Use Entra ID Client Authentication and Azure RBAC for Cosmos DB

Map all the resources that currently have access to the Azure Cosmos DB account with keys or access tokens.

Create an Entra ID identity for each of these resources:

• For Azure resources, you can create a managed identity. You may choose between system-assigned and user-assigned managed identities.
• For non-Azure resources, create an Entra ID identity. Grant each Entra ID identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

Remediate from Azure CLI

az resource update --name <name> --resource-group <resourceGroup> --resource-type Microsoft.DocumentDB/databaseAccounts --set properties.disableLocalAuth=true

Azure Portal (Asset-Level)

1. Open the affected resource from the finding details in Azure Portal.
2. Navigate to the relevant Security/Configuration/Networking blade.
3. Apply the control-specific secure setting.
4. Save and re-run the check.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.