
Disable ACR admin user

Security · Container Registry · Rule · 2020_06 · Critical

Use Entra ID identities instead of using the registry admin user.

Description

Azure Container Registry (ACR) includes a built-in local admin user account. The admin user account is a single account with administrative access to the registry. It provides single-user access for early testing and development and is not intended for use with production container registries.

Instead of using the admin user account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits including:

  • Strong account protection controls with conditional access, identity governance, and privileged identity management.
  • Auditing and reporting of account activity.
  • Granular access control with role-based access control (RBAC).
  • Separation of account types for users and applications.

Recommendation

Consider disabling the admin user account and using only identity-based authentication for registry operations.

Examples

Configure with Azure template

To deploy registries that pass this rule:

  • Set properties.adminUserEnabled to false.

For example:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      }
    }
  }
}

Configure with Bicep

To deploy registries that pass this rule:

  • Set properties.adminUserEnabled to false.

For example:

Azure Bicep snippet
resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
    }
  }
}

Configure with Azure CLI

To configure registries that pass this rule:

Azure CLI snippet
az acr update -n '<name>' -g '<resource_group>' --admin-enabled false

Configure with Azure PowerShell

To configure registries that pass this rule:

Azure PowerShell snippet
Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser
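The template, Bicep and CLI sections above all come down to one setting: properties.adminUserEnabled must be false. The following script is an added example, not code from the PSRule for Azure project, that audits registry resources for that setting before deployment (or over exported resource JSON) and lists the ones that would fail this rule. It assumes that an omitted adminUserEnabled defaults to false, and that the flattened object shape returned by az acr show or az acr list carries the setting at the top level rather than under properties; the sample template and resource names (acr-dev, acr-prod, and so on) are constructed for the example.

```python
"""Audit ACR resources for an enabled admin user.

Added example, not part of the PSRule for Azure page or project.
"""
import json
from typing import Any, Dict, Iterable, List

ACR_TYPE = "Microsoft.ContainerRegistry/registries"

# Assumption: when adminUserEnabled is omitted, the resource provider
# defaults it to false, so a missing value is treated as compliant.
DEFAULT_ADMIN_USER_ENABLED = False


def admin_user_enabled(resource: Dict[str, Any]) -> bool:
    """Return the effective adminUserEnabled value for one registry resource.

    Handles two shapes: an ARM template resource with a nested ``properties``
    object, and (assumed) the flattened object returned by ``az acr show`` /
    ``az acr list``, where the setting sits at the top level.
    """
    props = resource.get("properties") or {}
    if "adminUserEnabled" in props:
        value = props["adminUserEnabled"]
    else:
        value = resource.get("adminUserEnabled", DEFAULT_ADMIN_USER_ENABLED)
    # Template authors sometimes quote the value; interpret "true"/"false"
    # literally rather than treating any non-empty string as truthy.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def find_failing_registries(resources: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the names of ACR resources that still have the admin user enabled."""
    failing: List[str] = []
    for resource in resources:
        # Only registries are in scope; other resource types are skipped.
        if resource.get("type", "").lower() != ACR_TYPE.lower():
            continue
        if admin_user_enabled(resource):
            failing.append(resource.get("name", "<unnamed>"))
    return failing


# Constructed sample template: a mix of passing and failing registries,
# a quoted boolean, an omitted value, and an unrelated resource type.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    { "type": "Microsoft.ContainerRegistry/registries", "name": "acr-dev",
      "properties": { "adminUserEnabled": true } },
    { "type": "Microsoft.ContainerRegistry/registries", "name": "acr-prod",
      "properties": { "adminUserEnabled": false } },
    { "type": "Microsoft.ContainerRegistry/registries", "name": "acr-legacy",
      "properties": { "adminUserEnabled": "true" } },
    { "type": "Microsoft.ContainerRegistry/registries", "name": "acr-default",
      "properties": { } },
    { "type": "Microsoft.Storage/storageAccounts", "name": "stg",
      "properties": { "adminUserEnabled": true } }
  ]
}
""")


if __name__ == "__main__":
    for name in find_failing_registries(SAMPLE_TEMPLATE["resources"]):
        print(f"FAIL Azure.ACR.AdminUser: {name} has the admin user enabled")
```

Run it as-is to see the two constructed registries that fail (acr-dev and acr-legacy); to check real resources, feed the output of az acr list -o json to find_failing_registries, or load your own template's resources array in place of the constructed sample.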

Configure with Azure Policy

To address this issue at runtime, use the following policies:
