documentdb-security
Security — Azure DocumentDB
Core controls: TLS on the wire, network isolation with Private Endpoint, Microsoft Entra ID for identity, and CMK for data-at-rest encryption on regulated workloads.
Rules
- security-tls-required — Always connect with TLS; never disable certificate validation in production.
- security-private-endpoint — Use Private Endpoint / firewall rules; disable public network access where possible.
- security-entra-rbac — Prefer Microsoft Entra ID + RBAC over long-lived passwords; create per-app secondary users with least privilege.
- security-cmk-encryption — Use customer-managed keys (CMK) for data-at-rest encryption on regulated workloads.
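A pre-deployment check for the security-tls-required rule, with a warning tied to security-entra-rbac, is shown here as an added example that is not part of the original skill. It assumes the application connects with a MongoDB-style connection URI and relies on the standard MongoDB URI options `tls`, `ssl`, `tlsInsecure`, `tlsAllowInvalidCertificates` and `tlsAllowInvalidHostnames`; the function name, finding codes, hosts and credentials are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Standard MongoDB URI options that weaken or disable certificate checks.
WEAKENING = ("tlsinsecure", "tlsallowinvalidcertificates",
             "tlsallowinvalidhostnames")


def audit_uri(uri):
    """Return a sorted list of finding codes for one connection string.

    audit_uri and its finding codes are hypothetical names for this example.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        return ["not-a-mongodb-uri"]
    # Option names are case-insensitive; keep the last value if repeated.
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}
    findings = []
    # mongodb+srv enables TLS by default; plain mongodb does not.
    default_tls = "true" if parts.scheme == "mongodb+srv" else "false"
    if opts.get("tls", opts.get("ssl", default_tls)) != "true":
        findings.append("tls-disabled")
    for name in WEAKENING:
        if opts.get(name) == "true":
            findings.append("cert-validation-weakened:" + name)
    # A password in the URI is a long-lived secret (see security-entra-rbac).
    if parts.password:
        findings.append("password-in-uri")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample URIs; the hosts and credentials are not real.
    samples = [
        "mongodb+srv://app@cluster.example.invalid/?tls=true",
        "mongodb://app:s3cret@cluster.example.invalid/"
        "?tls=true&tlsAllowInvalidCertificates=true",
        "mongodb://app@cluster.example.invalid/appdb",
    ]
    for s in samples:
        print(audit_uri(s) or ["ok"], s.split("@")[-1])
```
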