Added Azure.Cosmos.EntraID (#3575)

* Added Azure.Cosmos.EntraId

* remove selector

* Updates

---------

Co-authored-by: Bernie White <[email protected]>

Author: BenjaminEngeset

docs/changelog.md

@@ -34,6 +34,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
   - App Configuration:
     - Check that replica locations are in allowed regions by @BernieWhite.
       [#3441](https://github.com/Azure/PSRule.Rules.Azure/issues/3441)
+  - Cosmos DB:
+    - Check that MongoDB vCore clusters use Microsoft Entra ID authentication by @BenjaminEngeset.
+      [#3369](https://github.com/Azure/PSRule.Rules.Azure/issues/3369)
 - Updated rules:
   - Application Gateway Policy:
     - Updated `Azure.AppGwWAF.RuleGroups` to use Microsoft Default Rule Set instead of legacy OWASP rule set by @BenjaminEngeset.

docs/en/rules/Azure.Cosmos.MongoEntraID.md

@@ -0,0 +1,120 @@
+---
+reviewed: 2025-11-03
+severity: Critical
+pillar: Security
+category: SE:05 Identity and access management
+resource: Cosmos DB
+resourceType: Microsoft.DocumentDB/mongoClusters
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.MongoEntraID/
+---
+
+# MongoDB vCore clusters should use Microsoft Entra ID authentication
+
+## SYNOPSIS
+
+MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.
+
+## DESCRIPTION
+
+MongoDB vCore clusters support multiple authentication modes including native authentication (connection string) and
+Microsoft Entra ID authentication.
+Native authentication uses MongoDB credentials (username/password) that are embedded in connection strings and
+managed locally within the cluster.
+
+Using Microsoft Entra ID authentication provides several security benefits:
+
+- **Centralized identity management** - Single authoritative source for all user identities.
+- **MongoDB role-based permissions** - Fine-grained access control using MongoDB's native role system with Entra ID identities.
+- **Enhanced security features** - Multi-factor authentication, conditional access, and identity protection.
+- **Reduced complexity** - Eliminates the need to manage separate database credentials.
+- **Audit and compliance** - Centralized logging and monitoring of authentication events.
+
+Microsoft Entra ID authentication should be enabled to ensure secure and centralized identity management for
+MongoDB vCore clusters.
+
+## RECOMMENDATION
+
+Consider enabling Microsoft Entra ID authentication on MongoDB vCore clusters.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy MongoDB vCore clusters that pass this rule:
+
+- Set the `properties.authConfig.allowedModes` array to include `MicrosoftEntraID`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.DocumentDB/mongoClusters",
+  "apiVersion": "2025-04-01-preview",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "serverVersion": "8.0",
+    "authConfig": {
+      "allowedModes": [
+        "NativeAuth",
+        "MicrosoftEntraID"
+      ]
+    },
+    "compute": {
+      "tier": "M30"
+    },
+    "storage": {
+      "sizeGb": 128,
+      "type": "PremiumSSD"
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy MongoDB vCore clusters that pass this rule:
+
+- Set the `properties.authConfig.allowedModes` array to include `MicrosoftEntraID`.
+
+For example:
+
+```bicep
+resource mongoCluster 'Microsoft.DocumentDB/mongoClusters@2025-04-01-preview' = {
+  name: name
+  location: location
+  properties: {
+    serverVersion: '8.0'
+    authConfig: {
+      allowedModes: [
+        'NativeAuth'
+        'MicrosoftEntraID'
+      ]
+    }
+    compute: {
+      tier: 'M30'
+    }
+    storage: {
+      sizeGb: 128
+      type: 'PremiumSSD'
+    }
+  }
+}
+```
+
+## NOTES
+
+**Important:** For initial deployment, you must include both `NativeAuth` and `MicrosoftEntraID` in the `allowedModes` array.
+Deploying with only `MicrosoftEntraID` will cause the deployment to fail as the initial setup process requires native authentication.
+After deployment is complete and Entra ID users are configured, you can optionally remove `NativeAuth` for enhanced security.
+
+## LINKS
+
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication)
+- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1)
+- [Microsoft Entra ID authentication with Azure Cosmos DB for MongoDB vCore](https://learn.microsoft.com/azure/cosmos-db/mongodb/vcore/entra-authentication)
+- [Configure Microsoft Entra ID authentication for an Azure Cosmos DB for MongoDB vCore cluster](https://learn.microsoft.com/azure/cosmos-db/mongodb/vcore/how-to-configure-entra-authentication?tabs=portal%2Cazure-portal)
+- [Azure security baseline for Azure Cosmos DB](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline)
+- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline#im-1-use-centralized-identity-and-authentication-system)
+- [IM-3: Manage application identities securely and automatically](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline#im-3-manage-application-identities-securely-and-automatically)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/mongoclusters)

src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml

@@ -138,6 +138,27 @@ spec:
     - field: properties.backupPolicy.continuousModeProperties.tier
       hasValue: true
 
+---
+# Synopsis: Cosmos DB accounts should use Entra ID authentication.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+  name: Azure.Cosmos.MongoEntraID
+  ref: AZR-000499
+  tags:
+    release: GA
+    ruleSet: 2025_12
+    Azure.WAF/pillar: Security
+  labels:
+    Azure.MCSB.v1/control: ['IM-1', 'IM-3']
+    Azure.WAF/maturity: L1
+spec:
+  type:
+    - Microsoft.DocumentDB/mongoClusters
+  condition:
+    field: properties.authConfig.allowedModes[*]
+    contains: MicrosoftEntraID
+
 #endregion Rules
 
 #region Selectors

tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1

@@ -122,6 +122,22 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' {
             $ruleResult.Length | Should -Be 3;
             $ruleResult.TargetName | Should -BeIn 'nosql-A', 'nosql-B', 'nosql-C';
         }
+
+        It 'Azure.Cosmos.MongoEntraID' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.MongoEntraID' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'mongodb-a';
+
+            $ruleResult[0].Reason | Should -Be "Path properties.authConfig.allowedModes[*]: The value 'System.String[]' does not contain any of 'System.String[]'.";
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -BeIn 'mongodb-b', 'mongodb-c';
+        }
     }
 
     Context 'Resource name - Azure.Cosmos.AccountName' {

tests/PSRule.Rules.Azure.Tests/Resources.Cosmos.json

@@ -381,5 +381,129 @@
         "SubscriptionId": "00000000-0000-0000-0000-000000000000"
       }
     ]
+  },
+  {
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.DocumentDB/mongoClusters/mongodb-a",
+    "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.DocumentDB/mongoClusters/mongodb-a",
+    "Location": "East US",
+    "ResourceName": "mongodb-a",
+    "Name": "mongodb-a",
+    "Properties": {
+      "administrator": {
+        "userName": "mongoAdmin"
+      },
+      "serverVersion": "8.0",
+      "authConfig": {
+        "allowedModes": [
+          "NativeAuth"
+        ]
+      },
+      "compute": {
+        "tier": "M30"
+      },
+      "storage": {
+        "sizeGb": 128,
+        "type": "PremiumSSD"
+      },
+      "sharding": {
+        "shardCount": 1
+      },
+      "highAvailability": {
+        "targetMode": "Disabled"
+      },
+      "backup": {},
+      "publicNetworkAccess": "Enabled",
+      "dataApi": {
+        "mode": "Disabled"
+      },
+      "createMode": "Default"
+    },
+    "ResourceGroupName": "rg-test",
+    "Type": "Microsoft.DocumentDB/mongoClusters",
+    "ResourceType": "Microsoft.DocumentDB/mongoClusters",
+    "Tags": null,
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+  },
+  {
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.DocumentDB/mongoClusters/mongodb-b",
+    "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.DocumentDB/mongoClusters/mongodb-b",
+    "Location": "East US",
+    "ResourceName": "mongodb-b",
+    "Name": "mongodb-b",
+    "Properties": {
+      "administrator": {
+        "userName": "mongoAdmin"
+      },
+      "serverVersion": "8.0",
+      "authConfig": {
+        "allowedModes": [
+          "NativeAuth",
+          "MicrosoftEntraID"
+        ]
+      },
+      "compute": {
+        "tier": "M40"
+      },
+      "storage": {
+        "sizeGb": 256,
+        "type": "PremiumSSD"
+      },
+      "sharding": {
+        "shardCount": 2
+      },
+      "highAvailability": {
+        "targetMode": "SameZone"
+      },
+      "backup": {},
+      "publicNetworkAccess": "Disabled",
+      "dataApi": {
+        "mode": "Enabled"
+      },
+      "createMode": "Default"
+    },
+    "ResourceGroupName": "rg-test",
+    "Type": "Microsoft.DocumentDB/mongoClusters",
+    "ResourceType": "Microsoft.DocumentDB/mongoClusters",
+    "Tags": null,
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+  },
+  {
+    "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.DocumentDB/mongoClusters/mongodb-c",
+    "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.DocumentDB/mongoClusters/mongodb-c",
+    "Location": "East US",
+    "ResourceName": "mongodb-c",
+    "Name": "mongodb-c",
+    "Properties": {
+      "serverVersion": "8.0",
+      "authConfig": {
+        "allowedModes": [
+          "MicrosoftEntraID"
+        ]
+      },
+      "compute": {
+        "tier": "M50"
+      },
+      "storage": {
+        "sizeGb": 512,
+        "type": "PremiumSSD"
+      },
+      "sharding": {
+        "shardCount": 3
+      },
+      "highAvailability": {
+        "targetMode": "ZoneRedundantPreferred"
+      },
+      "backup": {},
+      "publicNetworkAccess": "Disabled",
+      "dataApi": {
+        "mode": "Disabled"
+      },
+      "createMode": "Default"
+    },
+    "ResourceGroupName": "rg-test",
+    "Type": "Microsoft.DocumentDB/mongoClusters",
+    "ResourceType": "Microsoft.DocumentDB/mongoClusters",
+    "Tags": null,
+    "SubscriptionId": "00000000-0000-0000-0000-000000000000"
   }
 ]