Hello!
Thank you for posting on Microsoft Learn Q&A.
In Azure Cosmos DB for MongoDB vCore, admin-type MongoDB commands such as createRole are not exposed. They’re handled by the service itself, so when you call them you get that error.
This is by design: vCore abstracts administration commands as part of the managed PaaS offering.
https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/vcore/compatibility-and-feature-support
For native (DocumentDB) secondary users on vCore, Microsoft explicitly documents these limitations:
- Secondary users can be created only by the built-in admin account (createUser).
- Supported roles are fixed to cluster-level read/write or read-only roles (clusterAdmin, readWriteAnyDatabase, readAnyDatabase). https://docs.azure.cn/en-us/cosmos-db/mongodb/vcore/limits
- Assigning roles to specific databases or collections isn't supported; only cluster level is supported.
So even aside from createRole being unsupported, vCore simply does not allow database or collection scoped roles for native secondary users today.
You can create secondary users with createUser from the admin account and assign:
- readAnyDatabase (cluster-wide read-only) or
- readWriteAnyDatabase (cluster-wide read/write).
This gives you secondary users but not per-database segregation.
You can create custom Azure roles for Microsoft.DocumentDB/mongoClusters/* and assign them to Entra principals to control who can manage or connect to each cluster.
https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/vcore/role-based-access-control
This still doesn’t give you per-database data-plane permissions, but does help separate who can access which clusters.
And if you truly need user X to be able to write only to DB_A but not DB_B, the only supported way today is to:
- put DB_A and DB_B in different vCore clusters
- give the user a read/write role only on the cluster that hosts DB_A
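As an added example (not part of the answer above or Microsoft's own tooling), the snippet below is a small helper that builds the standard MongoDB createUser command document for a vCore secondary user and rejects, before anything is sent to the cluster, any role assignment the answer says vCore does not support (a role outside the three cluster-level roles, or a role scoped to a specific database). The role names come from the answer; the assumption that these cluster-level roles live in the admin database follows standard MongoDB conventions, and the user names and password placeholders are constructed.

```javascript
// Added example: validates secondary-user role requests against the
// vCore constraints described in the answer and builds the createUser
// command document. Not code from the original answer or from Microsoft.

// Cluster-level roles the answer lists as the only supported ones.
const SUPPORTED_CLUSTER_ROLES = Object.freeze([
  "clusterAdmin",
  "readWriteAnyDatabase",
  "readAnyDatabase",
]);

// Normalize a role spec: accept "readAnyDatabase" or { role, db }.
// Assumption: cluster-level roles are defined in the admin database,
// as in standard MongoDB.
function normalizeRole(spec) {
  if (typeof spec === "string") return { role: spec, db: "admin" };
  if (spec && typeof spec.role === "string") {
    return { role: spec.role, db: typeof spec.db === "string" ? spec.db : "admin" };
  }
  throw new Error(`Invalid role spec: ${JSON.stringify(spec)}`);
}

// Returns a list of human-readable problems; an empty list means the
// request only uses what vCore accepts for a native secondary user.
function validateRoles(roles) {
  const problems = [];
  for (const spec of roles) {
    const { role, db } = normalizeRole(spec);
    if (!SUPPORTED_CLUSTER_ROLES.includes(role)) {
      problems.push(`role "${role}" is not a supported cluster-level role on vCore`);
    }
    if (db !== "admin") {
      problems.push(
        `role "${role}" scoped to db "${db}": database/collection-scoped roles are not supported on vCore`
      );
    }
  }
  return problems;
}

// Build the createUser command document for admin.runCommand(). Throws with
// the concrete reason if the roles would be rejected, so the caller sees why
// up front instead of a generic server-side error.
function buildCreateUserCommand(user, pwd, roles) {
  const problems = validateRoles(roles);
  if (problems.length > 0) {
    throw new Error(`cannot create user "${user}": ${problems.join("; ")}`);
  }
  return {
    createUser: user,
    pwd,
    roles: roles.map(normalizeRole),
  };
}

// Constructed examples: a read-only reporting user and a read/write app user.
const readOnlyCmd = buildCreateUserCommand("report_reader", "<password>", ["readAnyDatabase"]);
const appCmd = buildCreateUserCommand("app_writer", "<password>", ["readWriteAnyDatabase"]);

// What the question asked for: write access to DB_A only. vCore has no
// per-database data-plane role, so this is refused locally with the reason.
function tryScopedRole() {
  try {
    buildCreateUserCommand("scoped_user", "<password>", [{ role: "readWrite", db: "DB_A" }]);
    return null;
  } catch (e) {
    return e.message;
  }
}

console.log(JSON.stringify(readOnlyCmd));
console.log(JSON.stringify(appCmd));
console.log(tryScopedRole());
```

In mongosh, connected with the built-in admin account, the returned document is passed straight to `db.getSiblingDB("admin").runCommand(readOnlyCmd)`; the only thing the helper adds over calling createUser directly is that it turns the vCore limitation into a clear message at the point where someone tries to request a database-scoped role.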