Conditional Access policy for Azure Container Registry

Article
12/11/2023

Azure Container Registry (ACR) gives you the option to create and configure the Conditional Access policy. Conditional Access policies, which are typically associated with Azure Active Directory (Azure AD), are used to enforce strong authentication and access controls for various Azure services, including ACR.

The Conditional Access policy applies after the first-factor authentication to the Azure Container Registry is complete. The purpose of Conditional Access for ACR is for user authentication only. The policy enables the user to choose the controls and further blocks or grants access based on the policy decisions.

The Conditional Access policy is designed to enforce strong authentication. The policy enables the security to meet the organizations compliance requirements and keep the data and user accounts safe.

Important

To configure Conditional Access policy for the registry, you must disable authentication-as-arm for all the registries within the desired tenant.

Learn more about Conditional Access policy, the conditions you'll take it into consideration to make policy decisions.

In this tutorial, you learn how to:

Create and configure Conditional Access policy for Azure Container Registry.
Troubleshoot Conditional Access policy.

Prerequisites

Install or upgrade Azure CLI version 2.40.0 or later. To find the version, run az --version.
Sign in to the Azure portal.

Create and configure a Conditional Access policy - Azure portal

ACR supports Conditional Access policy for Active Directory users only. It currently doesn't support Conditional Access policy for Service Principal. To configure Conditional Access policy for the registry, you must disable authentication-as-arm for all the registries within the desired tenant. In this tutorial, we'll create a basic Conditional Access policy for the Azure Container Registry from the Azure portal.

Create a Conditional Access policy and assign your test group of users as follows:

Sign in to the Azure portal by using an account with global administrator permissions.
Search for and select Microsoft Entra ID. Then select Security from the menu on the left-hand side.
Select Conditional Access, select + New policy, and then select Create new policy.
Enter a name for the policy, such as demo.
Under Assignments, select the current value under Users or workload identities.
Under What does this policy apply to?, verify and select Users and groups.
Under Include, choose Select users and groups, and then select All users.
Under Exclude, choose Select users and groups, to exclude any choice of selection.
Under Cloud apps or actions, choose Cloud apps.
Under Include, choose Select apps.
Browse for and select apps to apply Conditional Access, in this case Azure Container Registry, then choose Select.
Under Conditions , configure control access level with options such as User risk level, Sign-in risk level, Sign-in risk detections (Preview), Device platforms, Locations, Client apps, Time (Preview), Filter for devices.
Under Grant, filter and choose from options to enforce grant access or block access, during a sign-in event to the Azure portal. In this case grant access with Require multifactor authentication, then choose Select.

Tip

To configure and grant multi-factor authentication, see configure and conditions for multi-factor authentication.
Under Session, filter and choose from options to enable any control on session level experience of the cloud apps.
After selecting and confirming, Under Enable policy, select On.
To apply and activate the policy, Select Create.