# Disable ACR admin user
Security · Container Registry · 2020_06
Use Azure AD identities instead of using the registry admin user.
## Description
Azure Container Registry (ACR) includes a built-in admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries.
Instead, use role-based access control (RBAC). RBAC delegates registry permissions to an Azure AD (AAD) identity, so access can be scoped per user or workload and revoked centrally.
## Recommendation

Consider disabling the admin user account and using only identity-based authentication for registry operations.
## Examples

### Configure with Azure template

To deploy Container Registries that pass this rule:

- Set `properties.adminUserEnabled` to `false`.

For example:
```json
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-01-01-preview",
  "name": "[parameters('registryName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      }
    }
  }
}
```
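The rule this page describes can be applied to an ARM template before deployment. The script below is an added example, not PSRule for Azure's own implementation: it walks the `resources` array (including nested child resources), picks out `Microsoft.ContainerRegistry/registries` resources, and reports each one as passing or failing on the value of `properties.adminUserEnabled`. The sample template and its resource names are constructed for this example; treating an absent property as "admin user disabled" (the ACR default) and reporting an unresolved ARM expression such as `[parameters('x')]` as `unknown` are assumptions of this example, not behaviour the page states.

```python
"""Check ARM template resources for the ACR admin user setting.

Added example, not PSRule for Azure's own code. It applies the check on this
page (registries must have properties.adminUserEnabled set to false) to an
ARM template document.
"""
import json

ACR_TYPE = "Microsoft.ContainerRegistry/registries"

# Constructed sample template: one failing registry, one passing registry,
# and one unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": ACR_TYPE,
            "apiVersion": "2023-01-01-preview",
            "name": "devregistry",
            "location": "eastus",
            "sku": {"name": "Basic"},
            "properties": {"adminUserEnabled": True},
        },
        {
            "type": ACR_TYPE,
            "apiVersion": "2023-01-01-preview",
            "name": "prodregistry",
            "location": "eastus",
            "sku": {"name": "Premium"},
            "identity": {"type": "SystemAssigned"},
            "properties": {"adminUserEnabled": False},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "unrelatedstorage",
            "location": "eastus",
        },
    ],
})


def iter_resources(resources):
    """Yield every resource, descending into nested child resources."""
    for res in resources:
        yield res
        yield from iter_resources(res.get("resources", []))


def admin_user_enabled(resource):
    """Return the effective adminUserEnabled value for a registry resource.

    Assumption: an absent property means the platform default (admin user
    disabled), so False is returned. A non-boolean value such as the ARM
    expression "[parameters('x')]" cannot be evaluated statically; None is
    returned so the caller can report it rather than guess.
    """
    value = resource.get("properties", {}).get("adminUserEnabled", False)
    if isinstance(value, bool):
        return value
    return None


def check_acr_admin_user(template_text):
    """Return {resource name: "pass" | "fail" | "unknown"} for each registry.

    ARM resource types are case-insensitive, so the type match ignores case.
    """
    template = json.loads(template_text)
    results = {}
    for res in iter_resources(template.get("resources", [])):
        if res.get("type", "").lower() != ACR_TYPE.lower():
            continue
        enabled = admin_user_enabled(res)
        if enabled is None:
            results[res["name"]] = "unknown"
        else:
            results[res["name"]] = "fail" if enabled else "pass"
    return results


if __name__ == "__main__":
    for name, result in check_acr_admin_user(SAMPLE_TEMPLATE).items():
        print(f"{name}: {result}")
```

Running the script against the constructed template reports `devregistry: fail` and `prodregistry: pass`; the storage account is skipped. An `unknown` result means the value comes from a parameter and has to be checked against the parameter file or the deployed resource instead.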
### Configure with Bicep

To deploy Container Registries that pass this rule:

- Set `properties.adminUserEnabled` to `false`.

For example:
```bicep
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
    }
  }
}
```
### Configure with Azure CLI

### Configure with Azure PowerShell

```powershell
Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser
```
## Links
- Use identity-based authentication
- Authenticate with a private Docker container registry
- Best practices for Azure Container Registry
- Use an Azure managed identity to authenticate to an Azure container registry
- Azure Container Registry roles and permissions
- What is Azure role-based access control (Azure RBAC)?
- IM-1: Use centralized identity and authentication system
- IM-3: Manage application identities securely and automatically
- PA-1: Separate and limit highly privileged/administrative users
- Azure Policy Regulatory Compliance controls for Azure Container Registry
- Azure deployment reference