How to connect to Cosmos DB for Mongo using managed identity

Question

How to connect to Cosmos DB for Mongo using managed identity

Flavio Duarte 20

I deployed Cosmos DB for Mongo and I can connect using the connection string in Python (for instance).

Now I'd like to connect using a user managed identity similar to it is done with Object Storage:

cred = DefaultAzureCredentials()
client = MongoClient(account_url=url, credential=cred) # should MongoClient for CosmosDB

I couldn't make this simple code work, despite have assigned "DocumentDB Account Contributor" to my user managed identity, which has more privileges that I wanted since it has control plane privileges and not just data plane.

I have tried variations of the above code based on what I found out there without success. At some point I got this error that kinda tells me it is possible to do what I'm trying to do:
To connect to Azure Cosmos DB for MongoDB (RU-based account) using a Managed Identity, you'll need to use Azure AD-based authentication instead of the traditional connection string with a username/password. As of mid-2024, Azure Cosmos DB for MongoDB vCore supports Azure AD-based authentication, but MongoDB API (RU-based) support is more limited and requires extra configuration.

Could you help with an example (python) connecting to Cosmos DB for Mongo along with the setup steps that need to be done?

Regards,

Flavio Duarte

Flavio Duarte 20 Reputation points

2025-08-01T08:22:51.14+00:00

@Mahesh Kurva
Thanks for the quick reply.
Unfortunately for reasons beyond me, I constraint with Cosmos DB For Mongo (RU).

Is there a similar workflow for RU (without relying on the keys)?

Regards,
Flavio
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator

2025-08-01T15:56:37.7+00:00
Hi Flavio Duarte,

Thanks for getting back to me.

Unfortunately, Cosmos DB for MongoDB (RU-based accounts) does not support Azure AD or managed identity authentication for direct access.

The only supported method is using the Cosmos DB account key in the connection string.

However, for better security, we recommend this workaround:

Store the Cosmos DB key in Azure Key Vault.

Let your app use managed identity to securely fetch the key at runtime.

Use the key to connect to Cosmos DB (still key-based, but no keys in code).

This keeps credentials out of your app code while still working within RU-based limitations.

For full Azure AD support, including managed identity access, Cosmos DB for MongoDB vCore is required. I hope this information helps. Please do let us know if you have any further queries.
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator

2025-08-04T01:55:04.8666667+00:00

Hi Flavio Duarte,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator

2025-08-05T02:33:09.9166667+00:00

Hi Flavio Duarte,

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Flavio Duarte 20 Reputation points

2025-08-05T13:11:53.3733333+00:00

Thanks for the explanation.

Accepted answer

0 additional answers

Your answer

Flavio Duarte 20 Reputation points

2025-08-01T08:22:51.14+00:00

@Mahesh Kurva
Thanks for the quick reply.
Unfortunately for reasons beyond me, I constraint with Cosmos DB For Mongo (RU).

Is there a similar workflow for RU (without relying on the keys)?

Regards,
Flavio
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator

2025-08-01T15:56:37.7+00:00

Hi Flavio Duarte,

Thanks for getting back to me.

Unfortunately, Cosmos DB for MongoDB (RU-based accounts) does not support Azure AD or managed identity authentication for direct access.

The only supported method is using the Cosmos DB account key in the connection string.

However, for better security, we recommend this workaround:

Store the Cosmos DB key in Azure Key Vault.

Let your app use managed identity to securely fetch the key at runtime.

Use the key to connect to Cosmos DB (still key-based, but no keys in code).

This keeps credentials out of your app code while still working within RU-based limitations.

For full Azure AD support, including managed identity access, Cosmos DB for MongoDB vCore is required. I hope this information helps. Please do let us know if you have any further queries.
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator

2025-08-04T01:55:04.8666667+00:00

Hi Flavio Duarte,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator

2025-08-05T02:33:09.9166667+00:00

Hi Flavio Duarte,

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Flavio Duarte 20 Reputation points

2025-08-05T13:11:53.3733333+00:00

Thanks for the explanation.

Answer 1

Mahesh Kurva 6,850 Microsoft External Staff Moderator

Hi Flavio Duarte,

Greetings!!

Azure Cosmos DB for MongoDB vCore using a User Assigned Managed Identity in Python

Use Cosmos DB for MongoDB vCore, not RU-based.
Enable Microsoft Entra ID authentication on the cluster.
Assign dbOwner role to the Managed Identity in Entra ID.
UseDefaultAzureCredential() in your Python app.
Implement OIDC callback .

For more information, please refer the documents:

Build a Python console app with Azure Cosmos DB for MongoDB vCore

Microsoft Entra ID authentication with Azure Cosmos DB for MongoDB vCore.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator

2025-08-06T01:13:54.7733333+00:00

Hi Flavio Duarte,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

How to connect to Cosmos DB for Mongo using managed identity

0 additional answers

Your answer