[@azure/cosmos] Add AAD Scope Override and fallback (#36024)

amanrao23 · web-flow · commit db79bcaa9136 · 2025-10-09T16:08:33.000+05:30
### Packages impacted by this PR @azure/cosmos ### Issues associated with this PR #36015 ### Describe the problem that is addressed by this PR Added support for overriding AAD authentication scope via the new `aadScope` option in `CosmosClientOptions`. When no custom scope is provided, the system uses the account-specific scope for authentication and implements a fallback mechanism to `https://cosmos.azure.com/.default` in case of `AADSTS500011` errors. When a custom scope is explicitly provided via the `aadScope` option, no fallback occurs. ### What are the possible designs available to address the problem? If there are more than one possible design, why was the one in this PR chosen? ### Are there test cases added in this PR? _(If not, why?)_ Yes ### Provide a list of related PRs _(if any)_ ### Command used to generate this PR:**_(Applicable only to SDK release request PRs)_ ### Checklists - [ ] Added impacted package name to the issue description - [ ] Does this PR needs any fixes in the SDK Generator?** _(If so, create an Issue in the [Autorest/typescript](https://github.com/Azure/autorest.typescript) repository and link it here)_ - [ ] Added a changelog (if necessary)
diff --git a/sdk/cosmosdb/cosmos/CHANGELOG.md b/sdk/cosmosdb/cosmos/CHANGELOG.md
@@ -1,5 +1,6 @@
 # Release History
-## 4.6.0 (2025-10-01)
+
+## 4.6.0 (2025-10-08)
 
 ### Features Added
 
@@ -13,6 +14,7 @@ await container.items.upsert(city, requestOptions);
 
 await container.item("1").delete(requestOptions);
 ```
+- [#36015](https://github.com/Azure/azure-sdk-for-js/issues/36015) AAD Authentication Scope Override: Added support for overriding AAD authentication scope via the new `aadScope` option in `CosmosClientOptions`. When no custom scope is provided, the system uses the account-specific scope for authentication and implements a fallback mechanism to `https://cosmos.azure.com/.default` in case of `AADSTS500011` errors. When a custom scope is explicitly provided via the `aadScope` option, no fallback occurs.
 
 ### Bugs Fixed
 - [#35875](https://github.com/Azure/azure-sdk-for-js/issues/35875) Fixed the per-operation partition key format in the batch API to match the API-level partition key,
diff --git a/sdk/cosmosdb/cosmos/review/cosmos-node.api.md b/sdk/cosmosdb/cosmos/review/cosmos-node.api.md
@@ -180,6 +180,7 @@ export type ClientConfigDiagnostic = {
     diagnosticLevel?: CosmosDbDiagnosticLevel;
     pluginsConfigured: boolean;
     sDKVersion: string;
+    aadScopeOverride?: boolean;
 };
 
 // @public (undocumented)
diff --git a/sdk/cosmosdb/cosmos/samples/v4/javascript/FabricAadScopeOverride.js b/sdk/cosmosdb/cosmos/samples/v4/javascript/FabricAadScopeOverride.js
@@ -0,0 +1,96 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/**
+ * @summary Demonstrates how to authenticate and use your database account using AAD credentials with Fabric.
+ * 
+ * Prerequisites:
+ * 1. An Azure Cosmos account in fabric environment and database and container created.
+ *    https://learn.microsoft.com/en-us/fabric/database/cosmos-db/overview
+ * 2. Node.js packages (@azure/cosmos + @azure/identity) and login:
+ *    npm install @azure/cosmos @azure/identity
+ *    az login
+ * 
+ * Sample - demonstrates how to authenticate and use your database account using AAD credentials with Fabric.
+ * Read more about operations allowed for this authorization method: https://aka.ms/cosmos-native-rbac
+ * 
+ * Note:
+ * This sample assumes the database and container already exist.
+ * It writes one item (PK path assumed to be "/pk") and reads it back.
+ */
+
+require("dotenv/config");
+const { DefaultAzureCredential } = require("@azure/identity");
+const { CosmosClient } = require("@azure/cosmos");
+const { handleError, finish, logStep } = require("./Shared/handleError.js");
+
+// Configuration - replace with your values
+const endpoint = process.env.COSMOS_ENDPOINT || "<cosmos endpoint>";
+const databaseId = process.env.COSMOS_DATABASE || "<cosmos database>";
+const containerId = process.env.COSMOS_CONTAINER || "<cosmos container>";
+
+function getTestItem(num) {
+  return {
+    id: `Item_${num}`,
+    pk: "partition1",
+    name: `Item ${num}`,
+    description: `This is item ${num}`,
+    runId: crypto.randomUUID(),
+  };
+}
+
+async function run() {
+
+  logStep("Setting up AAD credentials");
+  
+  // AAD auth works with az login
+  const credentials = new DefaultAzureCredential();
+
+  logStep("Creating Cosmos client with AAD credentials");
+  const client = new CosmosClient({
+    endpoint,
+    aadCredentials: credentials,
+    aadScope: "https://cosmos.azure.com/.default"
+  });
+
+
+  // Do R/W data operations with your authorized AAD client
+  logStep("Getting database and container references");
+  const database = client.database(databaseId);
+  const container = database.container(containerId);
+
+  logStep("Creating a test item");
+  // Create item
+  const testItem = getTestItem(0);
+  const { resource: createdItem } = await container.items.create(testItem);
+  console.log(`Created item: ${createdItem?.id}`);
+
+  logStep("Reading the item back");
+  // Read item
+  const { resource: readItem } = await container.item(testItem.id, testItem.pk).read();
+  console.log("Point read:");
+  console.log(JSON.stringify(readItem, null, 2));
+
+  logStep("Querying for items in the partition");
+  // Query items
+  const querySpec = {
+    query: "SELECT * FROM c WHERE c.pk = @partitionKey",
+    parameters: [
+      {
+        name: "@partitionKey",
+        value: testItem.pk,
+      },
+    ],
+  };
+
+  const { resources: items } = await container.items.query(querySpec).fetchAll();
+  console.log(`Found ${items.length} items in partition '${testItem.pk}':`);
+  items.forEach((item) => {
+    console.log(`- ${item.id}: ${item.name}`);
+  });
+
+  logStep("Sample completed successfully");
+  await finish();
+}
+
+run().catch(handleError);
diff --git a/sdk/cosmosdb/cosmos/samples/v4/typescript/src/FabricAadScopeOverride.ts b/sdk/cosmosdb/cosmos/samples/v4/typescript/src/FabricAadScopeOverride.ts
@@ -0,0 +1,106 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/**
+ * @summary Demonstrates how to authenticate and use your database account using AAD credentials with Fabric.
+ * 
+ * Prerequisites:
+ * 1. An Azure Cosmos account in fabric environment and database and container created.
+ *    https://learn.microsoft.com/en-us/fabric/database/cosmos-db/overview
+ * 2. Node.js packages (@azure/cosmos + @azure/identity) and login:
+ *    npm install @azure/cosmos @azure/identity
+ *    az login
+ * 
+ * Sample - demonstrates how to authenticate and use your database account using AAD credentials with Fabric.
+ * Read more about operations allowed for this authorization method: https://aka.ms/cosmos-native-rbac
+ * 
+ * Note:
+ * This sample assumes the database and container already exist.
+ * It writes one item (PK path assumed to be "/pk") and reads it back.
+ */
+
+import "dotenv/config";
+import { DefaultAzureCredential } from "@azure/identity";
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-ignore
+import { CosmosClient } from "@azure/cosmos";
+import { handleError, finish, logStep } from "./Shared/handleError.js";
+
+// Configuration - replace with your values
+const endpoint = process.env.COSMOS_ENDPOINT || "<cosmos endpoint>";
+const databaseId = process.env.COSMOS_DATABASE || "<cosmos database>";
+const containerId = process.env.COSMOS_CONTAINER || "<cosmos container>";
+
+// Test item structure
+interface TestItem {
+  id: string;
+  pk: string;
+  name: string;
+  description: string;
+  runId: string;
+}
+
+function getTestItem(num: number): TestItem {
+  return {
+    id: `Item_${num}`,
+    pk: "partition1",
+    name: `Item ${num}`,
+    description: `This is item ${num}`,
+    runId: crypto.randomUUID(),
+  };
+}
+
+async function run(): Promise<void> {
+
+  logStep("Setting up AAD credentials");
+  
+  // AAD auth works with az login
+  const credentials = new DefaultAzureCredential();
+
+  logStep("Creating Cosmos client with AAD credentials");
+  
+  const client = new CosmosClient({
+    endpoint,
+    aadCredentials: credentials,
+    aadScope: "https://cosmos.azure.com/.default"
+  });
+
+  logStep("Getting database and container references");
+  const database = client.database(databaseId);
+  const container = database.container(containerId);
+
+  logStep("Creating a test item");
+  // Create item
+  const testItem = getTestItem(0);
+  const { resource: createdItem } = await container.items.create(testItem);
+  console.log(`Created item: ${createdItem?.id}`);
+
+  logStep("Reading the item back");
+  // Read item
+  const { resource: readItem } = await container.item(testItem.id, testItem.pk).read<TestItem>();
+  console.log("Point read:");
+  console.log(JSON.stringify(readItem, null, 2));
+
+  logStep("Querying for items in the partition");
+  // Query items
+  const querySpec = {
+    query: "SELECT * FROM c WHERE c.pk = @partitionKey",
+    parameters: [
+      {
+        name: "@partitionKey",
+        value: testItem.pk,
+      },
+    ],
+  };
+
+  const { resources: items } = await container.items.query<TestItem>(querySpec).fetchAll();
+  console.log(`Found ${items.length} items in partition '${testItem.pk}':`);
+  items.forEach((item) => {
+    console.log(`- ${item.id}: ${item.name}`);
+  });
+
+  logStep("Sample completed successfully");
+  await finish();
+}
+
+run().catch(handleError);
diff --git a/sdk/cosmosdb/cosmos/src/ClientContext.ts b/sdk/cosmosdb/cosmos/src/ClientContext.ts
@@ -46,6 +46,11 @@ import { getUserAgent } from "./common/platform.js";
 import type { GlobalPartitionEndpointManager } from "./globalPartitionEndpointManager.js";
 import type { RetryOptions } from "./retry/retryOptions.js";
 import { PartitionKeyRangeCache } from "./routing/partitionKeyRangeCache.js";
+import {
+  AAD_DEFAULT_SCOPE,
+  AAD_AUTH_PREFIX,
+  AAD_RESOURCE_NOT_FOUND_ERROR,
+} from "./common/constants.js";
 
 const logger: AzureLogger = createClientLogger("ClientContext");
 
@@ -83,17 +88,43 @@ export class ClientContext {
     if (cosmosClientOptions.aadCredentials) {
       this.pipeline = createEmptyPipeline();
       const hrefEndpoint = sanitizeEndpoint(cosmosClientOptions.endpoint);
-      const scope = `${hrefEndpoint}/.default`;
+
+      // Use custom AAD scope if provided, otherwise use account-based scope
+      const accountScope = `${hrefEndpoint}/.default`;
+      const primaryScope = cosmosClientOptions.aadScope || accountScope;
+      const fallbackScope = AAD_DEFAULT_SCOPE;
+
       this.pipeline.addPolicy(
         bearerTokenAuthenticationPolicy({
           credential: cosmosClientOptions.aadCredentials,
-          scopes: scope,
+          scopes: primaryScope,
           challengeCallbacks: {
             async authorizeRequest({ request, getAccessToken }) {
-              const tokenResponse = await getAccessToken([scope], {});
-              const AUTH_PREFIX = `type=aad&ver=1.0&sig=`;
-              const authorizationToken = `${AUTH_PREFIX}${tokenResponse.token}`;
-              request.headers.set("Authorization", authorizationToken);
+              try {
+                const tokenResponse = await getAccessToken([primaryScope], {});
+
+                const authorizationToken = `${AAD_AUTH_PREFIX}${tokenResponse.token}`;
+                request.headers.set(Constants.HttpHeaders.Authorization, authorizationToken);
+              } catch (error: any) {
+                // If no custom scope is provided and we get AADSTS500011 error,
+                // fallback to the default Cosmos scope
+                if (
+                  !cosmosClientOptions.aadScope &&
+                  error?.message?.includes(AAD_RESOURCE_NOT_FOUND_ERROR)
+                ) {
+                  try {
+                    const fallbackTokenResponse = await getAccessToken([fallbackScope], {});
+                    const authorizationToken = `${AAD_AUTH_PREFIX}${fallbackTokenResponse.token}`;
+                    request.headers.set(Constants.HttpHeaders.Authorization, authorizationToken);
+                  } catch (fallbackError) {
+                    // If fallback also fails, throw the original error
+                    throw error;
+                  }
+                } else {
+                  // If custom scope is provided or error is not AADSTS500011, throw the original error
+                  throw error;
+                }
+              }
             },
           },
         }),
diff --git a/sdk/cosmosdb/cosmos/src/CosmosClient.ts b/sdk/cosmosdb/cosmos/src/CosmosClient.ts
@@ -49,6 +49,19 @@ import { GlobalPartitionEndpointManager } from "./globalPartitionEndpointManager
  *   },
  * });
  * ```
+ * @example Instantiate a client with AAD authentication and custom scope
+ * ```ts snippet:CosmosClientWithAADScope
+ * import { DefaultAzureCredential } from "@azure/identity";
+ * import { CosmosClient } from "@azure/cosmos";
+ *
+ * const endpoint = "https://your-account.documents.azure.com";
+ * const aadCredentials = new DefaultAzureCredential();
+ * const client = new CosmosClient({
+ *   endpoint,
+ *   aadCredentials,
+ *   aadScope: "https://cosmos.azure.com/.default", // Optional custom scope
+ * });
+ * ```
  */
 export class CosmosClient {
   /**
@@ -214,6 +227,7 @@ export class CosmosClient {
       diagnosticLevel: optionsOrConnectionString.diagnosticLevel,
       pluginsConfigured: optionsOrConnectionString.plugins !== undefined,
       sDKVersion: Constants.SDKVersion,
+      aadScopeOverride: optionsOrConnectionString.aadScope !== undefined,
     };
   }
 
diff --git a/sdk/cosmosdb/cosmos/src/CosmosClientOptions.ts b/sdk/cosmosdb/cosmos/src/CosmosClientOptions.ts
@@ -38,6 +38,13 @@ export interface CosmosClientOptions {
    * to authenticate requests to Cosmos
    */
   aadCredentials?: TokenCredential;
+  /**
+   * @internal
+   * Optional custom AAD scope to override the default account-based scope for authentication.
+   * If not provided, the default scope will be constructed from the endpoint URL.
+   * When provided, no fallback mechanism will be applied if authentication fails.
+   */
+  aadScope?: string;
   /** An array of {@link Permission} objects. */
   permissionFeed?: PermissionDefinition[];
   /** An instance of {@link ConnectionPolicy} class.
diff --git a/sdk/cosmosdb/cosmos/src/CosmosDiagnostics.ts b/sdk/cosmosdb/cosmos/src/CosmosDiagnostics.ts
@@ -97,6 +97,10 @@ export type ClientConfigDiagnostic = {
    * SDK version
    */
   sDKVersion: string;
+  /**
+   * True if `aadScope` were supplied during client initialization.
+   */
+  aadScopeOverride?: boolean;
 };
 
 /**
diff --git a/sdk/cosmosdb/cosmos/src/common/constants.ts b/sdk/cosmosdb/cosmos/src/common/constants.ts
@@ -306,6 +306,10 @@ export const Constants = {
   RequestTimeoutForReadsInMs: 2000, // 2 seconds
 };
 
+export const AAD_DEFAULT_SCOPE = "https://cosmos.azure.com/.default";
+export const AAD_AUTH_PREFIX = "type=aad&ver=1.0&sig=";
+export const AAD_RESOURCE_NOT_FOUND_ERROR = "AADSTS500011";
+
 /**
  * @hidden
  */
diff --git a/sdk/cosmosdb/cosmos/test/internal/unit/aadScopeOverride.spec.ts b/sdk/cosmosdb/cosmos/test/internal/unit/aadScopeOverride.spec.ts
diff --git a/sdk/cosmosdb/cosmos/test/snippets.spec.ts b/sdk/cosmosdb/cosmos/test/snippets.spec.ts
