Disable ACR admin user

Security · Container Registry · 2020_06

Use Azure AD identities instead of using the registry admin user.

Description

Azure Container Registry (ACR) includes a built-in admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries.

Instead use role-based access control (RBAC). RBAC can be used to delegate registry permissions to an Azure AD (AAD) identity.

Recommendation

Consider disabling the admin user account and only use identity-based authentication for registry operations.

Examples

Configure with Azure template

To deploy Container Registries that pass this rule:

• Set properties.adminUserEnabled to false.

For example:

Azure Template snippet

{
    "type": "Microsoft.ContainerRegistry/registries",
    "apiVersion": "2021-06-01-preview",
    "name": "[parameters('registryName')]",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Premium"
    },
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "adminUserEnabled": false,
        "policies": {
            "quarantinePolicy": {
                "status": "enabled"
            },
            "trustPolicy": {
                "status": "enabled",
                "type": "Notary"
            },
            "retentionPolicy": {
                "status": "enabled",
                "days": 30
            }
        }
    }
}

Configure with Bicep

To deploy Container Registries that pass this rule:

• Set properties.adminUserEnabled to false.

For example:

Azure Bicep snippet

resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        status: 'enabled'
        days: 30
      }
    }
  }
}

Configure with Azure CLI

Azure CLI snippet

az acr update --admin-enabled false -n '<name>' -g '<resource_group>'

Configure with Azure PowerShell

Azure PowerShell snippet

Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser

Links

• Use identity-based authentication
• Authenticate with a private Docker container registry
• Best practices for Azure Container Registry
• Use an Azure managed identity to authenticate to an Azure container registry
• Azure Container Registry roles and permissions
• What is Azure role-based access control (Azure RBAC)?
• Azure deployment reference

---

Last update: 2022-10-17

Comments