Skip to content

Commit 057e103

Browse files
committed
Learn Editor: Update how-to-setup-rbac.md
1 parent 53fce83 commit 057e103

File tree

1 file changed

+7
-5
lines changed

1 file changed

+7
-5
lines changed

articles/cosmos-db/how-to-setup-rbac.md

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -451,10 +451,7 @@ When constructing the [REST API authorization header](/rest/api/cosmos-db/access
451451

452452
## Use data explorer
453453

454-
> [!NOTE]
455-
> As of July 2024, the Data Explorer exposed in the Azure portal does support Azure Cosmos DB role-based access control. The Azure Cosmos DB Explorer at [https://cosmos.azure.com](https://cosmos.azure.com) also supports this without the need to specify a query parameter. The previous method of using `https://cosmos.azure.com/?feature.enableAadDataPlane=true` to enable this functionality is still honored and will force the use of Microsoft Entra identity for your data requests.
456-
457-
The use of Azure Cosmos DB role-based access control within Data Explorer (either exposed in the Azure Portal or at [https://cosmos.azure.com] (https://cosmos.azure.com)) is governed by the **Enable Entra ID RBAC** setting. You can access this setting via the "wheel" icon at the right-hand side of the Data Explorer interface.
454+
The use of Azure Cosmos DB role-based access control within Data Explorer (either exposed in the Azure Portal or at [https://cosmos.azure.com] (https://cosmos.azure.com)) is governed by the **Enable Entra ID RBAC** setting. You can access this setting via the "wheel" icon at the upper right-hand side of the Data Explorer interface.
458455

459456
The setting has three possible values:
460457
- **Automatic (default)**: In this mode, role-based access control will be automatically used if the account has [disabled the use of keys] (#disable-local-auth). Otherwise, Data Explorer will use account keys for data requests.
@@ -463,7 +460,12 @@ The setting has three possible values:
463460

464461
- **False**: In this mode, account keys will always be used for Data Explorer data requests. If the account has disabled the use of keys, then the requests will fail.
465462

466-
Please note that changing the mode to one that uses account keys may trigger a request to fetch the primary key on behalf of the identity that is signed in.
463+
When using modes that enable role-based access, please ensure that the signed in identity has been [assigned with proper role definitions] (#role-assignments) to enable data access.
464+
465+
Also note that changing the mode to one that uses account keys may trigger a request to fetch the primary key on behalf of the identity that is signed in.
466+
467+
> [!NOTE]
468+
> Previously, role-based access was only supported in Cosmos Explorer using `https://cosmos.azure.com/?feature.enableAadDataPlane=true`. This is still supported and will override the value of the **Enable Entra ID RBAC** setting. Using this query parameter is the equal to using the 'True' mode mentioned above.
467469
468470
## Audit data requests
469471

0 commit comments

Comments
 (0)