Configure Microsoft Entra ID authentication for an Azure Cosmos DB for MongoDB vCore cluster

2025-10-23
Applies to: ✅ MongoDB (vCore)

In this article, you learn how to configure Microsoft Entra ID authentication for an Azure Cosmos DB for MongoDB vCore. The steps in this guide configure an existing Azure Cosmos DB for MongoDB vCore cluster to use Microsoft Entra ID authentication with your human identity (currently signed-in account) or a Microsoft Entra ID security principal such as managed identity. Microsoft Entra ID authentication enables secure and seamless access to your database by using your organization's existing identities. This guide goes through the steps to set up authentication, register users or service principals, and validate the configuration.

When you create an Azure Cosmos DB for MongoDB vCore cluster, cluster is configured to use native authentication by default. To enable authentication using Entra ID, turn on the Entra ID authentication method and add Entra ID users to the cluster.

Prerequisites

An existing Azure Cosmos DB for MongoDB (vCore) cluster.
- If you don't have an Azure subscription, create an account for free.
- If you have an existing Azure subscription, create a new Azure Cosmos DB for MongoDB vCore cluster.

The latest version of the Azure CLI in Azure Cloud Shell.
- If you prefer to run CLI reference commands locally, sign in to the Azure CLI by using the az login command.

Get identity metadata

Get unique identifier for Entra ID user management

First, get the unique identifier used to manage Entra ID principals on the cluster.

Get the details for the currently logged-in account using az ad signed-in-user.
```
az ad signed-in-user show
```
Get the details for another account using az ad user show.
```
az ad user show --id kai@adventure-works.com
```

The command outputs a JSON response containing various fields.

{
  "@odata.context": "<https://graph.microsoft.com/v1.0/$metadata#users/$entity>",
  "businessPhones": [],
  "displayName": "Kai Carter",
  "givenName": "Kai",
  "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
  "jobTitle": "Senior Sales Representative",
  "mail": "<kai@adventure-works.com>",
  "mobilePhone": null,
  "officeLocation": "Redmond",
  "preferredLanguage": null,
  "surname": "Carter",
  "userPrincipalName": "<kai@adventure-works.com>"
}

Record the value of the id property. This property is the unique identifier for your principal and is sometimes referred to as the principal ID. You use this value in the next series of steps.

Get friendly name using unique identifier

When you need to get a friendly name using unique identifier, follow these steps.

Get the details for another account using az ad user show.

az ad user show --id aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

The command outputs a JSON response containing various fields.

{
  "@odata.context": "<https://graph.microsoft.com/v1.0/$metadata#users/$entity>",
  "businessPhones": [],
  "displayName": "Kai Carter",
  "givenName": "Kai",
  "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
  "jobTitle": "Senior Sales Representative",
  "mail": "<kai@adventure-works.com>",
  "mobilePhone": null,
  "officeLocation": "Redmond",
  "preferredLanguage": null,
  "surname": "Carter",
  "userPrincipalName": "<kai@adventure-works.com>"
}

Note the value of the mail and displayName properties.

Get unique identifier for an Entra ID service principal

To use a managed identity in your application or to log in using Entra ID credentials in tools like the MongoDB shell or Compass, you need to retrieve the principalID and the clientID of the managed identity.

Get the details for the managed identity using a GET REST API call. Replace variables that start with $ sign with the actual values.

az rest --method "GET" --url "https://management.azure.com/subscriptions/$subscription-id/resourcegroups/$resource-group-name/providers/microsoft.managedidentity/userassignedidentities/$managed-identity-name?api-version=2024-11-30"

The command outputs a JSON response containing various fields.

{
  "location": "eastus",
  "name": "managed-identity-name",
  "properties": {
    "clientId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
    "isolationScope": "None",
    "principalId": "cccccccc-0000-1111-2222-bbbbbbbbbbbb",
    "tenantId": "dddddddd-0000-1111-2222-bbbbbbbbbbbb"
  },
  "tags": {},
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}

Note the clientID and principalId values in the output.
1. Use principalId to add the managed identity to your cluster as an Entra ID entity.
2. Use clientID to connect to the cluster via MongoDB Shell or Compass or in your application code using Entra ID authentication.

Manage cluster authentication methods

Use the following steps to change authentication methods on your existing cluster. Then, add an Entra ID user mapped to your signed-in identity to the cluster. You can have the following authentication methods enabled on your cluster:

Native DocumentDB authentication method only
Native DocumentDB and Microsoft Entra ID authentication methods
Microsoft Entra ID authentication method

Important

When cluster is created, you have to have native DocumentDB authentication method enabled and specify native administrative user credentials. You can disable native DocumentDB authentication method once new cluster finishes provisioning.

On the cluster sidebar, under Settings, select Authentication.
In Authentication methods section, select Native DocumentDB and Microsoft Entra ID to enable Microsoft Entra ID authentication.
Select Save to confirm the authentication method changes.

Note

If you need to disable native DocumentDB authentication method on your cluster, use Azure CLI or REST API calls.

To enable Microsoft Entra ID on the cluster, update the existing cluster with an HTTP PATCH operation by adding the MicrosoftEntraID value to allowedModes in the authConfig property.

az resource patch \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --properties "{\"authConfig\":{\"allowedModes\":[\"MicrosoftEntraID\",\"NativeAuth\"]}}" \
    --latest-include-preview

To disable Microsoft Entra ID authentication method on the cluster, update the existing cluster with an HTTP PATCH operation by overwriting the current values in allowedModes in the authConfig property with NativeAuth.

az resource patch \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --properties "{\"authConfig\":{\"allowedModes\":[\"NativeAuth\"]}}" \
    --latest-include-preview

To disable native DocumentDB authentication method and enable Microsoft Entra ID on the cluster, update the existing cluster with an HTTP PATCH operation by adding only the MicrosoftEntraID value to allowedModes in the authConfig property.

az resource patch \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --properties "{\"authConfig\":{\"allowedModes\":[\"MicrosoftEntraID\"]}}" \
    --latest-include-preview

You can use the Azure REST API directly or wrapped into az rest from Azure CLI environment.

Use this command to add Microsoft Entra ID authentication method to the cluster:

az rest \
    --method "PUT" \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>?api-version=2025-09-01" \
    --body "{\"location\":\"<cluster-region>\",\"properties\":{\"authConfig\":{\"allowedModes\":[\"MicrosoftEntraID\",\"NativeAuth\"]}}}"

Use this command to remove Microsoft Entra ID authentication method from the cluster and leave only native DocumentDB authentication method enabled:

az rest \
    --method "PUT" \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>?api-version=2025-09-01" \
    --body "{\"location\":\"<cluster-region>\",\"properties\":{\"authConfig\":{\"allowedModes\":\"NativeAuth\"}}}"

Use this command to remove native DocumentDB authentication method and add Microsoft Entra ID authentication method to the cluster:

az rest \
    --method "PUT" \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>?api-version=2025-09-01" \
    --body "{\"location\":\"<cluster-region>\",\"properties\":{\"authConfig\":{\"allowedModes\":[\"MicrosoftEntraID\"]}}}"

Tip

If you're using the Azure Cloud Shell, you can upload/download files directly to the shell. For more information, see managed files in Azure Cloud Shell.

View authentication methods enabled on the cluster

Follow these steps to see authentication methods currently enabled on the cluster.

On the cluster sidebar, under Settings, select Authentication.
In the Authentication methods section, check authentication methods currently enabled on the cluster.

Get the authConfig property from your existing cluster using az resource show.

az resource show \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters" \
    --query "properties.authConfig" \
    --latest-include-preview

Observe the output. If Microsoft Entra ID authentication isn't configured, the output includes only the NativeAuth value in the allowedModes array.
```
{
  "authConfig": {
    "allowedModes": [
        "NativeAuth"
  ] }
}
```
If Microsoft Entra ID authentication is enabled on the cluster, the output includes both the NativeAuth and MicrosoftEntraID values in the allowedModes array.
```
{
  "authConfig": {
    "allowedModes": [
        "NativeAuth",
        "MicrosotEntraID"
          ] }
}
```

Use this command to check authentication methods currently enabled on the cluster:

az rest \
    --method "GET" \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>?api-version=2025-09-01"

Observe the output. If Microsoft Entra ID authentication isn't configured, the output includes only the NativeAuth value in the allowedModes array.
```
{
  "authConfig": {
    "allowedModes": [
        "NativeAuth"
  ] }
}
```
If Microsoft Entra ID authentication is enabled on the cluster, the output includes both the NativeAuth and MicrosoftEntraID values in the allowedModes array.
```
{
  "authConfig": {
    "allowedModes": [
        "NativeAuth",
        "MicrosotEntraID"
          ] }
    }
```

Manage administrative Entra ID users on the cluster

Follow these steps to add administrative Entra ID users to cluster or remove administrative Entra ID users from it.

Select a cluster with Microsoft Entra ID authentication method enabled.
On the cluster sidebar, under Settings, select Authentication.
To add administrative Entra ID users:
1. In the Microsoft Entra ID authentication section, select +Add Microsoft Entra ID to open the side panel that allows to add Entra ID users and security principals to the cluster.
2. In the Select Microsoft Entra ID roles side panel, select one or more Entra ID users and confirm your choice by selecting Select.
Note

When administrative Microsoft Entra ID users are added to the cluster, their identifiers in aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb format not human readable names such as kai@adventure-works.com are added to the cluster.
Select Save to confirm the authentication method changes.
To remove administrative Entra ID users from the cluster:
1. Get Entra ID identifiers for the users to be removed from the cluster.
2. In the Microsoft Entra ID authentication section, select Remove next to the user's identifier to remove that user from the cluster.
Important

User is removed from the cluster right after Remove is selected.

Get the unique ID of the user or service principal that needs to be added to or removed from the cluster.
To add administrative Entra ID users, use az resource create. This command creates a new resource of type Microsoft.DocumentDB/mongoClusters/users. Compose the name of the resource by concatenating the name of the parent cluster and the principal ID of your identity.
```
az resource create \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --location "<cluster-region>" \
    --properties "{\"identityProvider\":{\"type\":\"MicrosoftEntraID\",\"properties\":{\"principalType\":\"User\"}},\"roles\":[{\"db\":\"admin\",\"role\":\"root\"}]}" \
    --latest-include-preview
```
Tip

For example, if your parent resource is named example-cluster and your principal ID was aaaaaaaa-bbbb-cccc-1111-222222222222, the name of the resource would be:
```
"example-cluster/users/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
```
Also, if you're registering a service principal, like a managed identity, you would replace the identityProvider.properties.principalType property's value with ServicePrincipal.
To remove administrative Entra ID users, use az resource delete. This command deletes resource of type Microsoft.DocumentDB/mongoClusters/users. Compose the name of the resource by concatenating the name of the parent cluster and the principal ID of your identity.
```
az resource delete \
    --resource-group "<resource-group-name>" \
    --name "<cluster-name>/users/<principal-id>" \
    --resource-type "Microsoft.DocumentDB/mongoClusters/users" \
    --latest-include-preview
```

Get the unique ID of the user or service principal that needs to be added to or removed from the cluster.

To add administrative Entra ID users to the cluster, use PUT Azure REST API call with this az rest command:

az rest \
    --method "PUT" \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users/<principal-id>?api-version=2025-09-01" \
    --body "{\"location\":\"<cluster-region>\",\"properties\":{\"identityProvider\":{\"type\":\"MicrosoftEntraID\",\"properties\":{\"principalType\":\"User\"}},\"roles\":[{\"db\":\"admin\",\"role\":\"root\"}]}}"

Tip

For example, if your parent resource is named example-cluster and your principal ID was aaaaaaaa-bbbb-cccc-1111-222222222222, the name of the resource would be:

"example-cluster/users/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

Also, if you're registering a service principal, like a managed identity, you would replace the identityProvider.properties.principalType property's value with ServicePrincipal.

To remove administrative Entra ID users from the cluster, use DELETE Azure REST API call with this az rest command:

az rest \
    --method "DELETE" \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users/<principal-id>?api-version=2025-09-01"

View administrative Entra ID users on the cluster

When you view administrative users on a cluster, there's always one native built-in administrative user created during cluster provisioning and all administrative Entra ID users added to the cluster listed. All administrative Entra ID users are replicated to the database.

Non-administrative Entra ID users are created in the database. When you list non-administrative users in the database, the list contains all administrative and non-administrative Entra ID users and all secondary (non-administrative) native DocumentDB users.

Follow these steps to see all administrative Entra ID users added to cluster.

Select a cluster with Microsoft Entra ID authentication method enabled.
On the cluster sidebar, under Settings, select Authentication.
In the Microsoft Entra ID authentication section, find the list of object IDs (unique identifiers) for the administrative Entra ID users added to the cluster.
To get friendly names using a unique identifier, follow these steps.

Use this command to list all administrative users on the cluster:

az rest \
    --method "GET" \
    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/mongoClusters/<cluster-name>/users?api-version=2025-09-01"

Observe the output. The output includes an array of administrative user accounts on the cluster. This array has one built-in native administrative users and all administrative Entra ID user and service principals added to the cluster.

{
  "id": "/subscriptions/<subscription-id>>/resourceGroups/<resource-group-name>>/providers/Microsoft.DocumentDB/mongoClusters/<cluser-name>>/users/<user's-unique-id>",
  "name": "user's-unique-id",
  "properties": {
    "identityProvider": {
      "properties": {
        "entraTenant": "entra-tenant-id",
        "principalType": "User"
      },
      "type": "MicrosoftEntraID"
    },
    ...
    "user": "user's-unique-id"
  },
    ...
  "type": "Microsoft.DocumentDB/mongoClusters/users"
}

Note

An Azure Cosmos DB for MongoDB vCore cluster is created with one built-in native DocumentDB user. You can add more native DocumentDB users after cluster provisioning is completed. Microsoft Entra ID users added to the cluster are going to be in addition to native DocumentDB users defined on the same cluster.

Manage non-administrative Entra ID users on the cluster

To perform management operations for non-administrative Entra ID security principals such as users, you need to log in to the cluster with an administrative Entra ID user. You can do it from your application code or from the tools like MongoDB shell and Compass.

All management commands for non-administrative users are supported for SecurityPrincipal and user principal types.

To add a non-administrative Entra ID user with read-write permissions on the cluster, use the following createUser command:

db.runCommand(
    {
        createUser:"user's-Entra-ID-identifier",
        roles : [
            { role:"clusterAdmin",db:"admin" },
            { role:"readWriteAnyDatabase", db:"admin" }
        ],
 	    customData:{"IdentityProvider":{"type":"MicrosoftEntraID", "properties":{"principalType":"user"}}}
    }
)

To add a non-administrative Entra ID user with read-only permissions on the cluster, use the following createUser command:

db.runCommand(
    {
        createUser:"user's-Entra-ID-identifier",
        roles : [
            { role:"readAnyDatabase", db:"admin" }
        ],
 	    customData:{"IdentityProvider":{"type":"MicrosoftEntraID", "properties":{"principalType":"user"}}}
    }
)

To remove a non-administrative Entra ID user from the cluster, use dropUser command:
```
db.runCommand(
    {
        dropUser:"user's-Entra-ID-identifier"
    }
)
```
To list all Entra ID and native DocumentDB users on the cluster, use userInfo command:
```
db.runCommand(
    {
        usersInfo:1
    }
)
```
Note

All Entra ID and native DocumentDB administrative users are replicated to the database. Because of this replication, the list of users include all administrative and non-administrative Entra ID and native DocumentDB users on the cluster.

Connect to the cluster

You can connect to the cluster using either a connection URI or a custom settings object from the driver for your preferred language. In either option, the scheme must be set to mongodb+srv to connect to the cluster. The host is at either the *.global.mongocluster.cosmos.azure.com or *.mongocluster.cosmos.azure.com domain depending on whether you're using the current cluster or global read-write endpoint. The +srv scheme and the *.global.* host ensures that your client is dynamically connected to the appropriate writable cluster in a multi-cluster configuration even if a region swap operation occurs. In a single-cluster configuration, you can use either connection string indiscriminately.

The tls setting must also be enabled. The remaining recommended settings are best practice configuration settings.

Option	Value
scheme	`mongodb+srv`
host	`<cluster-name>.global.mongocluster.cosmos.azure.com` or `<cluster-name>.mongocluster.cosmos.azure.com`
`tls`	`true`
`authMechanism`	`MONGODB-OIDC`
`retrywrites`	`false`
`maxIdleTimeMS`	`120000`

On the cluster properties page in the Azure portal, under Settings, open Connection strings. The Connection strings page contains connection strings for the authentication methods enabled on the cluster. Microsoft Entra ID connection strings are in the Microsoft Entra ID section.

Global

mongodb+srv://<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000

Cluster

mongodb+srv://<cluster-name>.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&retrywrites=false&maxIdleTimeMS=120000

const AzureIdentityTokenCallback = async (params: OIDCCallbackParams, credential: TokenCredential): Promise<OIDCResponse> => {
    const tokenResponse: AccessToken | null = await credential.getToken(['https://ossrdbms-aad.database.windows.net/.default']);
    return {
        accessToken: tokenResponse?.token || '',
        expiresInSeconds: (tokenResponse?.expiresOnTimestamp || 0) - Math.floor(Date.now() / 1000)
    };
};

const clusterName: string = '<azure-cosmos-db-mongodb-vcore-cluster-name>';

const credential: TokenCredential = new DefaultAzureCredential();

const client = new MongoClient(
    `mongodb+srv://${clusterName}.global.mongocluster.cosmos.azure.com/`, {
    connectTimeoutMS: 120000,
    tls: true,
    retryWrites: true,
    authMechanism: 'MONGODB-OIDC',
    authMechanismProperties: {
        OIDC_CALLBACK: (params: OIDCCallbackParams) => AzureIdentityTokenCallback(params, credential),
        ALLOWED_HOSTS: ['*.azure.com']
    }
}
);

class AzureIdentityTokenCallback(OIDCCallback):
    def __init__(self, credential):
        self.credential = credential

    def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
        token = self.credential.get_token(
            "https://ossrdbms-aad.database.windows.net/.default").token
        return OIDCCallbackResult(access_token=token)

clusterName = "<azure-cosmos-db-mongodb-vcore-cluster-name>"

credential = DefaultAzureCredential()
authProperties = {"OIDC_CALLBACK": AzureIdentityTokenCallback(credential)}

client = MongoClient(
    f"mongodb+srv://{clusterName}.global.mongocluster.cosmos.azure.com/",
    connectTimeoutMS=120000,
    tls=True,
    retryWrites=True,
    authMechanism="MONGODB-OIDC",
    authMechanismProperties=authProperties
)

string tenantId = "<microsoft-entra-tenant-id>";
string clusterName = "<azure-cosmos-db-mongodb-vcore-cluster-name>";

DefaultAzureCredential credential = new();
AzureIdentityTokenHandler tokenHandler = new(credential, tenantId);

MongoUrl url = MongoUrl.Create($"mongodb+srv://{clusterName}.global.mongocluster.cosmos.azure.com/");
MongoClientSettings settings = MongoClientSettings.FromUrl(url);
settings.UseTls = true;
settings.RetryWrites = false;
settings.MaxConnectionIdleTime = TimeSpan.FromMinutes(2);
settings.Credential = MongoCredential.CreateOidcCredential(tokenHandler);
settings.Freeze();

MongoClient client = new(settings);

internal sealed class AzureIdentityTokenHandler(
    TokenCredential credential,
    string tenantId
) : IOidcCallback
{
    private readonly string[] scopes = ["https://ossrdbms-aad.database.windows.net/.default"];

    public OidcAccessToken GetOidcAccessToken(OidcCallbackParameters parameters, CancellationToken cancellationToken)
    {
        AccessToken token = credential.GetToken(
            new TokenRequestContext(scopes, tenantId: tenantId),
            cancellationToken
        );

        return new OidcAccessToken(token.Token, token.ExpiresOn - DateTimeOffset.UtcNow);
    }

    public async Task<OidcAccessToken> GetOidcAccessTokenAsync(OidcCallbackParameters parameters, CancellationToken cancellationToken)
    {
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(scopes, parentRequestId: null, tenantId: tenantId),
            cancellationToken
        );

        return new OidcAccessToken(token.Token, token.ExpiresOn - DateTimeOffset.UtcNow);
    }
}

Use Entra ID with Visual Studio Code, MongoDB shell, and MongoDB Compass

You can use Entra ID authentication in various tools including Visual Studio Code with DocumentDB extension, MongoDB shell, and MongoDB Compass tools. In Visual Studio Code, you can authenticate to your cluster using the current user logged in to Visual Studio Code.

An Azure managed identity is used to login using Entra ID to MonogDB shell and Compass. Assign managed identity to an Azure virtual machine (VM) and log in to the cluster from that VM using MongoDB shell or Compass. One of the common tasks performed in the tools with Entra ID authentication is management of the secondary Entra ID users on the cluster. Administrative Entra ID user needs to be authenticated in MongoDB shell, Compass, or other MongoDB management tool in order to manage secondary Entra ID users on the cluster.

Connect to the cluster using Entra ID in Visual Studio Code

To connect to an Azure Cosmos DB for MongoDB vCore cluster using Visual Studio Code with DocumentDB extension and Entra ID authentication, follow this guidance.

Note

When you authenticate to an Azure Cosmos DB for MongoDB vCore cluster using Entra ID in Visual Studio Code with DocumentDB extension, shell functionality isn't supported. If you need to use MongoDB shell with Entra ID authentication, follow these steps.

Connect to the cluster using Entra ID in MongoDB shell

Create a user-assigned managed identity.
Assign managed identity to a virtual machine.
Add managed identity to the cluster as an Entra ID user using the managed identity metadata.

To connect to the cluster, use the following connection string in MongoDB shell on the VM:

mongosh "mongodb+srv://<client-id>@<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:https://ossrdbms-aad.database.windows.net" --oidcTrustedEndpoint

where clientID is the managed identity's client ID.

Connect to the cluster using Entra ID in MongoDB Compass

Use the following steps to use Entra ID to authenticate to the cluster in MongoDB Compass.

Create a user-assigned managed identity.
Assign managed identity to a virtual machine.
Add managed identity to the cluster as an Entra ID user using the managed identity metadata.
Run MongoDB Compass on the VM.
Select + sign on the left side next to Connections to add a new connection.
Make sure Edit Connection String toggle is enabled in the New Connection window.

Paste the following connection string into the URI input box.

mongodb+srv://<client-id>@<cluster-name>.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:https://ossrdbms-aad.database.windows.net

where clientID is the managed identity's client ID.

Open Advanced Connection Options.
On the General tab, make sure mongodb+srv is selected under Connection String Scheme.
Go to the Authentication tab.
Make sure OIDC is selected.
Open OIDC Options.
Set Consider Target Endpoint Trusted option.
Select Save & Connect.

Microsoft Entra ID authentication in Azure Cosmos DB for MongoDB vCore overview
Check limitations of Microsoft Entra ID in Azure Cosmos DB for MongoDB vCore
Connect using a console application

Feedback

Was this page helpful?

Share via

Configure Microsoft Entra ID authentication for an Azure Cosmos DB for MongoDB vCore cluster

Prerequisites

Get identity metadata

Get unique identifier for Entra ID user management

Get friendly name using unique identifier

Get unique identifier for an Entra ID service principal

Manage cluster authentication methods

View authentication methods enabled on the cluster

Manage administrative Entra ID users on the cluster

View administrative Entra ID users on the cluster

Manage non-administrative Entra ID users on the cluster

Connect to the cluster

Use Entra ID with Visual Studio Code, MongoDB shell, and MongoDB Compass

Connect to the cluster using Entra ID in Visual Studio Code

Connect to the cluster using Entra ID in MongoDB shell

Connect to the cluster using Entra ID in MongoDB Compass

Related content

Feedback

Additional resources