }
)

Remove a nonadministrative Microsoft Entra ID identity from the cluster with the dropUser command.
```
db.runCommand(
  {
    dropUser: "<entra-id-unique-identifier>"
  }
)
```
List all Microsoft Entra ID and native DocumentDB users on the cluster using userInfo.
```
db.runCommand(
  {
    usersInfo: 1
  }
)
```
Note

All Microsoft Entra ID and native DocumentDB administrative users are replicated to the database. Because of this replication, the list of users include all administrative and nonadministrative Microsoft Entra ID and native DocumentDB users on the cluster.

Connect using Microsoft Entra ID in code

Validate that you correctly granted access using application code and the appropriate client library for your preferred language.

class AzureIdentityTokenCallback(OIDCCallback):
    def __init__(self, credential):
        self.credential = credential

    def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
        token = self.credential.get_token(
            "https://ossrdbms-aad.database.windows.net/.default").token
        return OIDCCallbackResult(access_token=token)

clusterName = "<cluster-name>"

credential = DefaultAzureCredential()
authProperties = {"OIDC_CALLBACK": AzureIdentityTokenCallback(credential)}

client = MongoClient(
  f"mongodb+srv://{clusterName}.global.mongocluster.cosmos.azure.com/",
  connectTimeoutMS=120000,
  tls=True,
  retryWrites=True,
  authMechanism="MONGODB-OIDC",
  authMechanismProperties=authProperties
)

const AzureIdentityTokenCallback = async (params: OIDCCallbackParams, credential: TokenCredential): Promise<OIDCResponse> => {
  const tokenResponse: AccessToken | null = await credential.getToken(['https://ossrdbms-aad.database.windows.net/.default']);
  return {
      accessToken: tokenResponse?.token || '',
      expiresInSeconds: (tokenResponse?.expiresOnTimestamp || 0) - Math.floor(Date.now() / 1000)
  };
};

const clusterName: string = '<cluster-name>';

const credential: TokenCredential = new DefaultAzureCredential();

const client = new MongoClient(
    `mongodb+srv://${clusterName}.global.mongocluster.cosmos.azure.com/`, {
    connectTimeoutMS: 120000,
    tls: true,
    retryWrites: true,
    authMechanism: 'MONGODB-OIDC',
    authMechanismProperties: {
        OIDC_CALLBACK: (params: OIDCCallbackParams) => AzureIdentityTokenCallback(params, credential),
        ALLOWED_HOSTS: ['*.azure.com']
    }
  }
);

string tenantId = "<microsoft-entra-tenant-id>";
string clusterName = "<cluster-name>";

DefaultAzureCredential credential = new();
AzureIdentityTokenHandler tokenHandler = new(credential, tenantId);

MongoUrl url = MongoUrl.Create($"mongodb+srv://{clusterName}.global.mongocluster.cosmos.azure.com/");
MongoClientSettings settings = MongoClientSettings.FromUrl(url);
settings.UseTls = true;
settings.RetryWrites = false;
settings.MaxConnectionIdleTime = TimeSpan.FromMinutes(2);
settings.Credential = MongoCredential.CreateOidcCredential(tokenHandler);
settings.Freeze();

MongoClient client = new(settings);

internal sealed class AzureIdentityTokenHandler(
    TokenCredential credential,
    string tenantId
) : IOidcCallback
{
    private readonly string[] scopes = ["https://ossrdbms-aad.database.windows.net/.default"];

    public OidcAccessToken GetOidcAccessToken(OidcCallbackParameters parameters, CancellationToken cancellationToken)
    {
        AccessToken token = credential.GetToken(
            new TokenRequestContext(scopes, tenantId: tenantId),
            cancellationToken
        );

        return new OidcAccessToken(token.Token, token.ExpiresOn - DateTimeOffset.UtcNow);
    }

    public async Task<OidcAccessToken> GetOidcAccessTokenAsync(OidcCallbackParameters parameters, CancellationToken cancellationToken)
    {
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(scopes, parentRequestId: null, tenantId: tenantId),
            cancellationToken
        );

        return new OidcAccessToken(token.Token, token.ExpiresOn - DateTimeOffset.UtcNow);
    }
}

Feedback

Was this page helpful?

Last updated on 2025-11-18

Share via

Connect to Azure DocumentDB using role-based access control and Microsoft Entra ID

Prerequisites

Manage Azure role-based access control

Enable Microsoft Entra ID authentication

Manage DocumentDB administrative Microsoft Entra ID identities and native users

Get cluster credentials

Connect using Microsoft Entra ID in MongoDB Shell

Connect using Microsoft Entra ID in Visual Studio Code

Connect using Microsoft Entra ID in MongoDB Compass

Manage DocumentDB secondary (nonadministrative) Microsoft Entra ID identities

Connect using Microsoft Entra ID in code

Related content

Feedback

Additional resources