Merge pull request #280500 from ealsur/users/ealsur/cfproles

Cosmos DB Change Feed Processor: Adding roles and permissions

Author: prmerger-automator[bot]

articles/cosmos-db/nosql/change-feed-processor.md

@@ -8,7 +8,7 @@ ms.service: cosmos-db
 ms.subservice: nosql
 ms.devlang: csharp
 ms.topic: conceptual
-ms.date: 04/19/2024
+ms.date: 07/10/2024
 ms.custom: devx-track-csharp, build-2023
 ---
 
@@ -252,6 +252,20 @@ The change feed processor can be hosted in any platform that supports long-runni
 
 Although the change feed processor can run in short-lived environments because the lease container maintains the state, the startup cycle of these environments adds delays to the time it takes to receive notifications (due to the overhead of starting the processor every time the environment is started).
 
+## Role-based access requirements
+
+When using Microsoft Entra ID as authentication mechanism, make sure the identity has the proper [permissions](../how-to-setup-rbac.md#permission-model):
+
+* On the monitored container:
+  * `Microsoft.DocumentDB/databaseAccounts/readMetadata`
+  * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed`
+* On the lease container:
+  * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read`
+  * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create`
+  * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/replace`
+  * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/delete`
+  * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/executeQuery`
+
 ## Additional resources
 
 * [Azure Cosmos DB SDK](sdk-dotnet-v2.md)