Azure Container Registry (ACR) introduces the Conditional Access policy
Azure Container Registry (ACR) gives you the option to create and configure the Conditional Access policy.
The Conditional Access policy is designed to enforce strong authentication. Access decisions are based on location, trusted and compliant devices, user-assigned roles, authorization method, and client applications. The policy lets you meet your organization's compliance requirements and keep data and user accounts safe.
The Conditional Access policy applies after first-factor authentication to Azure Container Registry is complete. Conditional Access for ACR covers user authentication only. The policy lets you choose the controls and then blocks or grants access based on the policy decisions.
The following steps will help create a Conditional Access policy for Azure Container Registry (ACR).
- Disable authentication-as-arm in ACR - Azure CLI.
- Disable authentication-as-arm in the ACR - Azure portal.
- Create and configure Conditional Access policy for Azure Container Registry.
Disable authentication-as-arm in ACR - Azure CLI
The azureADAuthenticationAsArmPolicy setting forces the registry to use ACR audience tokens. You need Azure CLI version 2.40.0 or later; run `az --version` to find your version.
Run the following command to show the registry's current policy for authentication using ARM tokens. If the status is enabled, both ACR and ARM audience tokens can be used for authentication. If the status is disabled, only ACR audience tokens can be used for authentication.
```azurecli
az acr config authentication-as-arm show -r <registry>
```
Run the following command to update the status of the registry's policy:
```azurecli
az acr config authentication-as-arm update -r <registry> --status [enabled/disabled]
```
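The two commands above act on one registry at a time. The script below is an added example (not code from the Azure documentation or the ACR project) that chains them into an audit-then-remediate loop across every registry the signed-in account can list, with a dry-run default. It assumes Azure CLI 2.40.0 or later and that `az acr config authentication-as-arm show` returns a JSON object with a `status` field, so `--query status -o tsv` yields the bare word `enabled` or `disabled`; the field name is an assumption, so inspect the `show` output once before relying on it. The registry names and statuses embedded at the bottom are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Azure docs page): audit every registry the signed-in
# account can see and turn off ARM audience token authentication where it is still on.
# Assumptions: Azure CLI 2.40.0 or later; `az acr config authentication-as-arm show`
# returns a JSON object with a "status" field (assumed name), so `--query status -o tsv`
# yields "enabled" or "disabled".
set -e

# Map the status word from `show` to an action. Case and whitespace are normalised
# because tsv output is compared as a plain string.
arm_token_action() {
  status=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
  case "$status" in
    enabled)  echo "disable" ;;   # ARM tokens still accepted: needs remediation
    disabled) echo "ok" ;;        # only ACR audience tokens accepted
    *)        echo "unknown" ;;   # unexpected value: leave the registry alone
  esac
}

# Read "registry<TAB>status" lines on stdin and print the registries that still
# accept ARM audience tokens.
registries_needing_update() {
  tab=$(printf '\t')
  while IFS="$tab" read -r registry status; do
    [ -n "$registry" ] || continue
    if [ "$(arm_token_action "$status")" = "disable" ]; then
      echo "$registry"
    fi
  done
}

# Run the update command from the page for every registry on stdin.
# DRY_RUN=1 (the default) prints the command instead of executing it.
disable_arm_tokens() {
  while read -r registry; do
    [ -n "$registry" ] || continue
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "az acr config authentication-as-arm update -r $registry --status disabled"
    else
      az acr config authentication-as-arm update -r "$registry" --status disabled
    fi
  done
}

# Live use against a subscription (uncomment; needs `az login` first):
# az acr list --query "[].name" -o tsv | while read -r r; do
#   printf '%s\t%s\n' "$r" "$(az acr config authentication-as-arm show -r "$r" --query status -o tsv)"
# done | registries_needing_update | DRY_RUN=0 disable_arm_tokens

# Constructed sample of the "registry<TAB>status" feed, so the script runs offline.
sample_status=$(printf 'contosoacr\tEnabled\nfabrikamacr\tdisabled\nlegacyacr\tenabled\n')

# Offline run: list and (dry-run) remediate the two non-compliant sample registries.
printf '%s\n' "$sample_status" | registries_needing_update | disable_arm_tokens
```

Run it once with the default dry run to review the list of registries that would change; only then rerun the live pipeline with `DRY_RUN=0`. An unrecognised status value is deliberately treated as "unknown" and skipped rather than updated, so a changed CLI output format cannot silently flip every registry.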
Disable authentication-as-arm in the ACR - Azure portal
Assigning a built-in policy that disables the authentication-as-arm property automatically disables that property for current and future registries created within the policy scope. The possible policy scopes are a resource group or a subscription within the tenant.
You can disable authentication-as-arm in the ACR by following these steps:
- Sign in to the Azure portal.
- Refer to the ACR built-in policy definitions (azure-container-registry-built-in-policy).
- Assign a built-in policy to disable authentication-as-arm definition - Azure portal.
Assign a built-in policy definition to disable ARM audience token authentication - Azure portal.
You can enable the registry's Conditional Access policy in the Azure portal.
Azure Container Registry has two built-in policy definitions to disable authentication-as-arm:
- Container registries should have ARM audience token authentication disabled - This policy reports and blocks any non-compliant resources, and also sends a request to update non-compliant resources to compliant.
- Configure container registries to disable ARM audience token authentication - This policy offers remediation and updates non-compliant resources to compliant.

1. Sign in to the Azure portal.
2. Navigate to your Azure Container Registry > Resource Group > Settings > Policies.
3. In Azure Policy, under Assignments, select Assign policy.
4. Under Assign policy, use the filters to find the Scope, Policy definition, and Assignment name.
5. Select Scope to filter and search for the Subscription and Resource Group, then choose Select.
6. Select Policy definition to filter and search the built-in policy definitions for the Conditional Access policy.
7. Use the filters to select and confirm Scope, Policy definition, and Assignment name.
8. Use the filters to limit compliance states or to search for policies.
9. Confirm your settings and set policy enforcement to Enabled.
Create and configure a Conditional Access policy - Azure portal
ACR supports Conditional Access policy for Azure Active Directory users only. It currently doesn't support Conditional Access policy for service principals. To configure a Conditional Access policy for the registry, you must disable authentication-as-arm for all the registries within the desired tenant. In this tutorial, we'll create a basic Conditional Access policy for Azure Container Registry from the Azure portal.
Create a Conditional Access policy and assign your test group of users as follows:
1. Sign in to the Azure portal by using an account with global administrator permissions.
2. Search for and select Azure Active Directory. Then select Security from the menu on the left-hand side.
3. Select Conditional Access, select + New policy, and then select Create new policy.
4. Enter a name for the policy, such as demo.
5. Under Assignments, select the current value under Users or workload identities.
6. Under What does this policy apply to?, verify and select Users and groups.
7. Under Include, choose Select users and groups, and then select All users.
8. Under Exclude, choose Select users and groups to exclude any users or groups you select.
9. Under Cloud apps or actions, choose Cloud apps.
10. Under Include, choose Select apps.
11. Browse for and select the apps to which Conditional Access applies, in this case Azure Container Registry, then choose Select.
12. Under Conditions, configure the access control level with options such as User risk level, Sign-in risk level, Sign-in risk detections (Preview), Device platforms, Locations, Client apps, Time (Preview), and Filter for devices.
13. Under Grant, filter and choose from the options to grant access or block access during a sign-in event to the Azure portal. In this case, grant access with Require multifactor authentication, then choose Select.
14. To configure and grant multifactor authentication, see configure and conditions for multi-factor authentication.
15. Under Session, filter and choose from the options to apply session-level controls to the cloud apps.
16. After selecting and confirming, under Enable policy, select On.
17. To apply and activate the policy, select Create.
We have now completed creating the Conditional Access policy for the Azure Container Registry.
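The portal steps above map one-to-one onto fields of the Microsoft Graph conditionalAccessPolicy resource, which is how you would keep the same policy under version control or recreate it in another tenant. The script below is an added example, not code from the Azure documentation or the ACR project: it builds the policy body for the settings chosen above (all users, the Azure Container Registry cloud app, grant with MFA), checks it for the two mistakes that quietly weaken such a policy, and shows the `az rest` call that would create it. It assumes the signed-in identity holds the Policy.ReadWrite.ConditionalAccess Graph permission, that the caller supplies the application ID for Azure Container Registry (not given on this page, so a placeholder GUID is used), and that the excluded group ID is a constructed placeholder for a break-glass group.

```shell
#!/bin/sh
# Added example (not from the Azure docs page): express the portal policy built above as
# a Microsoft Graph conditionalAccessPolicy object and create it with `az rest`.
# Assumptions: the signed-in identity holds Policy.ReadWrite.ConditionalAccess, and the
# application ID of Azure Container Registry is supplied by the caller (not on the page,
# so the offline run below uses an obvious placeholder GUID).
set -e

GRAPH_URL="https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Build the policy body. Each field mirrors a portal step:
#   $1 policy name             -> "Enter a name for the policy"
#   $2 ACR application ID      -> "Cloud apps > Include > Azure Container Registry"
#   $3 state                   -> "Enable policy: On" (enabled); use
#                                 enabledForReportingButNotEnforced for a report-only pilot
#   $4 optional excluded group -> "Exclude > Select users and groups" (break-glass group)
ca_policy_json() {
  name=$1; app_id=$2; state=${3:-enabled}; exclude_group=${4:-}
  if [ -n "$exclude_group" ]; then
    exclude="\"excludeGroups\": [\"$exclude_group\"]"
  else
    exclude="\"excludeGroups\": []"
  fi
  cat <<EOF
{
  "displayName": "$name",
  "state": "$state",
  "conditions": {
    "users": { "includeUsers": ["All"], $exclude },
    "applications": { "includeApplications": ["$app_id"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
EOF
}

# Guard against mistakes that silently weaken the policy: a state value Graph does not
# accept, an empty app ID (the policy would then scope to nothing), or a grant block
# without the MFA control chosen in the portal. Prints "ok" or the reason.
ca_policy_check() {
  body=$1
  case "$body" in
    *'"state": "enabled"'*|*'"state": "enabledForReportingButNotEnforced"'*|*'"state": "disabled"'*) ;;
    *) echo "bad state"; return 0 ;;
  esac
  case "$body" in
    *'"includeApplications": [""]'*) echo "no app"; return 0 ;;
  esac
  case "$body" in
    *'"builtInControls": ["mfa"]'*) echo "ok" ;;
    *) echo "mfa missing" ;;
  esac
}

# Live use (uncomment after `az login`; ACR_APP_ID and BREAK_GLASS_GROUP_ID are yours):
#   body=$(ca_policy_json "demo" "$ACR_APP_ID" enabledForReportingButNotEnforced "$BREAK_GLASS_GROUP_ID")
#   [ "$(ca_policy_check "$body")" = "ok" ] || exit 1
#   az rest --method post --url "$GRAPH_URL" --headers "Content-Type=application/json" --body "$body"

# Offline run with constructed placeholder IDs.
body=$(ca_policy_json "demo" "00000000-0000-0000-0000-000000000000" enabled "11111111-1111-1111-1111-111111111111")
printf '%s\n' "$body"
ca_policy_check "$body"
```

Creating the policy in report-only mode first (`enabledForReportingButNotEnforced`) lets you read the sign-in logs for what would have been blocked before switching the state to `enabled`, and the excluded break-glass group keeps an emergency account reachable if the MFA requirement misfires.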
- Learn more about Azure Policy definitions and effects.
- Learn more about common access concerns that Conditional Access policies can help with.
- Learn more about Conditional Access policy components.