
Azure Container Registry (ACR)

The Azure Container Registry (ACR) integration lets your product fetch container repositories and list the container images, tags, and metadata stored in ACR. This integration is commonly used for vulnerability scanning, container inventory, and image compliance across Azure workloads.

Credentials Needed

To integrate with Azure Container Registry, you'll need credentials from an Azure Active Directory (AAD) App Registration or ACR-specific credentials.

Recommended Method (AAD App Registration):

  • Tenant ID (Directory ID)
  • Client ID (Application ID)
  • Client Secret
  • Subscription ID

Alternative Method (Admin User Authentication):

  • ACR Login Server (e.g., myregistry.azurecr.io)
  • ACR Username
  • ACR Password (Access Key)

The AAD App Registration method is more secure and recommended for production integrations.

Permissions Needed

The integration requires read-only permissions to list repositories, images, and metadata.

1. Role Assignment (Azure RBAC Roles)

Assign one of the following roles to the App Registration or Service Principal:

| Role | Description |
|------|-------------|
| AcrPull | Recommended for read-only access to repositories and image metadata |
| Reader | Optional, allows viewing resource-level metadata in addition to image data |

AcrPull is the minimal and safest role for container registry integrations.

2. API Permissions (App Registration)

| API | Permission | Type | Purpose |
|-----|------------|------|---------|
| Azure Service Management (Azure Resource Manager) | user_impersonation | Delegated | Access registry details and resource metadata |

Creating Users / App Registration in Azure

Step 1: Register an Application

  1. Go to Azure Portal → Azure Active Directory → App registrations → New registration
  2. Enter a name (e.g., ACRIntegrationApp)
  3. Supported account type: "Accounts in this organizational directory only"
  4. Redirect URI: optional; use your platform callback URL if needed
  5. Click Register

After registration, note down:

  • Application (Client) ID
  • Directory (Tenant) ID

Step 2: Create a Client Secret

  1. In the same App Registration, go to Certificates & Secrets → New client secret
  2. Enter a description and choose an expiry period (1 or 2 years)
  3. Copy the Client Secret Value immediately — it will not be visible again later.

Step 3: Assign Role to App

  1. Go to Azure Portal → Container Registries → [Your Registry Name] → Access Control (IAM)
  2. Click Add role assignment
  3. Select the AcrPull or Reader role
  4. Under Members, select User, group, or service principal → Choose your registered app (ACRIntegrationApp)
  5. Save the assignment.

Alternative: Use ACR Admin Credentials

  1. Go to Azure Portal → Container Registries → [Your Registry Name] → Access Keys
  2. Enable Admin user if not already enabled
  3. Copy the Username and Password provided (or regenerate as needed)
  4. Use these credentials directly for basic authentication.

Test Connectivity

You can test the connection using either the Azure CLI or Docker CLI.

Using Azure CLI

# Login using service principal credentials
az login --service-principal \
--username <CLIENT_ID> \
--password <CLIENT_SECRET> \
--tenant <TENANT_ID>

# Set the subscription
az account set --subscription <SUBSCRIPTION_ID>

# List all ACR instances
az acr list --output table

# List repositories in the target registry
az acr repository list --name <ACR_NAME> --output table

# List image tags in a repository
az acr repository show-tags --name <ACR_NAME> --repository <REPOSITORY_NAME> --output table

Using Docker CLI

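# Pass the password on stdin (here from the ACR_PASSWORD environment variable)
# so it does not appear in the process list or shell history
printf '%s' "$ACR_PASSWORD" | docker login <ACR_LOGIN_SERVER> -u <ACR_USERNAME> --password-stdin
docker pull <ACR_LOGIN_SERVER>/<REPOSITORY>:<TAG>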

If you successfully retrieve registry and image data, your credentials and permissions are correctly configured.

Save the Results in the Platform and Create Connection

In your product's integration setup, securely store:

  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET
  • AZURE_SUBSCRIPTION_ID
  • (Optional) ACR_NAME or ACR_LOGIN_SERVER

Create a new connector labeled Azure Container Registry Integration.

Test the connection by listing repositories and images.

Best Practices

  • Prefer AAD App Registration + AcrPull role for secure, scalable access.
  • Avoid using Admin credentials except for quick testing.
  • Rotate Client Secrets or Access Keys periodically.
  • Store all credentials securely in your encrypted secret manager or Azure Key Vault.
  • Assign roles with the least privilege (e.g., AcrPull only).
  • Limit registry access to required regions or subscriptions.
  • Monitor access via Azure Activity Logs to detect unauthorized use.
  • Enable Azure Policy and Defender for Containers for continuous compliance and threat detection.
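
The least-privilege and admin-credential items above can be checked from Azure CLI output. The following is an added example, not part of the original page or of any product's code: it audits the JSON from `az acr show` and `az role assignment list --assignee <CLIENT_ID> --all` for one registry and one service principal. The function name, sample IDs and finding texts are assumptions made for illustration.

```python
import json

# Roles this page allows for the integration's service principal.
ALLOWED_ROLES = {"AcrPull", "Reader"}

def audit_acr_access(registry_json, assignments_json):
    """Return findings for one registry and one service principal.

    registry_json:    `az acr show --name <ACR_NAME> -o json`
    assignments_json: `az role assignment list --assignee <CLIENT_ID> --all -o json`
    """
    registry = json.loads(registry_json)
    registry_id = registry["id"].lower()
    findings = []

    if registry.get("adminUserEnabled"):
        findings.append("admin user is enabled on the registry")

    covers_registry = False
    for a in json.loads(assignments_json):
        role, scope = a["roleDefinitionName"], a["scope"].lower().rstrip("/")
        # A scope applies if it is the registry itself or a parent (resource group,
        # subscription). Management-group scopes are not handled in this sketch.
        if registry_id != scope and not registry_id.startswith(scope + "/"):
            continue
        covers_registry = True
        if role not in ALLOWED_ROLES:
            findings.append(f"role '{role}' exceeds read-only access (scope {a['scope']})")
        elif scope != registry_id:
            findings.append(f"role '{role}' is assigned above the registry (scope {a['scope']})")
    if not covers_registry:
        findings.append("no role assignment covers this registry")
    return findings

# Constructed sample data (placeholder IDs), shaped like the az CLI JSON output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
REGISTRY_ID = SUB + "/resourceGroups/rg-demo/providers/Microsoft.ContainerRegistry/registries/myregistry"
SAMPLE_REGISTRY = json.dumps({"id": REGISTRY_ID, "adminUserEnabled": True})
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "AcrPull", "scope": REGISTRY_ID},
    {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-demo"},
])

if __name__ == "__main__":
    for finding in audit_acr_access(SAMPLE_REGISTRY, SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```

An empty result means the registry has the admin user disabled and the service principal holds only AcrPull or Reader, scoped to the registry itself.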