
Enable Microsoft Defender for Azure Cosmos DB Accounts

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Microsoft Defender for Cloud is enabled for your Azure Cosmos DB accounts in order to provide enhanced security by detecting threats, monitoring unusual activity, and offering recommendations to protect your data from vulnerabilities and breaches.

Security

Microsoft Defender for Cloud provides action-oriented recommendations and security alerts with details of the suspicious activity and guidance on how to mitigate the security threats. With Microsoft Defender for Azure Cosmos DB, you obtain an extra layer of security intelligence that detects unusual and potentially harmful activity in your Azure Cosmos DB accounts. This makes it easier to address threats, even without deep security expertise, and connects directly with your existing security monitoring systems.


Audit

To determine if Microsoft Defender for Cloud is enabled for your Azure Cosmos DB accounts, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.

05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.

06 In the resource navigation panel, under Settings, select Microsoft Defender for Cloud to access the Defender for Cloud recommendations available for the selected Cosmos DB account. If no recommendations are listed on this page and the Enable Microsoft Defender for Azure Cosmos DB button is displayed instead, Microsoft Defender for Cloud is not enabled for the selected Azure Cosmos DB account.

07 Repeat steps no. 5 and 6 for each Azure Cosmos DB account deployed in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cosmosdb list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Cosmos DB account available in the selected subscription:

az cosmosdb list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Cosmos DB account names:

Name                          ResourceGroup
---------------------------   ------------------------------
cc-project5-cosmos-database   cloud-shell-storage-westeurope
cc-cosmos-prod-dba-account    cloud-shell-storage-westeurope

06 Run security atp cosmosdb show command (Windows/macOS/Linux) with the name of the Azure Cosmos DB account that you want to examine as the identifier parameter and custom output filters to determine if Microsoft Defender for Cloud is enabled at the resource level:

az security atp cosmosdb show \
	--cosmosdb-account cc-project5-cosmos-database \
	--resource-group cloud-shell-storage-westeurope \
	--query 'isEnabled'

07 The command output should return the requested Defender for Cloud configuration status (true for enabled, false for disabled):

false

If the security atp cosmosdb show command output returns false, as shown in the example above, Microsoft Defender for Cloud is not enabled for the selected Azure Cosmos DB account.

08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that Microsoft Defender for Cloud is enabled for your Azure Cosmos DB accounts, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.

05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.

06 In the resource navigation panel, under Settings, select Microsoft Defender for Cloud, and click on the Enable Microsoft Defender for Azure Cosmos DB button to enable Defender for Cloud (including Advanced Threat Protection) for the selected Azure Cosmos DB account.

07 Repeat steps no. 5 and 6 for each Azure Cosmos DB account that you want to configure, deployed in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cosmosdb list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Cosmos DB account available in the selected subscription:

az cosmosdb list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Cosmos DB account names:

Name                          ResourceGroup
---------------------------   ------------------------------
cc-project5-cosmos-database   cloud-shell-storage-westeurope
cc-cosmos-prod-dba-account    cloud-shell-storage-westeurope

06 Run security atp cosmosdb update command (Windows/macOS/Linux) with the name of the Azure Cosmos DB account that you want to configure as the identifier parameter, to enable Microsoft Defender for Cloud at the resource level. This will enable Advanced Threat Protection for the selected Cosmos DB account:

az security atp cosmosdb update \
	--cosmosdb-account cc-project5-cosmos-database \
	--resource-group cloud-shell-storage-westeurope \
	--is-enabled true

07 The command output should return the information available for Microsoft Defender for Azure Cosmos DB:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDb/databaseAccounts/cc-project5-cosmos-database/providers/Microsoft.Security/advancedThreatProtectionSettings/current",
	"isEnabled": true,
	"name": "current",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Security/advancedThreatProtectionSettings"
}

08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account that you want to configure, available within the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
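The Azure CLI audit steps (Audit, steps 01 to 09) and the remediation steps (Remediation, steps 01 to 09) above can be combined into one script that walks every subscription and every Cosmos DB account, reports each account's Defender status, and optionally enables it where it is off. This is an added example, not part of the original page; it assumes a working `az login` session, the environment variables RUN_AUDIT and REMEDIATE (names chosen here), and that resource group and account names contain no '/'.

```shell
#!/bin/sh
# Added example (not from the original page): audit every Azure Cosmos DB
# account in every subscription for Microsoft Defender (Advanced Threat
# Protection) and, with REMEDIATE=1, enable it where it is off.
# Uses the same az commands as the audit/remediation steps; needs 'az login'.
set -eu

# Classify one account from the 'isEnabled' value printed by
# 'az security atp cosmosdb show --query isEnabled --output tsv' ("true"/"false").
# Returns 0 = compliant, 1 = non-compliant, 2 = unexpected value.
classify_account() {
  sub="$1"; rg="$2"; name="$3"; is_enabled="$4"
  case "$is_enabled" in
    true)  printf 'PASS %s %s/%s Defender enabled\n' "$sub" "$rg" "$name"; return 0 ;;
    false) printf 'FAIL %s %s/%s Defender NOT enabled\n' "$sub" "$rg" "$name"; return 1 ;;
    *)     printf 'ERROR %s %s/%s unexpected status: %s\n' "$sub" "$rg" "$name" "$is_enabled"; return 2 ;;
  esac
}

# Remediation step 06 for one account; prints the new isEnabled value.
enable_defender() {
  az security atp cosmosdb update --cosmosdb-account "$2" --resource-group "$1" \
    --is-enabled true --query 'isEnabled' --output tsv
}

# Audit steps 01-09: every subscription, every Cosmos DB account.
audit_all_subscriptions() {
  failures=0
  for sub in $(az account list --query '[*].id' --output tsv); do
    az account set --subscription "$sub"
    # One "resourceGroup/accountName" per line (assumes neither contains '/').
    for entry in $(az cosmosdb list --query "[*].join('/', [resourceGroup, name])" --output tsv); do
      rg=${entry%%/*}; name=${entry#*/}
      status=$(az security atp cosmosdb show --cosmosdb-account "$name" \
                 --resource-group "$rg" --query 'isEnabled' --output tsv)
      if ! classify_account "$sub" "$rg" "$name" "$status"; then
        if [ "${REMEDIATE:-0}" = 1 ]; then
          status=$(enable_defender "$rg" "$name")
          classify_account "$sub" "$rg" "$name" "$status" || failures=$((failures + 1))
        else
          failures=$((failures + 1))
        fi
      fi
    done
  done
  echo "Non-compliant Cosmos DB accounts remaining: $failures"
  [ "$failures" -eq 0 ]
}

# Live run only when requested: RUN_AUDIT=1 [REMEDIATE=1] sh audit-cosmosdb-defender.sh
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit_all_subscriptions; fi
```

The script's exit status is non-zero while any account remains non-compliant, so it can gate a CI or scheduled compliance job.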

Publication date May 28, 2025