Tags: python, azure, azure-cosmosdb, azure-identity

AzCosmosDBSqlRoleAssignment issue for a group


We have an Azure group, say CMR, and it has more than 400 members. I want to give each member of the group a Cosmos DB permission. An Azure AD identity (which could be a user, security group, service principal, or managed identity) for CMR can be used to give access to each member of the group.

For that I have used AzCosmosDBSqlRoleAssignment and ran the following command for the principal ID of CMR, whose principal ID is 9f58c295-efa6-4513-84c6-9c84d4033396:

$resourceGroupName = "test"
$accountName = "test7782"
# Built-in Cosmos DB data-plane role definition id (see the RBAC docs linked below)
$contributorRoleDefinitionId = "00000000-0000-0000-0000-000000000001"
# Object id of the CMR group
$principalId = "9f58c295-efa6-4513-84c6-9c84d4033396"
# Scope "/" assigns the role at the account level
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName `
-ResourceGroupName $resourceGroupName `
-RoleDefinitionId $contributorRoleDefinitionId `
-Scope "/" `
-PrincipalId $principalId

Please note, I'm using contributorRoleDefinitionId as 00000000-0000-0000-0000-000000000001, which has the readMetadata permission: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac

The command ran fine. But then I used the Python API to establish a connection with the database and got a permission error.

# Azure Identity library provides Azure Active Directory (Azure AD) token authentication support across the Azure SDK.
# https://learn.microsoft.com/en-us/dotnet/api/azure.identity.azureclicredential?view=azure-dotnet
from azure.identity.aio import AzureCliCredential    
azure_credential = AzureCliCredential()

I'm getting the following error:

Request is blocked because principal [9f58c295-efa6-4513-84c6-9c84d4033396] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [dbs/].

It works perfectly when I switch to giving permissions to each member of the CMR group by their principal ID. But that is cumbersome and much more difficult for me to manage. Any help/suggestions on how to make it work with a group permission?


Solution

  • My method was correct, but I was giving access to the principal ID of an M365 group instead of a mail-enabled security group. An M365 group seems like it will never work for giving bulk access to Cosmos DB RBAC, whereas the Windows Server AD group was successful, as it is made via Microsoft Identity Manager (MIM) https://idweb.microsoft.com/IdentityManagement/default.aspx:

    Further Research:

    There are many different ways of forming groups:

    Microsoft M365 Group

    An M365 group seems to be used for collaboration both inside and outside the company. For this security reason, each member of an M365 group needs to be given access to lower-level resources like Cosmos DB read permission individually.

    Microsoft Identity Manager (MIM)

    Microsoft Identity Manager (MIM) is a service that allows you to manage your organization's users, credentials, and devices. My laptop needs to be on my company VPN to even access the MIM group. Because of this extra security, no further low-level access is required for individual users.
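The answer's practical point is that the data-plane role assignment only takes effect for a security-enabled group, so the group type is worth checking before the assignment is created. The following is an added example (not code from the question or the answer) that inspects the group with Get-AzADGroup, refuses M365 ("Unified") and non-security groups, creates the same account-scoped assignment the question used, and then lists it back for verification. It assumes the Az.Resources and Az.CosmosDB modules are installed and Connect-AzAccount has been run; the resource group, account name, role id and principal id are the values quoted in the question, and the GroupType/SecurityEnabled property names are those exposed by Az.Resources (an assumption to verify against your installed module version).

```powershell
# Added example: gate a Cosmos DB SQL role assignment on the group type.
# Values below are the ones from the question; adjust for your environment.
$resourceGroupName      = "test"
$accountName            = "test7782"
$principalId            = "9f58c295-efa6-4513-84c6-9c84d4033396"
# Built-in "Cosmos DB Built-in Data Reader" role (grants readMetadata and item reads)
$readerRoleDefinitionId = "00000000-0000-0000-0000-000000000001"

# 1. Resolve the principal and inspect its group type.
#    Property names GroupType / SecurityEnabled / MailEnabled are as returned by
#    Az.Resources' Get-AzADGroup (assumption; check with Get-Member if unsure).
$group = Get-AzADGroup -ObjectId $principalId
if (-not $group) {
    throw "No Azure AD group found with object id $principalId"
}

$isM365Group = $group.GroupType -contains "Unified"
if ($isM365Group -or -not $group.SecurityEnabled) {
    throw ("Group '{0}' is an M365 / non-security group (SecurityEnabled={1}, MailEnabled={2}). " +
           "Cosmos DB data-plane RBAC needs a security-enabled group; pick a (mail-enabled) security group.") `
           -f $group.DisplayName, $group.SecurityEnabled, $group.MailEnabled
}
Write-Host "Group '$($group.DisplayName)' is security-enabled; proceeding with the role assignment."

# 2. Create the account-scoped ("/") data-plane assignment, exactly as in the question.
$assignment = New-AzCosmosDBSqlRoleAssignment -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $readerRoleDefinitionId `
    -Scope "/" `
    -PrincipalId $principalId

# 3. Verify: list assignments on the account and confirm one targets this principal.
$existing = Get-AzCosmosDBSqlRoleAssignment -AccountName $accountName -ResourceGroupName $resourceGroupName |
    Where-Object { $_.PrincipalId -eq $principalId }

if (-not $existing) {
    throw "Role assignment for $principalId was not found after creation."
}
$existing | Format-Table Id, Scope, RoleDefinitionId, PrincipalId -AutoSize
```

If the check throws on GroupType, the Get-AzADGroup output in your module version may spell the property differently; `Get-AzADGroup -ObjectId $principalId | Get-Member` shows the actual names. Note that the readMetadata error in the question names the group's object id, so the assignment itself was being honoured; it was the group's type, not the cmdlet call, that needed changing.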