Eliminate Dependency on Key-based Authentication in Azure Cognitive Search with RBAC and Azure AD
Published May 16 2023 05:00 AM 3,577 Views

We are excited to announce that Azure Cognitive Search now offers support for role-based access control (RBAC) and Azure Active Directory (Azure AD) authentication for data plane operations, which are now generally available. These features allow Developers to secure their search indexes and queries with RBAC, thereby controlling access to data plane operations such as creating, loading, and querying indexes. This eliminates the need for key-based authentication, making the process more secure.


Importance of securing Cognitive Search indexes and queries with Azure RBAC

  • Azure role-based access control (RBAC) offers a secure approach to managing access to indexes and queries. Developers will be able to define what actions a user can perform over them, limiting access to only those who need it, reducing the risk of unauthorized access. In contrast, when using key-based authentication, developers need to provide full admin access to the entire service or query-only access to an index, with no way to prevent the key from being misused or abused.
  • With Azure AD, credentials don’t need to be stored in code, providing improved integration with other Azure security features such as managed identities. For more information on the benefits of incorporating Azure AD into applications, refer to the article Integrating with Azure Active Directory.
  • Provide access to a single index or other Cognitive Search resource (i.e., indexer, skillset, data source, etc.) - rather than giving access to the entire search service. This is especially useful in multi-tenant scenarios.


Use built-in roles or define custom roles

Using built-in roles or defining custom roles is possible for supporting common data plane operations scenarios. There are three built-in roles:

For more customized roles, Developers can define custom roles for administrators or applications.


Ready to get started?

Get started today by configuring role-based access control for data plane operations from the Azure portal. Select the “API access control” option “Both” for flexibility or if there is a requirement for application migration.




Follow up the additional instructions in the official documentation link to assign the respective roles, to have them tested and for more information.

Version history
Last update:
‎May 15 2023 02:36 PM
Updated by: