I am trying to disable local authentication for my Cosmos DB and use Managed Identity for my Web App and Function App, which connect to it. I have granted both apps the Cosmos DB Built-in Contributor role and verified they are assigned via az cli. However, I am getting the error:

"The MAC signature found in the HTTP request is not the same as the computed signature. Server used following string to sign - . Learn more: https://aka.ms/cosmosdb-tsg-mac-signature","Local Authorization is disabled. Use an AAD token to authorize all requests."

This is the updated Cosmos Client:

var cosmosClient = new CosmosClient(_endpointUrl, new DefaultAzureCredential(), options);

I have followed this guide to disable local auth:
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#disable-local-auth

Is the Cosmos DB Built-in Contributor role enough?

2 Answers


  1. Chosen as BEST ANSWER

    Fixed - missed a Cosmos Client init which was still using key auth.


  2. The error you’re seeing indicates that local authentication is disabled for your Cosmos DB, and an AAD token is required for all requests. Since you’re using Managed Identity, ensure the Web App and Function App have the correct "Cosmos DB Built-in Contributor" role assigned at the appropriate scope (e.g., account, database, or container level).

    Make sure the Managed Identity is properly enabled for your apps and that DefaultAzureCredential() is fetching the AAD token correctly. Additionally, verify that local authentication is fully disabled in your Cosmos DB settings by following this guide.

    Lastly, double-check that your CosmosClientOptions are correctly set up, especially with ConnectionMode.Gateway or other necessary settings for your environment.
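
A check for the cause named in the accepted answer, as an added example that is not part of the original thread: a Python sketch that lists every `new CosmosClient(...)` call in C# source and marks the ones not built with a token credential. The sample source and the `aad`/`key`/`review` labels are constructed for illustration, and the classification is a text heuristic, not a type check.

```python
import re

CTOR = re.compile(r"new\s+CosmosClient\s*\(")
# Heuristic: any "new XxxCredential(" except AzureKeyCredential is treated as
# an Entra ID (AAD) token credential, e.g. DefaultAzureCredential.
TOKEN_CRED = re.compile(r"new\s+(?!AzureKey)\w*Credential\s*\(")

def split_args(src, start):
    """Split top-level constructor arguments; src[start] is just after '('.
    Escaped quotes inside string literals are not handled."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in src[start:]:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch in "([{":
                depth += 1
            elif ch in ")]}":
                if depth == 0:
                    break              # closing paren of the constructor
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    tail = "".join(cur).strip()
    return args + [tail] if tail else args

def classify(args):
    if any(TOKEN_CRED.search(a) for a in args):
        return "aad"                   # token credential passed inline
    if len(args) == 1 or "AzureKeyCredential" in " ".join(args) \
            or args[1].startswith('"'):
        return "key"                   # connection string or account key
    return "review"                    # variable of unknown type: inspect it

def audit(source):
    """Return (line number, classification) for each CosmosClient construction."""
    return [(source.count("\n", 0, m.start()) + 1,
             classify(split_args(source, m.end())))
            for m in CTOR.finditer(source)]

# Constructed sample input, not code from the thread.
SAMPLE = '''var a = new CosmosClient(_endpointUrl, new DefaultAzureCredential(), options);
var b = new CosmosClient(config["Cosmos:ConnectionString"]);
var c = new CosmosClient(_endpointUrl, _authKey, options);
var d = new CosmosClient(_endpointUrl, new AzureKeyCredential(key));
'''
if __name__ == "__main__":
    for line, kind in audit(SAMPLE):
        print(f"line {line}: {kind}")
```

Any `key` or `review` result is a client that can still send key-signed requests, which the account rejects once local authentication is disabled.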
