Articles

Authenticate to Cosmos DB with Azure Managed Identity (2026)

April 16, 2026 3 min read

Azure Managed Identity is the most secure and convenient way to authenticate your Azure services to Azure Cosmos DB, eliminating the need to manage credentials directly.

Let’s see it in action. Imagine a simple Python function that needs to read data from a Cosmos DB container. Instead of hardcoding a connection string with a primary key, we’ll configure it to use Managed Identity.

import os
from azure.cosmos import CosmosClient
from azure.identity import DefaultAzureCredential

# Get the Cosmos DB endpoint from environment variables
cosmos_endpoint = os.environ.get("COSMOS_ENDPOINT")
database_name = "my_database"
container_name = "my_container"

# Authenticate using DefaultAzureCredential which will automatically
# pick up Managed Identity when running on an Azure resource
credential = DefaultAzureCredential()
client = CosmosClient(cosmos_endpoint, credential=credential)

database = client.get_database_client(database_name)
container = database.get_container_client(container_name)

# Now you can perform operations like reading items
try:
    item = container.read_item(item="some_item_id", partition_key="some_partition_key")
    print(f"Successfully read item: {item}")
except Exception as e:
    print(f"Error reading item: {e}")

To make this work, you first need to enable Managed Identity for the Azure resource hosting your application (e.g., an Azure App Service, Azure Function, or Virtual Machine).

  1. Enable Managed Identity on the Azure Resource:

    • Go to your Azure resource in the Azure portal.
    • Under "Settings," select "Identity."
    • Choose "System assigned" and click "Save." Azure will create a Service Principal for this resource.

  2. Grant Permissions to the Cosmos DB Account:

    • Navigate to your Azure Cosmos DB account in the portal.
    • Under "Access control (IAM)," click "Add" > "Add role assignment."
    • Select a role that grants read access, such as "Cosmos DB Reader" or "Cosmos DB Data Reader." For write access, consider "Cosmos DB Operator" or a custom role.
    • In the "Members" tab, select "Managed identity" and click "+ Select members."
    • Choose your subscription, then select "Virtual Machine," "App Service," or the relevant resource type.
    • Select the specific Azure resource you enabled Managed Identity on.
    • Click "Review + assign."

  3. Configure Your Application:

    • Ensure your application code uses an Azure SDK that supports Managed Identity (like azure-identity for Python, Azure.Identity for .NET, etc.).
    • Set the COSMOS_ENDPOINT environment variable in your Azure resource’s application settings to your Cosmos DB account’s URI. The SDK, when using DefaultAzureCredential, will automatically detect the Managed Identity and use it to authenticate against Cosmos DB without needing any keys.

This setup means your application’s identity is managed by Azure Active Directory (Azure AD). When it requests access to Cosmos DB, Azure AD validates its identity (via the Managed Identity) and, if authorized by the role assignment, issues a token that Cosmos DB trusts. This completely bypasses the need to store or rotate Cosmos DB keys.

The core concept is that the Managed Identity acts as a Service Principal that Azure AD provisions and manages for you. You then grant this Service Principal permissions to your Cosmos DB account, just as you would a user or an application Service Principal. The DefaultAzureCredential class in the Azure SDK is a fantastic abstraction; it tries multiple authentication methods in a sensible order, including Managed Identity when running in an Azure environment, environment variables, and Visual Studio Code.

When you enable a system-assigned managed identity on an Azure resource, Azure automatically creates an identity for that resource in Azure AD. This identity has a unique Service Principal object. You then assign Azure RBAC roles (like "Cosmos DB Data Reader") to this Service Principal on your Cosmos DB account. The Azure SDK, using DefaultAzureCredential, detects it’s running on an Azure resource with a managed identity, obtains a token from Azure AD for that identity, and presents it to Cosmos DB. Cosmos DB then validates the token and grants access based on the assigned roles.

The most surprising thing most people don’t realize is that DefaultAzureCredential is often sufficient and you don’t need to explicitly specify ManagedIdentityCredential in your code, even though you’re using Managed Identity. It handles the logic of picking the right credential type based on the environment.

The next step you’ll likely encounter is handling data modeling and query optimization within Cosmos DB, specifically understanding the nuances of partitioning and indexing for performance.

Want structured learning?

Take the full Cosmos-db course →