Overview
The ACR admin user is a single built-in account whose username and password are shared by everyone who uses it and grant push and pull access to every repository in the registry. It should normally be disabled in favor of Microsoft Entra ID identities, managed identities, and Azure RBAC roles such as AcrPull and AcrPush.
Why this matters
A shared credential cannot be rotated without coordinating every consumer, cannot be scoped to a repository or an action, and makes every push and pull appear under the same account in audit logs, so misuse or compromise cannot be traced to a specific person or workload.
Remediation guidance
Azure Remediation
Service-wide fix (recommended): disable the ACR admin user by policy and make Entra ID or managed identity authentication the default registry access pattern.
When to use service-wide remediation
Use the service-wide path when many registries are affected or when teams still rely on shared registry credentials.
Azure portal
- Open the affected Container Registry.
- Go to Access keys.
- Confirm that workloads authenticate with Entra ID, AcrPull/AcrPush, or repository-scoped permissions before removing the shared credential path.
- Set Admin user to Disabled.
Azure CLI
Disable the admin user:
az acr update \
--name <acr-name> \
--resource-group <resource-group> \
--admin-enabled false
Validate the setting (the output should be false):
az acr show \
--name <acr-name> \
--resource-group <resource-group> \
--query adminUserEnabled
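The two commands above remediate a single registry. The following is an added example, not code from this page or from Azure's own tooling, of the service-wide sweep: list every registry, select those with the admin user enabled (the same adminUserEnabled: true predicate the stored check in the Query logic section uses), disable it, and re-read the setting to confirm. It assumes the JSON shapes of `az acr list -o json` (fields `name`, `resourceGroup`, `adminUserEnabled`) and `az acr show --query adminUserEnabled -o json` (a bare JSON boolean); the registry names and resource groups in the sample data are constructed, and `make_fake_runner` is a stand-in for the Azure CLI so the script runs offline.

```python
"""Service-wide sweep: find every registry with the admin user enabled,
disable it, and re-read the setting to confirm.

Assumes the JSON shapes of `az acr list -o json` (fields `name`,
`resourceGroup`, `adminUserEnabled`) and `az acr show --query
adminUserEnabled -o json` (a bare JSON boolean). The real Azure CLI is
only invoked through run_az; the fake runner below stands in for it.
"""
import json
import shlex
import subprocess
from typing import Any, Callable

Runner = Callable[[list[str]], str]


def registries_with_admin_enabled(acr_list: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Same predicate as the stored check: the compliant result is the empty list."""
    return [
        (r["name"], r["resourceGroup"])
        for r in acr_list
        if r.get("adminUserEnabled") is True
    ]


def check_passes(acr_list: list[dict[str, Any]]) -> bool:
    """True when no registry still has the shared admin credential enabled."""
    return registries_with_admin_enabled(acr_list) == []


def disable_command(name: str, rg: str) -> list[str]:
    return ["az", "acr", "update", "--name", name,
            "--resource-group", rg, "--admin-enabled", "false"]


def verify_command(name: str, rg: str) -> list[str]:
    return ["az", "acr", "show", "--name", name, "--resource-group", rg,
            "--query", "adminUserEnabled", "-o", "json"]


def run_az(cmd: list[str]) -> str:
    """Default runner: execute the Azure CLI and return its stdout."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def sweep(dry_run: bool = True, runner: Runner = run_az) -> list[tuple[str, str]]:
    """Disable the admin user on every offending registry and verify each one.

    Returns the registries that were (or, in dry-run mode, would be) changed.
    Raises if a registry still reports adminUserEnabled=true after the update.
    """
    acr_list = json.loads(runner(["az", "acr", "list", "-o", "json"]))
    offenders = registries_with_admin_enabled(acr_list)
    for name, rg in offenders:
        cmd = disable_command(name, rg)
        if dry_run:
            print("would run:", shlex.join(cmd))
            continue
        runner(cmd)
        still_enabled = json.loads(runner(verify_command(name, rg)))
        if still_enabled is not False:
            raise RuntimeError(f"{name}: adminUserEnabled still {still_enabled!r} after update")
    return offenders


# Constructed sample in the shape of `az acr list -o json`; not real registries.
SAMPLE_ACR_LIST = [
    {"name": "acrpayments", "resourceGroup": "rg-prod", "adminUserEnabled": True},
    {"name": "acrshared", "resourceGroup": "rg-platform", "adminUserEnabled": False},
]


def make_fake_runner(acr_list: list[dict[str, Any]]) -> Runner:
    """Simulate the three az calls used above against an in-memory copy of acr_list."""
    state = {r["name"]: dict(r) for r in acr_list}

    def fake(cmd: list[str]) -> str:
        if cmd[1:3] == ["acr", "list"]:
            return json.dumps(list(state.values()))
        name = cmd[cmd.index("--name") + 1]
        if cmd[1:3] == ["acr", "update"]:
            state[name]["adminUserEnabled"] = cmd[cmd.index("--admin-enabled") + 1] == "true"
            return json.dumps(state[name])
        if cmd[1:3] == ["acr", "show"]:
            return json.dumps(state[name]["adminUserEnabled"])
        raise ValueError(f"unexpected command: {shlex.join(cmd)}")

    return fake


if __name__ == "__main__":
    # Swap make_fake_runner(...) for run_az to act on the signed-in subscription;
    # keep dry_run=True first to review the commands it would issue.
    changed = sweep(dry_run=False, runner=make_fake_runner(SAMPLE_ACR_LIST))
    print("disabled admin user on:", changed)
```

Run it with `dry_run=True` against `run_az` first: it prints the exact `az acr update` commands it would issue, which is the list of registries to cross-check against the scripts and CI jobs in the operational notes before anything is changed.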
Operational notes
- Before disabling the admin user, find every script, CI job, or third-party tool that still logs in to the registry with the shared username and password, and move it to an identity-based credential first.
- Prefer managed identities for Azure-hosted workloads, and Entra ID plus Azure RBAC for users and for automation that runs outside Azure.
References
- https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication
Query logic
These are the stored checks tied to this control.
Check: Container registries with admin user enabled
Connectors: Microsoft Azure
Covered asset types: containerRegistries
Expected check: eq [] (the control passes only when the query returns no assets)
Query:
{ containerRegistries(where: { adminUserEnabled: true }) { ...AssetFragment } }