
# Cosmos DB NoSQL API account access keys are enabled

Security · Cosmos DB · Rule · 2024_06 · Critical

Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.

## Description

Every request to a Cosmos DB Account resource must be authenticated. Cosmos DB supports authenticating requests using either Entra ID (previously Azure AD) identities or local authentication. Local authentication uses account keys that are granted permissions to the entire Cosmos DB Account.

Using Entra ID provides consistency as a single authoritative source which:

  • Increases clarity and reduces security risks from human errors and configuration complexity.
  • Allows granting of permissions using role-based access control (RBAC).
  • Provides support for advanced identity security and governance features.

Disabling local authentication ensures that Entra ID is used exclusively for authentication. Any subsequent requests to the resource using account keys will be rejected.

This rule applies only to Cosmos DB accounts using the NoSQL API. Enforcing role-based access control as the only authentication method is currently only supported for the NoSQL API.

## Recommendation

Consider disabling local authentication on Cosmos DB NoSQL API accounts and using Entra ID.

## Examples

### Configure with Bicep

To deploy database accounts that pass this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

```bicep
resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = {
  name: name
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    disableLocalAuth: true
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: true
      }
    ]
  }
}
```

#### Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/document-db/database-account:<version>

To use the latest version:

br/public:avm/res/document-db/database-account:0.9.0

### Configure with Azure template

To deploy database accounts that pass this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

```json
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2025-04-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "kind": "GlobalDocumentDB",
  "properties": {
    "disableLocalAuth": true,
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": true
      }
    ]
  }
}
```
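The rule's scope (NoSQL API accounts only) and its pass condition (`properties.disableLocalAuth` set to `true`) can be checked offline before a template is deployed. The following Python script is an added example, not PSRule's own implementation of this rule: it walks the `resources` array of an ARM template such as the one above, selects `Microsoft.DocumentDB/databaseAccounts` resources that use the NoSQL API, and reports whether key-based authentication is still enabled. It assumes that `kind` defaults to `GlobalDocumentDB` when omitted and that the `EnableCassandra`, `EnableGremlin` and `EnableTable` capabilities mark an account as using a non-NoSQL API; the sample template embedded in the script is constructed for the example.

```python
"""Flag Cosmos DB NoSQL API accounts in an ARM template that still allow
key-based (local) authentication.

Added example; a simplified reimplementation of the rule's intent, not the
PSRule for Azure rule itself.
"""
import json

# Assumption: these capability names select the Cassandra, Gremlin and Table
# APIs on a GlobalDocumentDB account, which places the account out of scope.
NON_NOSQL_CAPABILITIES = {"EnableCassandra", "EnableGremlin", "EnableTable"}


def is_nosql_account(resource: dict) -> bool:
    """True when the resource is a Cosmos DB account using the NoSQL API."""
    if resource.get("type", "").lower() != "microsoft.documentdb/databaseaccounts":
        return False
    # Assumption: an omitted kind defaults to GlobalDocumentDB.
    # Other kinds (for example MongoDB) are different APIs and out of scope.
    if resource.get("kind", "GlobalDocumentDB") != "GlobalDocumentDB":
        return False
    capabilities = {
        cap.get("name")
        for cap in resource.get("properties", {}).get("capabilities", [])
    }
    return not (capabilities & NON_NOSQL_CAPABILITIES)


def local_auth_disabled(resource: dict) -> bool:
    """True only when disableLocalAuth is the literal boolean true.

    An omitted property leaves account keys enabled, and a template
    expression such as "[parameters('x')]" cannot be verified statically,
    so both count as not disabled.
    """
    return resource.get("properties", {}).get("disableLocalAuth") is True


def evaluate_template(template: dict) -> list[tuple[str, str]]:
    """Return (name, verdict) for every in-scope NoSQL account."""
    results = []
    for resource in template.get("resources", []):
        if not is_nosql_account(resource):
            continue
        verdict = "Pass" if local_auth_disabled(resource) else "Fail"
        results.append((resource.get("name", "<unnamed>"), verdict))
    return results


# Constructed sample template covering the pass, fail and out-of-scope cases.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "name": "nosql-keys-on",
      "kind": "GlobalDocumentDB",
      "properties": {"locations": []}
    },
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "name": "nosql-keys-off",
      "kind": "GlobalDocumentDB",
      "properties": {"disableLocalAuth": true, "locations": []}
    },
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "name": "mongo-account",
      "kind": "MongoDB",
      "properties": {"locations": []}
    },
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "name": "cassandra-account",
      "kind": "GlobalDocumentDB",
      "properties": {
        "capabilities": [{"name": "EnableCassandra"}],
        "locations": []
      }
    }
  ]
}
""")


if __name__ == "__main__":
    for name, verdict in evaluate_template(SAMPLE_TEMPLATE):
        print(f"{name}: {verdict}")
```

Running the script against the sample prints `nosql-keys-on: Fail` and `nosql-keys-off: Pass`; the MongoDB and Cassandra accounts are skipped because the rule covers only the NoSQL API. Treating an omitted `disableLocalAuth` as a failure is deliberate, since the property defaults to keys remaining enabled.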

## Notes

This rule has been renamed from Azure.Cosmos.DisableLocalAuth. The alias Azure.Cosmos.DisableLocalAuth is deprecated and will be removed in a future release.
