Share via

Azure Container Apps and Azure Container Registry - Unauthorized when pulling image

Dominik 0 Reputation points
2026-02-04T14:16:11.4033333+00:00

I want to deploy a Container App which pulls an image from a Container Registry. Unfortunately, i get an UNAUTHORIZED error when using a system or user assigned managed identity.

The deployment works when I use the secrets from the ACR (no managed identity).

However, when I try a system-assigned managed identity (SAMI) as described here:
https://learn.microsoft.com/en-us/azure/container-apps/managed-identity-image-pull?tabs=bash&pivots=console#system-assigned-managed-id
I get this error: 

.Failed to provision revision for container app 'todoapp-containerapp-client'. Error details: The following field(s) are either invalid or missing. Field 'template.containers.todoapp-containerapp-client.image' is invalid with details: 'Invalid value: "todoappacr1234.azurecr.io/todoappblazor-client": GET https:: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.; [map[Action:pull Name:todoappblazor-client Type:repository]]';..

To make sure, I tried the same "by hand" by exectuing the steps:

  • Create managed environemnt with SAMI
  • Give roles "AcrPull" and "Container Registry Repository Contributor" to SAMI
  • Create app with
az containerapp create `
    --name <APPNAME> `
    --resource-group <GROUPNAME>`
    --environment <APPENVNAME> `
    --image "<ACR_SERVER>/<REGISTRYNAME>:latest" `
    --target-port 80 `
    --ingress external

I get the same error as above.

Anyone have an idea why?

Azure Container Apps
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Praveen Kumar Gudipudi 1,680 Reputation points Microsoft External Staff Moderator
    2026-02-04T15:48:47.88+00:00

    Hello Dominik,

    The "UNAUTHORIZED" error when using system- or user-assigned managed identities to pull images from ACR fundamentally indicates that the identity does not have the required token-based permissions or cannot reach the registry endpoint. Correcting this typically involves:

    1. Assigning the AcrPull role to the MI at the registry scope.
    2. Avoiding MI conflicts in Windows App Service deployments.
    3. Accounting for role propagation latency and using DOCKER_SKIP_IMAGE_VALIDATION if necessary.
    4. Confirming network connectivity for private endpoints.
    • Built-in Azure roles granting this include:
      • AcrPull (most specific)
      • Owner or Contributor (broader roles)
      • Reader + AcrPull (custom combination)

    Can't pull images from Azure Container Registry to Azure Web App

    Please check above steps and let me know with an update.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.