Ensure Azure Container Registry public network access is disabled

Azure Remediation

Service-wide fix (recommended): use Premium registries with Private Link, disable public access, and only keep trusted-service bypass enabled when there is a documented business need.

When to use service-wide remediation

Use the service-wide path when many registries are internet reachable or when teams still depend on public endpoints.

Azure portal

1. Open the affected Container Registry.
2. Go to Networking.
3. On Public access, set Public network access to Disabled.
4. Create or verify a Private endpoint for every network that must reach the registry.
5. If the finding is caused by the trusted-services bypass, clear Allow trusted Microsoft services to access this container registry unless you explicitly need it.

Azure CLI

Disable public network access:

az acr update \
  --name <acr-name> \
  --resource-group <resource-group> \
  --public-network-enabled false

Disable trusted-services bypass if it is not required:

az acr update \
  --name <acr-name> \
  --resource-group <resource-group> \
  --allow-trusted-services false

Validate the network settings:

az acr show \
  --name <acr-name> \
  --resource-group <resource-group> \
  --query '{publicNetworkAccess:publicNetworkAccess,networkRuleBypassOptions:networkRuleBypassOptions}'

Operational notes

• Private Link requires the Premium SKU.
• If you disable public access, az acr build and some Azure DevOps scenarios can break unless you use a supported private connectivity design or self-hosted agents.
• If Microsoft Defender for Cloud or another trusted service still needs access, document that exception instead of leaving bypass broadly enabled by default.

References

• https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link
• https://learn.microsoft.com/en-us/azure/container-registry/allow-access-trusted-services