MongoDB vCore clusters should use Microsoft Entra ID authentication
Security · Cosmos DB · Rule · 2025_12 · Critical
MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.
Description
MongoDB vCore clusters support multiple authentication modes including native authentication (connection string) and Microsoft Entra ID authentication. Native authentication uses MongoDB credentials (username/password) that are embedded in connection strings and managed locally within the cluster.
Using Microsoft Entra ID authentication provides several security benefits:
- Centralized identity management - Single authoritative source for all user identities.
- MongoDB role-based permissions - Fine-grained access control using MongoDB's native role system with Entra ID identities.
- Enhanced security features - Multi-factor authentication, conditional access, and identity protection.
- Reduced complexity - Eliminates the need to manage separate database credentials.
- Audit and compliance - Centralized logging and monitoring of authentication events.
Microsoft Entra ID authentication should be enabled to ensure secure and centralized identity management for MongoDB vCore clusters.
Recommendation
Consider enabling Microsoft Entra ID authentication on MongoDB vCore clusters.
Examples
Configure with Azure template
To deploy MongoDB vCore clusters that pass this rule:
- Set the `properties.authConfig.allowedModes` array to include `MicrosoftEntraID`.
For example:
```json
{
  "type": "Microsoft.DocumentDB/mongoClusters",
  "apiVersion": "2025-04-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "serverVersion": "8.0",
    "authConfig": {
      "allowedModes": [
        "NativeAuth",
        "MicrosoftEntraID"
      ]
    },
    "compute": {
      "tier": "M30"
    },
    "storage": {
      "sizeGb": 128,
      "type": "PremiumSSD"
    }
  }
}
```
Configure with Bicep
To deploy MongoDB vCore clusters that pass this rule:
- Set the `properties.authConfig.allowedModes` array to include `MicrosoftEntraID`.
For example:
```bicep
resource mongoCluster 'Microsoft.DocumentDB/mongoClusters@2025-04-01-preview' = {
  name: name
  location: location
  properties: {
    serverVersion: '8.0'
    authConfig: {
      allowedModes: [
        'NativeAuth'
        'MicrosoftEntraID'
      ]
    }
    compute: {
      tier: 'M30'
    }
    storage: {
      sizeGb: 128
      type: 'PremiumSSD'
    }
  }
}
```
Notes
Important: For initial deployment, you must include both NativeAuth and MicrosoftEntraID in the allowedModes array.
Deploying with only MicrosoftEntraID will cause the deployment to fail as the initial setup process requires native authentication.
After deployment is complete and Entra ID users are configured, you can optionally remove NativeAuth for enhanced security.
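The following is an added example, not part of the rule's own implementation or the PSRule for Azure code base: a small pre-deployment check that reads an ARM template, finds every `Microsoft.DocumentDB/mongoClusters` resource and applies the condition above (`allowedModes` must include `MicrosoftEntraID`), while also flagging the initial-deployment caveat from the Notes when `NativeAuth` is absent. The template, cluster names and locations are constructed sample data.

```python
import json

MONGO_CLUSTER_TYPE = "microsoft.documentdb/mongoclusters"  # ARM resource types compare case-insensitively
REQUIRED_MODE = "MicrosoftEntraID"
NATIVE_MODE = "NativeAuth"


def evaluate_cluster(resource: dict) -> dict:
    """Evaluate one mongoClusters resource against the rule.

    Fails when MicrosoftEntraID is not an allowed mode. Passes with a warning when
    NativeAuth is also absent, because a first-time deployment needs both modes (see Notes).
    """
    auth = (resource.get("properties") or {}).get("authConfig") or {}
    modes = auth.get("allowedModes") or []
    result = {"name": resource.get("name", "<unnamed>"), "pass": REQUIRED_MODE in modes,
              "reasons": [], "warnings": []}
    if not result["pass"]:
        result["reasons"].append(
            f"properties.authConfig.allowedModes must include {REQUIRED_MODE}; found {modes}")
    elif NATIVE_MODE not in modes:
        result["warnings"].append(
            f"{NATIVE_MODE} absent: an initial deployment with only {REQUIRED_MODE} fails")
    return result


def evaluate_template(template: str) -> list[dict]:
    """Evaluate every mongoClusters resource in an ARM template given as JSON text."""
    doc = json.loads(template)
    return [evaluate_cluster(r) for r in doc.get("resources", [])
            if str(r.get("type", "")).lower() == MONGO_CLUSTER_TYPE]


# Constructed sample template: compliant, non-compliant and Entra-only clusters, plus an unrelated resource.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.DocumentDB/mongoClusters", "apiVersion": "2025-04-01-preview",
         "name": "cluster-both", "location": "eastus",
         "properties": {"authConfig": {"allowedModes": ["NativeAuth", "MicrosoftEntraID"]}}},
        {"type": "Microsoft.DocumentDB/mongoClusters", "apiVersion": "2025-04-01-preview",
         "name": "cluster-native-only", "location": "eastus",
         "properties": {"authConfig": {"allowedModes": ["NativeAuth"]}}},
        {"type": "Microsoft.DocumentDB/mongoClusters", "apiVersion": "2025-04-01-preview",
         "name": "cluster-entra-only", "location": "eastus",
         "properties": {"authConfig": {"allowedModes": ["MicrosoftEntraID"]}}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
         "name": "ignoredstorage", "location": "eastus"},
    ],
})

if __name__ == "__main__":
    for r in evaluate_template(SAMPLE_TEMPLATE):
        print("PASS" if r["pass"] else "FAIL", r["name"], *r["reasons"], *r["warnings"], sep="\n  ")
```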
Links
- SE:05 Identity and access management
- Security: Level 1
- Microsoft Entra ID authentication with Azure Cosmos DB for MongoDB vCore
- Configure Microsoft Entra ID authentication for an Azure Cosmos DB for MongoDB vCore cluster
- Azure security baseline for Azure Cosmos DB
- IM-1: Use centralized identity and authentication system
- IM-3: Manage application identities securely and automatically
- Azure deployment reference