Hi Saurabh Sharma,  
Thank you for reaching out to Microsoft Q&A.  
Please go with the Cosmos DB Built-in Data Contributor role (data-plane) at the correct scope to update documents.

- Cosmos DB Built-in Data Contributor role (data-plane)
  - Data-plane actions, like:
    - Microsoft.DocumentDB/databaseAccounts/read
    - Microsoft.DocumentDB/databaseAccounts/listKeys/action
    - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/* (covers replace, upsert, delete, read for documents)
  - CRUD operations on items within containers.
  - Query execution on containers.
 
This role does NOT allow account-level management (control-plane) but enables full document-level operations.  
reference: https://free.blessedness.top/azure/cosmos-db/how-to-setup-rbac#built-in-role-definitions 
“Cosmos DB Operator” won’t let you modify documents — it’s a control-plane role (manage the account) and explicitly blocks data access and even the account keys/connection strings.
To update a document, you need a data-plane permission. The simplest built-in choice is Cosmos DB Built-in Data Contributor assigned at the right scope (account / database / container). That role includes the item actions needed to update (replace/upsert) documents, e.g. …/containers/items/replace, …/containers/items/upsert, and the usual CRUD/query actions. 
Quick path (pick one):
- Entra ID / RBAC (recommended) – Assign “Cosmos DB Built-in Data Contributor” to your user/app at the container (or db/account) scope. After that, connect with Entra ID and you can update documents.
- Key-based auth (legacy) – Use a key that has write rights; note the Operator role cannot view or regenerate keys, by design. If you’re going this route, someone with a role that allows listKeys must fetch the key for you.
If you still get a 403 after the assignment, double-check the scope (container vs database), and that your client is actually using Entra ID (not an old connection string). The data-plane role’s ID for “Built-in Data Contributor” is listed in the docs if you prefer scripting assignments.
Hope that clarifies which permission you need.
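
The 403 checks described in the answer above (assignment scope, and Entra ID versus a key-based connection string), as an added example that is not part of the original answer. It assumes role assignments shaped like the JSON from `az cosmosdb sql role assignment list` (fields `principalId`, `roleDefinitionId`, `scope`, with fully qualified scopes); the function names, finding labels and sample values are constructed for illustration.

```python
import re

# Role definition ID of "Cosmos DB Built-in Data Contributor" (same in every account).
DATA_CONTRIBUTOR_ID = "00000000-0000-0000-0000-000000000002"

# Matches account, database (/dbs/<db>) and container (/dbs/<db>/colls/<coll>) scopes.
SCOPE_RE = re.compile(
    r"/databaseAccounts/[^/]+(?:/dbs/(?P<db>[^/]+)(?:/colls/(?P<coll>[^/]+))?)?/?$",
    re.IGNORECASE,
)

def scope_covers(scope, database, container):
    """True if an assignment scope includes the target container."""
    m = SCOPE_RE.search(scope)
    if m is None:
        return False                      # not a recognisable Cosmos DB scope
    db, coll = m.group("db"), m.group("coll")
    if db is None:
        return True                       # account-level scope covers everything
    # Database and container names are compared case-sensitively.
    return db == database and coll in (None, container)

def diagnose_403(assignments, principal_id, database, container, connection_string=""):
    """Return a list of likely reasons a document update is rejected."""
    findings = []
    if "accountkey=" in connection_string.lower():
        findings.append("key-based-auth")  # client is not using Entra ID at all
    suffix = "/sqlroledefinitions/" + DATA_CONTRIBUTOR_ID
    mine = [a for a in assignments
            if a["principalId"] == principal_id
            and a["roleDefinitionId"].lower().endswith(suffix)]
    if not mine:
        findings.append("no-data-contributor-assignment")
    elif not any(scope_covers(a["scope"], database, container) for a in mine):
        findings.append("scope-mismatch")
    return findings

# Constructed sample: one assignment scoped to a single container.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.DocumentDB/databaseAccounts/demo-acct")
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SAMPLE = [{"principalId": PRINCIPAL,
           "roleDefinitionId": ACCOUNT + "/sqlRoleDefinitions/" + DATA_CONTRIBUTOR_ID,
           "scope": ACCOUNT + "/dbs/orders/colls/archive"}]

if __name__ == "__main__":
    # The assignment covers "archive" only, so updating "invoices" is out of scope.
    print(diagnose_403(SAMPLE, PRINCIPAL, "orders", "invoices"))
```
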