Azure Container Registry (ACR) introduces the Conditional Access policy

Azure Container Registry (ACR) gives you the option to create and configure the Conditional Access policy.

The Conditional Access policy is designed to enforce strong authentication. Policy decisions are based on the location, trusted and compliant devices, user-assigned roles, the authorization method, and the client applications. The policy enables security teams to meet the organization's compliance requirements and keep data and user accounts safe.

Learn more about the Conditional Access policy and the conditions it takes into consideration when making policy decisions.

The Conditional Access policy applies after first-factor authentication to the Azure Container Registry is complete. Conditional Access for ACR covers user authentication only. The policy lets you choose the controls, and then blocks or grants access based on the policy decisions.

The following steps will help create a Conditional Access policy for Azure Container Registry (ACR).

  1. Disable authentication-as-arm in ACR - Azure CLI.
  2. Disable authentication-as-arm in the ACR - Azure portal.
  3. Create and configure Conditional Access policy for Azure Container Registry.

Prerequisites

Disable authentication-as-arm in ACR - Azure CLI

Disabling azureADAuthenticationAsArmPolicy forces the registry to accept only ACR audience tokens. You need Azure CLI version 2.40.0 or later; run az --version to find your version.

  1. Run the following command to show the current configuration of the registry's policy for authentication using ARM tokens. If the status is enabled, both ACR and ARM audience tokens can be used for authentication. If the status is disabled, only ACR audience tokens can be used for authentication.

    az acr config authentication-as-arm show -r <registry>
    
  2. Run the following command to update the status of the registry's policy (use --status disabled to allow only ACR audience tokens).

    az acr config authentication-as-arm update -r <registry> --status [enabled/disabled]
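The tutorial later requires authentication-as-arm to be disabled on every registry in the tenant, so a practitioner will usually want to audit all registries rather than one. The following script is an added example, not part of the original page: it lists the registries visible to the signed-in account, reads each registry's status with the show command above, and disables ARM audience tokens where they are still accepted. It assumes that the show command prints JSON with a "status" field whose value is "enabled" or "disabled".

```shell
#!/bin/sh
# Added example, not from the ACR documentation: audit every registry the CLI
# can see and disable ARM audience token authentication where still enabled.
# Assumption: `az acr config authentication-as-arm show` prints JSON such as
# {"status": "enabled"}; a constructed sample is used below to test parsing.

# Pull the value of "status" out of JSON read from stdin (no jq required).
arm_status_from_json() {
    tr -d ' \n\r\t' | sed -n 's/.*"status":"\([A-Za-z]*\)".*/\1/p'
}

# Exit status 0 when the registry still accepts ARM audience tokens, so the
# caller can use it directly in an `if`.
needs_remediation() {
    [ "$1" = "enabled" ]
}

# Map a status to the action to take: "disable" when remediation is needed,
# "skip" when the registry is already disabled or the status is unknown.
plan_action() {
    if needs_remediation "$1"; then echo disable; else echo skip; fi
}

# Live audit over all registries visible to the signed-in account.
# Set DRY_RUN=1 to report without changing anything.
audit_registries() {
    az acr list --query "[].name" -o tsv | while read -r registry; do
        status=$(az acr config authentication-as-arm show -r "$registry" | arm_status_from_json)
        action=$(plan_action "$status")
        echo "$registry: status=${status:-unknown} action=$action"
        if [ "$action" = disable ] && [ "${DRY_RUN:-0}" != 1 ]; then
            az acr config authentication-as-arm update -r "$registry" --status disabled
        fi
    done
}

# Constructed sample shaped like the CLI's JSON output, used to exercise the
# parser offline; run `audit_registries` against a real subscription.
SAMPLE_ENABLED='{
  "status": "enabled"
}'
```

Run with DRY_RUN=1 first to see which registries would be changed before applying the update.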
    

Disable authentication-as-arm in the ACR - Azure portal

Disabling the authentication-as-arm property by assigning a built-in policy automatically disables the registry property for current and future registries created within the policy scope. The possible policy scopes are Resource Group scope or Subscription scope within the tenant.

You can disable authentication-as-arm in the ACR by following these steps:

  1. Sign in to the Azure portal.
  2. Refer to the ACR built-in policy definitions (azure-container-registry-built-in-policy definitions).
  3. Assign a built-in policy definition to disable authentication-as-arm in the Azure portal.

Assign a built-in policy definition to disable ARM audience token authentication - Azure portal

You can enable registry's Conditional Access policy in the Azure portal.

Azure Container Registry has two built-in policy definitions to disable authentication-as-arm:

  • Container registries should have ARM audience token authentication disabled. - This policy reports and blocks any non-compliant resources, and also sends a request to update non-compliant resources to compliant.
  • Configure container registries to disable ARM audience token authentication. - This policy offers remediation and updates non-compliant resources to compliant.

  1. Sign in to the Azure portal.

  2. Navigate to your Azure Container Registry > Resource Group > Settings > Policies.

    Screenshot showing how to navigate Azure policies.

  3. Navigate to Azure Policy. On the Assignments page, select Assign policy.

    Screenshot showing how to assign a policy.

  4. Under Assign policy, use the filters to search for and find the Scope, Policy definition, and Assignment name.

    Screenshot of the assign policy tab.

  5. Select Scope to filter and search for the Subscription and Resource Group, and then choose Select.

    Screenshot of the Scope tab.

  6. Select Policy definition to filter and search the built-in policy definitions used for the Conditional Access policy.

    Screenshot of built-in-policy-definitions.

  7. Use filters to select and confirm Scope, Policy definition, and Assignment name.

  8. Use the filters to limit compliance states or to search for policies.

  9. Confirm your settings and set Policy enforcement to Enabled.

  10. Select Review + create.

    Screenshot showing how to activate a Conditional Access policy.

Create and configure a Conditional Access policy - Azure portal

ACR supports Conditional Access policy for Active Directory users only; it doesn't currently support Conditional Access policy for service principals. To configure a Conditional Access policy for the registry, you must disable authentication-as-arm for all the registries within the desired tenant. In this tutorial, you create a basic Conditional Access policy for the Azure Container Registry from the Azure portal.

Create a Conditional Access policy and assign your test group of users as follows:

  1. Sign in to the Azure portal by using an account with global administrator permissions.

  2. Search for and select Azure Active Directory. Then select Security from the menu on the left-hand side.

  3. Select Conditional Access, select + New policy, and then select Create new policy.

    A screenshot of the Conditional Access page, where you select 'New policy' and then select 'Create new policy'.

  4. Enter a name for the policy, such as demo.

  5. Under Assignments, select the current value under Users or workload identities.

    A screenshot of the Conditional Access page, where you select the current value under 'Users or workload identities'.

  6. Under What does this policy apply to?, verify and select Users and groups.

  7. Under Include, choose Select users and groups, and then select All users.

    A screenshot of the page for creating a new policy, where you select options to specify users.

  8. Under Exclude, choose Select users and groups to exclude any users or groups of your choice.

  9. Under Cloud apps or actions, choose Cloud apps.

  10. Under Include, choose Select apps.

    A screenshot of the page for creating a new policy, where you select options to specify cloud apps.

  11. Browse for and select the apps to which Conditional Access applies, in this case Azure Container Registry, and then choose Select.

    A screenshot of the list of apps, with results filtered, and 'Azure Container Registry' selected.

  12. Under Conditions, configure the access control level with options such as User risk level, Sign-in risk level, Sign-in risk detections (Preview), Device platforms, Locations, Client apps, Time (Preview), and Filter for devices.

  13. Under Grant, filter and choose from the options to grant or block access during a sign-in event to the Azure portal. In this case, grant access with Require multifactor authentication, and then choose Select.

    Tip

    To configure and grant multi-factor authentication, see configure and conditions for multi-factor authentication.

  14. Under Session, filter and choose from the options to enable any session-level controls for the cloud apps.

  15. After selecting and confirming your options, under Enable policy, select On.

  16. To apply and activate the policy, select Create.

    A screenshot showing how to activate the Conditional Access policy.

You have now finished creating the Conditional Access policy for the Azure Container Registry.
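The same policy the portal steps build (all users, the Azure Container Registry cloud app, grant access with multifactor authentication) can also be created through the Microsoft Graph Conditional Access API with az rest, which is useful when the policy must be reproducible across tenants. The script below is an added example, not part of the original page. It assumes the Graph v1.0 conditionalAccessPolicy request shape shown in the code and uses a placeholder for the Azure Container Registry application ID, which you must look up in your own tenant.

```shell
#!/bin/sh
# Added example, not from the ACR documentation: create the tutorial's policy
# (all users, one target app, require MFA) via Microsoft Graph using az rest.
# Assumptions: the Graph v1.0 conditionalAccessPolicy body shape below, and a
# placeholder application ID for Azure Container Registry.

# Build the policy body. $1 = policy name, $2 = target application ID,
# $3 = state: "enabled", "disabled" or "enabledForReportingButNotEnforced".
build_policy_json() {
    printf '{"displayName":"%s","state":"%s","conditions":{"users":{"includeUsers":["All"]},"applications":{"includeApplications":["%s"]}},"grantControls":{"operator":"OR","builtInControls":["mfa"]}}' "$1" "$3" "$2"
}

# Validate the state argument locally before sending anything to Graph.
valid_state() {
    case "$1" in
        enabled|disabled|enabledForReportingButNotEnforced) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the policy. The default is report-only mode, so sign-in logs show
# who would have been affected before enforcement is switched on.
create_policy() {
    name="$1"; app_id="$2"; state="${3:-enabledForReportingButNotEnforced}"
    valid_state "$state" || { echo "invalid state: $state" >&2; return 1; }
    az rest --method post \
        --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
        --headers "Content-Type=application/json" \
        --body "$(build_policy_json "$name" "$app_id" "$state")"
}

# Placeholder: replace with the Azure Container Registry application ID from
# your tenant's Enterprise applications blade before calling create_policy.
ACR_APP_ID="<acr-application-id-placeholder>"
```

Invoke as create_policy demo "$ACR_APP_ID" enabled once report-only results look right.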

Next steps