Security Overview

Azure Cosmos DB provides a comprehensive security model that protects your data throughout its lifecycle. This includes built‑in authentication, fine‑grained access control, robust encryption mechanisms, network isolation, and extensive monitoring capabilities.

Authentication & Authorization

- Azure Active Directory (AAD) integration (OAuth 2.0)
- Primary/secondary keys
- Resource Tokens (fine‑grained permissions)
- Managed Identity for Azure resources

Choose the method that best fits your compliance requirements. AAD is recommended for enterprise scenarios because it enables conditional access and MFA.
Example: Creating a Resource Token (Node.js)

```javascript
const { CosmosClient, PermissionMode } = require("@azure/cosmos");

// The account key is only needed by the trusted service that mints tokens;
// end clients receive the resource token, never the key.
const client = new CosmosClient({
  endpoint: process.env.COSMOS_ENDPOINT,
  key: process.env.COSMOS_KEY,
});

// dbId / containerId: the database and container the token should cover.
async function createReadToken(dbId, containerId) {
  const database = client.database(dbId);
  const container = database.container(containerId);

  // Permissions are attached to a database user, so create (or reuse) one.
  const { user } = await database.users.upsert({ id: "readOnlyUser" });

  // Read-only permission scoped to this single container.
  const { resource: permission } = await user.permissions.upsert({
    id: "readPermission",
    permissionMode: PermissionMode.Read,
    resource: container.url, // "dbs/<dbId>/colls/<containerId>"
  });

  // The resource token is returned in the permission's _token property.
  return permission._token;
}

createReadToken(dbId, containerId).then(console.log);
```
Encryption at Rest & in Transit
All data stored in Azure Cosmos DB is encrypted at rest using Microsoft-managed keys (default) or customer‑managed keys (CMK) via Azure Key Vault.
- Create a Key Vault and generate a key.
- Assign the Cosmos DB managed identity the Key Vault Crypto Service Encryption User role.
- Update the Cosmos DB account to use the CMK.

CLI example:

```bash
# Generate the key (the vault used for CMK must have soft delete and purge protection enabled)
az keyvault key create --vault-name MyVault --name MyKey --protection software

# Point the account at the key's URI
az cosmosdb update --name MyAccount --resource-group MyRG \
  --key-uri $(az keyvault key show --vault-name MyVault --name MyKey --query key.kid -o tsv)
```
Data in transit is secured using TLS 1.2. Use HTTPS endpoints for all client connections.
Network Security
Control network access with the following features:
- Virtual Network (VNet) Service Endpoints – restrict access to specific VNets.
- Private Endpoints – expose the account via a private IP within your VNet.
- IP Firewall Rules – allow only the public IP ranges you list.

Private endpoint CLI example (`--connection-name` is required by the command and was missing from the original snippet):

```bash
az network private-endpoint create \
  --resource-group MyRG \
  --name myCosmosPE \
  --vnet-name MyVNet \
  --subnet MySubnet \
  --connection-name myCosmosPEConnection \
  --private-connection-resource-id $(az cosmosdb show -g MyRG -n MyAccount --query id -o tsv) \
  --group-id Sql
```
Auditing & Diagnostics
Enable diagnostic settings to stream logs to Azure Monitor, Log Analytics, or a storage account.
- Audit logs for data accesses and permission changes.
- Metrics for request latency, RU consumption, and throttling.

To configure this in the Azure portal:

- Navigate to your Cosmos DB account → Diagnostic settings.
- Click Add diagnostic setting.
- Select the logs & metrics you need and choose a destination.
- Save.
Security Best Practices
- Prefer Azure AD authentication over master keys.
- Use resource tokens for least‑privilege access.
- Enable CMK for compliance workloads.
- Restrict network access with private endpoints.
- Rotate keys and credentials regularly.
- Monitor audit logs and set alerts on anomalous activity.