Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Disable Key-Based Authentication for Azure Cosmos DB Accounts

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that key-based authentication is disabled for your Azure Cosmos DB accounts. This security best practice enforces the use of Microsoft Entra authentication, enhancing access security.

Security

Using access keys for authentication can create significant security vulnerabilities because of the potential leakage of secrets to source control systems and their exposure to the public. To achieve optimal security, it is recommended to disable key-based authentication for your Azure Cosmos DB accounts, enforcing your applications to use Microsoft Entra authentication instead. This method provides superior security and ease of use compared to shared access key authentication and allows secure connections via a user, service principal, or managed identity.

Audit

To determine if your Azure Cosmos DB accounts are using local authentication methods such as access keys for authentication, perform the following operations:

Getting the authentication configuration for Azure Cosmos DB accounts using Microsoft Azure Portal is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cosmosdb list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Cosmos DB account available in the selected subscription: 

az cosmosdb list
	--query '[*].id'

05 The command output should return the requested Azure Cosmos DB account IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-prod-dba-account"
]

06 Run cosmosdb show command (Windows/macOS/Linux) with the ID of the Azure Cosmos DB account that you want to examine as the identifier parameter and custom output filters to determine if local (key-based) authentication is disabled for the selected Cosmos DB account: 

az cosmosdb show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"
	--query "{disableLocalAuth:disableLocalAuth}"

07 The command output should return the requested configuration settings status: 

{
	"disableLocalAuth": false
}

If the cosmosdb show command output returns false for the "disableLocalAuth" configuration setting, as shown in the example above, key-based authentication is not disabled for the selected Azure Cosmos DB account.

08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable local (key-based) authentication for your Azure Cosmos DB accounts so that clients or applications are required to use Microsoft Entra authentication, perform the following operations:

Disabling local authentication methods for Azure Cosmos DB accounts using Microsoft Azure Portal is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to access as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run resource update command (OSX/Linux/UNIX) with the ID of the Azure Cosmos DB account that you want to configure as the identifier parameter, to disable key-based authentication for the selected Azure Cosmos DB account: 

az resource update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"
	--set properties.disableLocalAuth=true

05 The command output should return the configuration information available for the modified Azure Cosmos DB account: 

{
	"extendedLocation": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database",
	"identity": {
		"principalId": null,
		"tenantId": null,
		"type": "None",
		"userAssignedIdentities": null
	},
	"kind": "GlobalDocumentDB",
	"location": "West Europe",
	"managedBy": null,
	"name": "cc-project5-cosmos-database",
	"plan": null,

	...

	"properties": {
		"EnabledApiTypes": "Sql",
		"databaseAccountOfferType": "Standard",
		"defaultIdentity": "FirstPartyIdentity",
		"disableKeyBasedMetadataWriteAccess": false,
		"disableLocalAuth": true,
		"enableAnalyticalStorage": false,
		"enableAutomaticFailover": false,
		"enableBurstCapacity": false,
		"enableFreeTier": true,
		"enableMultipleWriteLocations": false,
		"enablePartitionKeyMonitor": false,
		"enablePartitionMerge": false,
		"enablePerRegionPerPartitionAutoscale": true,
	},
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.DocumentDB/databaseAccounts"
}

06 Repeat steps no. 4 and 5 for each Azure Cosmos DB account that you want to configure, available within the selected subscription.

07 Repeat steps no. 3 – 6 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date May 28, 2025

Related CosmosDB rules