Skip to content

Disable ACR admin user#

Security · Container Registry · Azure.ACR.AdminUser

Use Azure AD identities instead of using the registry admin user.

Description#

Azure Container Registry (ACR) includes a built-in admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries.

Instead use role-based access control (RBAC). RBAC can be used to delegate registry permissions to an Azure AD (AAD) identity.

Recommendation#

Consider disabling the admin user account and only using AAD-based identities for registry operations.

Examples#

Configure with Azure CLI#

az acr update --admin-enabled false -n '<name>' -g '<resource_group>'

Configure with Azure PowerShell#

Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser

Last update: 2021-09-24