Issues using Cosmos Explorer with Local Auth Disabled

[faheemgani]

We currently have a Cosmos Database hosted within Azure and the recommendation by Microsoft is to have local authentication disabled and to authenticate using AD instead.

We are able to get this to work with our .NET services using managed identity with the correct RA but when trying to use the data explorer either in the portal or on https://cosmos.azure.com/ we get the following error:

Failed to get authorization headers for docs: Unexpected end of JSON input

This is when we try and load the items within a container itself, we can load everything else such as the list of containers, the settings for a container etc.

It comes back with a 401 on a POST request to this URL: https://main.documentdb.ext.azure.com/api/guest/runtimeproxy/authorizationTokens

We have assigned the Cosmos DB Data Contributor role through the Azure CLI (using the az cosmosdb sql role assignment command) to the AD users that are trying to access the containers within the database.

We are using private endpoints with the Cosmos DB instance but we have exceptions in place to Accept Connections from within public Azure datacentres and to allow access from Azure Portal.

[chshihMSFT]

Can you test with adding specific parameter and see how it goes?
https://cosmos.azure.com/?feature.enableAadDataPlane=true

This is documented in here: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#use-data-explorer

[dozer75]

I know this is an old post, but I struggled with the same today, when I found this post I realized I had forgotten about the query param after the easter, so I can confirm that the query param works.

[adriangalvarez]

Unfortunately, the query param is not working for me. For testing purposes and to isolate the issue, I created a brand new Cosmos DB, and accessed it as expected through both the Data Explorer and cosmos.azure.com. Then I disabled local auth on it by using the az resource update --ids $cosmosDbAccount.id --set properties.disableLocalAuth=true command, and I was no longer able to view the Cosmos DB data. I could see the databases & the containers, but not the items inside them.

I added the querystring param ?feature.enableAadDataPlane=true with no luck.

I have the following roles assigned on the Cosmos DB resource:

• Contributor (inherited from Subscription)
• Cosmos DB Account Reader.Role (specifically assigned to this resource)

[chshihMSFT]

If I'm not wrong, those mentioned permission like Contributor, Cosmos DB Account Reader roles are from Portal -Access Control (IAM), which belongs to "Control-Plane" permissions and not the necessary configuration when disable local auth.

When you have disabled local auth, that literally means all key-based authentication is not allowed anymore. So even though those control-plane roles give you the permission to read master key (or readonly key), you are still not able to browse data via standalone Data Explorer (https://cosmos.azure.com/?feature.enableAadDataPlane=true)

To help you to see your data via Data Explorer AFTER disabled local auth, you have to :

1. Grant your AAD user with proper "Data-Plane" permissions first
   Note: This can only be done via Azure CLI / Power Shell / ARM template. There is no UI support for this still.
   Sample CLI commands:

$subscriptionid = "your_subscription_id"
$resourceGroupName = "your_resource_group_name"
$accountName = "your_cosmosdb_account_name"
az account set --subscription $subscriptionid
 
$buildInRoleId = "00000000-0000-0000-0000-000000000002" #Cosmos DB Built-in Data Contributor
$principalId = "your_application_object_id" #AAD User or Application ObjectId, not Application Id
az cosmosdb sql role assignment create --resource-group $resourceGroupName --account-name $accountName --scope "/" --principal-id $principalId --role-definition-id $buildInRoleId

2. Browse your Cosmos DB account / database / container via the mentioned URL, i.e., https://cosmos.azure.com/?feature.enableAadDataPlane=true

Hope this helps.

Please check public docs below, if anything is unclear. Thank you very much.
Control-Plane RBAC permission
Data-Plane RBAC permission

[adriangalvarez]

Thank you for your quick answer. There is another important thing that might be worth mentioning. The website and function apps connecting to it are registered as App Services in Azure. They were failing until I gave its App Id the permission above.

So, what's the blaming scenario?

• The offending Cosmos DB account is located in tenant B
• I am a guest in tenant B
• Previously, when local auth was enabled, my guest user could read/write items in the offending Cosmos DB account
• My guest user in tenant B was granted with the Cosmos DB Built-in Data Contributor role
• My guest user in tenant B still can't read/write items in the offending Cosmos DB account

The proposed solution works good for users within tenant B. Guests users on that tenant can't access the Cosmos DB items.

[daveoshinsky]

I have opened related post: Azure/azure-cosmos-dotnet-v3#4653