Authenticate to Cosmos DB in Microsoft Fabric from Azure host services (preview)

Important

This feature is in preview.

Cosmos DB in Microsoft Fabric primarily relies on Microsoft Entra ID authentication and built-in data plane roles to manage authentication and authorization. In this guide, you use Microsoft Entra ID and your signed-in account to connect to a Cosmos DB in Fabric database.

Important

The steps are similar if you authenticate using a service principal, group, or other type of Microsoft Entra ID identity. To grant a service principal the ability to connect to Microsoft Fabric and your Cosmos DB database, enable the "Service principals can use Fabric APIs" setting in the Fabric tenant. For more information, see Microsoft Fabric tenant settings.

Prerequisites

  • An identity with the Read permission for the database in Fabric

  • Azure CLI

  • Python 3.12 or later
  • Node.js 22 or later
  • .NET SDK 9.0 or later

Retrieve Cosmos DB endpoint

First, get the endpoint for the Cosmos DB database in Fabric. This endpoint is required to connect using the Azure SDK.

  1. Open the Fabric portal (https://app.fabric.microsoft.com).

  2. Navigate to your existing Cosmos DB database.

  3. Select the Settings option in the menu bar for the database.

    Screenshot of the 'Settings' menu bar option for a database in the Fabric portal.

  4. In the settings dialog, navigate to the Connection section. Then, copy the value of the Endpoint for Cosmos DB NoSQL database field. You use this value in a later step.

    Screenshot of the 'Connection' section of the 'Settings' dialog for a database in the Fabric portal.

Authenticate to Azure CLI

Now, authenticate to the Azure CLI. The Azure SDK can use several authentication mechanisms to verify your identity, but the Azure CLI is the most universal and frictionless option across developer languages.

  1. In your local development environment, open a terminal.

  2. Authenticate to Azure CLI using az login.

    az login
    
  3. Follow the interactive steps to perform multifactor authentication (MFA) and select your subscription.

  4. Verify that your account is logged in successfully by querying your identity.

    az ad signed-in-user show
    
  5. Observe the output of the previous command. The id field contains the principal (object) ID of the currently signed-in identity.

    {
      "@odata.context": "<https://graph.microsoft.com/v1.0/$metadata#users/$entity>",
      "businessPhones": [],
      "displayName": "Kai Carter",
      "givenName": "Kai",
      "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
      "jobTitle": "Senior Sales Representative",
      "mail": "<kai@adventure-works.com>",
      "mobilePhone": null,
      "officeLocation": "Redmond",
      "preferredLanguage": null,
      "surname": "Carter",
      "userPrincipalName": "<kai@adventure-works.com>"
    }
    

    Note

    In Microsoft Entra ID terms, this identity is referred to as your human identity. It's one of many types of identity that can connect to databases, including, but not limited to:

    • Managed identities (system or user-assigned)
    • Workload identities
    • Application identities
    • Device identities

    While these steps focus on using your human identity to connect to the database in Fabric, the steps are similar if you're connecting using a different identity type. For more information about identities, see identity fundamentals.

Connect using Azure SDK

Finally, use the Azure SDK to connect to the Cosmos DB database in Fabric using the endpoint and your identity. The Azure SDK ships with a unified identity library that automatically handles authentication on your behalf. This step uses the AzureCliCredential type, which automatically finds the right identity type based on your environment.

Tip

Alternatively, you can use the DefaultAzureCredential type. This type can automatically find the right system-assigned or user-assigned managed identity if you deploy your application code to Azure and the right human identity locally in development.

from azure.cosmos import CosmosClient
from azure.identity import DefaultAzureCredential

# Endpoint copied from the Connection section of the database settings in the Fabric portal.
endpoint = "<cosmos-db-fabric-endpoint>"

# This sample uses DefaultAzureCredential (see the preceding tip).
credential = DefaultAzureCredential()

# Pass the Microsoft Entra ID token credential to the client.
client = CosmosClient(endpoint, credential=credential)

container = client.get_database_client("<database-name>").get_container_client("<container-name>")

# Return the id of up to 10 items.
nosql = "SELECT TOP 10 VALUE item.id FROM items AS item"

results = container.query_items(
    query=nosql,
    enable_cross_partition_query=True,
)

items = [item for item in results]

for item in items:
    print(item)

Note

This sample uses the azure-identity and azure-cosmos packages from PyPI.

import { Container, CosmosClient, CosmosClientOptions } from '@azure/cosmos'
import { TokenCredential, AzureCliCredential } from '@azure/identity'

run();

async function run() {
    // Endpoint copied from the Connection section of the database settings in the Fabric portal.
    let endpoint: string = '<cosmos-db-fabric-endpoint>';

    // Authenticate as the identity signed in to the Azure CLI (az login).
    let credential: TokenCredential = new AzureCliCredential();

    // Pass the Microsoft Entra ID token credential to the client.
    let options: CosmosClientOptions = {
        endpoint: endpoint,
        aadCredentials: credential
    };

    const client: CosmosClient = new CosmosClient(options);

    const container: Container = client.database('<database-name>').container('<container-name>');

    // Return the id of up to 10 items.
    const nosql = 'SELECT TOP 10 VALUE item.id FROM items AS item';

    const querySpec = {
        query: nosql
    }

    let response = await container.items.query(querySpec).fetchAll();
    for (let item of response.resources) {
        console.log(item);
    }
}

Note

This sample uses the @azure/identity and @azure/cosmos packages from npm.

using Azure.Identity;
using Microsoft.Azure.Cosmos;

// Endpoint copied from the Connection section of the database settings in the Fabric portal.
string endpoint = "<cosmos-db-fabric-endpoint>";
// Authenticate as the identity signed in to the Azure CLI (az login).
AzureCliCredential credential = new();
// Pass the Microsoft Entra ID token credential to the client.
CosmosClient client = new(endpoint, credential);

Container container = client
    .GetDatabase("<database-name>")
    .GetContainer("<container-name>");

// Return the id of up to 10 items.
string sql = "SELECT TOP 10 VALUE item.id FROM items AS item";

QueryDefinition query = new(sql);

FeedIterator<string> iterator = container.GetItemQueryIterator<string>(query);

// Read the results one page at a time.
while (iterator.HasMoreResults)
{
    FeedResponse<string> response = await iterator.ReadNextAsync();
    foreach (var item in response)
    {
        Console.WriteLine(item);
    }
}

Note

This sample uses the Azure.Identity and Microsoft.Azure.Cosmos packages from NuGet.
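
Because DefaultAzureCredential can select a different identity in each environment, it helps to confirm which principal a token was issued to before granting or debugging database permissions. The following added example (not part of the original article) decodes an access token's claims for inspection only, without verifying the signature, and compares the oid claim with the principal ID reported by az ad signed-in-user show. The function names, the expected audience value, and the sample token are constructed assumptions.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_identity(token, expected_oid, expected_aud, now=None):
    """Return a list of mismatches; an empty list means the token is as expected."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if str(claims.get("oid", "")).lower() != expected_oid.lower():
        problems.append(f"oid {claims.get('oid')!r} is not the expected principal")
    if str(claims.get("aud", "")).rstrip("/") != expected_aud.rstrip("/"):
        problems.append(f"aud {claims.get('aud')!r} is not the expected resource")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(oid, aud, exp):
    """Build an unsigned, constructed token so the check runs offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64(header), b64({"oid": oid, "aud": aud, "exp": exp}), "sig"])


# Constructed values: the id is the sample principal ID shown in the CLI output
# earlier on this page; the audience is an assumption for illustration.
EXPECTED_OID = "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
EXPECTED_AUD = "https://cosmos.azure.com"

if __name__ == "__main__":
    # With a real credential, pass credential.get_token("<scope>").token instead.
    token = make_sample_token(EXPECTED_OID, EXPECTED_AUD, int(time.time()) + 3600)
    print(check_identity(token, EXPECTED_OID, EXPECTED_AUD) or "token matches")
```

Treat the decoded claims as diagnostic output only; authorization decisions belong to the service that validates the token's signature.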