Azure Function Call Services On Behalf Of User
It’s pretty complex, unfortunately; you’d need to have a new OAuth2 access token scoped to the cosmosdb resource to be able to access it.
Please check OAuth2 On-Behalf-Of flow:
learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
When I used it 2 years ago, there was no SDK support for this flow; I simply used an HTTP request against login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
In your case, you would also have to add the cosmos.azure.com/user_impersonation delegated API permission to your app registration, and users will be asked for consent when they try to access your API.
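The token request described above, as an added example that is not part of the original post: it builds the On-Behalf-Of POST for the token endpoint without sending it, and refuses to exchange a token that was not issued for this API. The function names are hypothetical; writing the scope with an `https://` prefix and accepting the default `api://{client_id}` App ID URI as audience are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Assumption: the page's delegated permission written as a full scope URI.
COSMOS_SCOPE = "https://cosmos.azure.com/user_impersonation"


def token_audience(jwt):
    """Read the 'aud' claim. The signature is NOT checked here; the API's
    auth middleware is assumed to have validated the token already."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def build_obo_request(tenant_id, client_id, client_secret, user_token):
    """Build (without sending) the POST that swaps the caller's token for a
    Cosmos DB token issued on behalf of the same user."""
    # Only exchange tokens that were issued for this API.
    aud = token_audience(user_token)
    if aud not in (client_id, "api://" + client_id):
        raise ValueError("incoming token audience is not this API: %r" % aud)
    form = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_token,  # the token the user sent to this API
        "scope": COSMOS_SCOPE,
        "requested_token_use": "on_behalf_of",
    }
    url = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenant_id
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def read_token_response(body):
    """Return the access token, or raise with the OAuth error code."""
    doc = json.loads(body)
    if "access_token" in doc:
        return doc["access_token"]
    raise PermissionError(doc.get("error", "unknown_error"))
```

Pass the returned request to `urllib.request.urlopen` to perform the exchange, and keep the client secret out of source code and logs.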