Cosmos SDK receives 401 failures when using Entra ID for auth with Regional Database Account Endpoint #4931

Open
ekuhlmann23 opened this issue Dec 16, 2024 · 1 comment
Labels
customer-reported Issue created by a customer needs-investigation


@ekuhlmann23

We are continuously addressing and improving the SDK; if possible, make sure the problem persists in the latest SDK version.

Describe the bug

Cosmos DB SDK receives a 401 Unauthorized status code with 5008 sub-status code when CosmosClient is initialized using a TokenCredential (used for Entra ID auth) and the regional database account endpoint.

To Reproduce

```csharp
using Azure.Identity;
using Microsoft.Azure.Cosmos;

var cosmosClient = new CosmosClient("https://{REGIONAL_DATABASE_ACCOUNT}.documents.azure.com:443/", new InteractiveBrowserCredential());
var database = cosmosClient.GetDatabase("myDb1");
```

Expected behavior

Assuming that the user has been assigned the correct permissions, after completing the login pop-up, we expect a 404 Not Found to be returned, since the database does not exist on the database account, or 200 if it was created already.

Actual behavior

A 401 Unauthorized status code with 5008 sub-status code is received.

Environment summary

SDK Version: 3.46.0
OS Version: Windows

Additional context

For complete stack trace for my account, check Activity ID: 92460b89-3a58-462d-a668-8329d1d2b59c (from Dec. 16th, 2024).

@aavasthy
Contributor

@ekuhlmann23 I couldn't repro the issue when following the steps below. Please let me know if you are doing anything different.

  • Created an account and enabled AAD on it using `az resource update --resource-group "resourcegroupname" --name "accountname" --resource-type "Microsoft.DocumentDB/databaseAccounts" --set properties.disableLocalAuth=true`
  • Then using console app and dotnet sdk 3.46.0, I tried to access the account and I got 403.
  • Then gave read and write access to the principal id for accessing the account.
  • Tried accessing the account again and got 200 response back.
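
A console probe for the outcomes compared in this thread (401 with a sub-status, 403, 404, 200), added here as an example and not code from the reporter or the SDK team. `COSMOS_ENDPOINT` is an assumed environment variable name for the endpoint under test; because `GetDatabase` only returns a proxy reference, the probe calls `ReadAsync` to send a request and prints the sub-status code and activity ID on failure.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Azure.Cosmos;

public static class EntraAuthProbe
{
    public static async Task<int> Main()
    {
        // Assumption: COSMOS_ENDPOINT holds the account endpoint to test,
        // e.g. the global endpoint on one run and the regional one on the next.
        string endpoint = Environment.GetEnvironmentVariable("COSMOS_ENDPOINT")
            ?? throw new InvalidOperationException("Set COSMOS_ENDPOINT first.");

        using var client = new CosmosClient(endpoint, new InteractiveBrowserCredential());
        Database database = client.GetDatabase("myDb1"); // proxy only, no request yet

        try
        {
            // First real request: acquires the Entra ID token and reads the database.
            DatabaseResponse response = await database.ReadAsync();
            Console.WriteLine($"{(int)response.StatusCode}: token accepted, database exists.");
            return 0;
        }
        catch (CosmosException ex)
        {
            string meaning = ex.StatusCode switch
            {
                HttpStatusCode.NotFound => "token accepted, database does not exist",
                HttpStatusCode.Forbidden => "token accepted, principal lacks access",
                HttpStatusCode.Unauthorized => "token rejected by the endpoint",
                _ => "unexpected status"
            };
            Console.WriteLine($"{(int)ex.StatusCode}/{ex.SubStatusCode}: {meaning}");
            Console.WriteLine($"Endpoint:    {endpoint}");
            Console.WriteLine($"Activity ID: {ex.ActivityId}");
            // Diagnostics lists the endpoints and regions the SDK contacted.
            Console.WriteLine(ex.Diagnostics);
            return ex.StatusCode == HttpStatusCode.NotFound ? 0 : 1;
        }
    }
}
```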
