
Configuring Cosmos DB Security

Microsoft Azure offers a wide range of options to secure and protect your data, regardless of the format. Whether you're dealing with documents, SQL databases or big data, there are multiple solutions ranging from authentication to virtual networks.
In this course, we will cover the protection of your data from external and internal threats, whether those threats be malicious or accidental. We will see how good design combined with the right configuration can secure your organization's most precious asset: its data.

Learning Objectives

  • Configure security policies to classify, protect, and manage data
  • Configure data retention for storage and databases
  • Set up Azure SQL security features and auditing
  • Learn how to configure storage account security and access
  • Learn how to secure HDInsight clusters
  • Configure Cosmos DB security
  • Configure Data Lake security
  • Learn good design features of an Azure application
  • See how Azure App Services can secure your app
  • See how a governance policy can help formalize security requirements

Intended Audience

  • People preparing for Microsoft’s AZ-500 exam
  • System administrators
  • App developers

Prerequisites

  • Experience with Microsoft Azure
  • Experience with Office 365
  • Basic knowledge of computer security principles
  • Basic networking knowledge



Let's look at the security measures available in Cosmos DB. There are two methods for controlling access to your Cosmos database. Firstly, you can use IP address filtering. By default, this is disabled, so any IP address could potentially access your database. You can configure network and IP access through Firewall and virtual networks under Settings. This allows you to grant access either to particular virtual networks or to specified IP addresses.

Once connected, a request needs to be authenticated and authorized. This is done using keys: a primary and secondary key that are generated as part of the account creation. These are the read-write keys. There are also two read-only keys. Having two keys in each set allows you to regenerate one key of a pair at a time, that is, to rotate the keys while maintaining uninterrupted access to the database for users and applications.
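The rotation order described above, as an added example that is not part of the course: a local Python model in which an account accepts a request signed with either read-write key. `sign` follows the master-key authorization format documented for the Cosmos DB REST API; `AccountModel`, the resource link, the date and the keys are constructed for illustration, and no Azure call is made.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

def new_key():
    """Constructed stand-in for an account key: 64 random bytes, base64."""
    return base64.b64encode(secrets.token_bytes(64)).decode()

def sign(key_b64, verb, resource_type, resource_link, date):
    """Authorization header value for one request signed with a master key."""
    payload = f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n{date.lower()}\n\n"
    mac = hmac.new(base64.b64decode(key_b64), payload.encode(), hashlib.sha256)
    sig = base64.b64encode(mac.digest()).decode()
    return quote(f"type=master&ver=1.0&sig={sig}", safe="")

class AccountModel:
    """Hypothetical local model of the service: either read-write key is valid."""
    def __init__(self):
        self.keys = {"primary": new_key(), "secondary": new_key()}

    def regenerate(self, kind):
        self.keys[kind] = new_key()  # the previous value stops working at once

    def accepts(self, auth, *request):
        return any(hmac.compare_digest(auth, sign(k, *request))
                   for k in self.keys.values())

def rotation_demo():
    """Rotate both keys; return whether each signed request was accepted."""
    acct = AccountModel()
    req = ("GET", "docs", "dbs/appdb/colls/orders", "Tue, 01 Nov 1994 08:12:31 GMT")
    accepted = []
    app_key = acct.keys["primary"]  # the application starts on the primary key
    # Step 1: point the application at the secondary key, then regenerate primary.
    retired, app_key = app_key, acct.keys["secondary"]
    acct.regenerate("primary")
    accepted.append(acct.accepts(sign(app_key, *req), *req))   # app keeps working
    accepted.append(acct.accepts(sign(retired, *req), *req))   # old primary rejected
    # Step 2: point the application at the new primary, then regenerate secondary.
    retired, app_key = app_key, acct.keys["primary"]
    acct.regenerate("secondary")
    accepted.append(acct.accepts(sign(app_key, *req), *req))   # app keeps working
    accepted.append(acct.accepts(sign(retired, *req), *req))   # old secondary rejected
    return accepted

if __name__ == "__main__":
    print(rotation_demo())
```

Regenerating a key before the application has moved off it is the step that causes an outage, which is why each regeneration in the model comes after the switch.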

It's definitely not ideal to use the master keys for all access to your Cosmos database. You can use resource tokens to grant access to specified resources within the database. A token is created when a user is given permission to access a resource. Once a user has been authenticated, say, via Azure Active Directory, a resource token is requested for that user from the Cosmos DB account and relayed back to the client. The client app can then use that token to access the specified Cosmos resources until the token expires. Tokens, by default, are only valid for an hour, but this can be extended to up to five hours. Once expired, a new token will be created for the client if access is still permitted.

Apart from keys and resource tokens, you can assign roles and permissions to users through the Cosmos DB account Access control function.

As with other Azure services, Cosmos DB records audit logs, which can be viewed through the Activity log. In addition to activity logs, you can enable diagnostic logging by going into Diagnostic settings under the Monitoring menu. Diagnostic logs can be saved to a storage account, streamed to an event hub, or sent to Log Analytics. From a security point of view, Query Runtime Statistics, which records details of queries, could hold valuable information when tracking down suspicious activity. You can also record Mongo requests and Data plane requests, which include the resource unit charge.

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.