Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0067

The ACR admin user is one shared credential with full push and pull over every image

The ACR admin account is a single shared username/password with full push and pull rights and no identity behind it. It ends up pasted into CI configs everywhere, and a leak means someone else decides what your clusters run.

Footgun ID
AZF-0067 (Azure Footgun No. 67)
Azure service
Azure Container Registry
Resource type
Microsoft.ContainerRegistry/registries
Updated
July 9, 2026

What it is

An Azure Container Registry with adminUserEnabled set to true. The admin user is a built-in account: one username (the registry name) and two static passwords, with full push and pull rights over every repository in the registry. It is not an Entra ID identity. It can't be scoped down, it doesn't expire, and nothing records who used it, only that "the admin" did.

Impact (security)
One static credential grants full push and pull across the entire registry, with no identity attached
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

The admin user is disabled by default, so this footgun is one your own tooling and habits switch on. It happens because the admin account is the path of least resistance everywhere: docker login with a plain username and password just works, several portal deployment flows for App Service and Container Apps historically leaned on admin credentials to wire up image pulls, and countless CI examples and Terraform snippets set admin_enabled = true because it makes the pipeline green on the first try.

Once enabled, the credential spreads. It gets pasted into pipeline variables, Kubernetes image-pull secrets, teammates' shells, and the deployment config of every app that pulls from the registry. Each copy is a reason not to disable it later, so "temporary" becomes permanent.

What it costs / blast radius

The blast radius is control over what your infrastructure runs. Whoever holds the admin password can pull every image in the registry, which is your proprietary code, baked-in configuration, and internal service layout, and can push to any repository, which is worse: overwrite a tag your clusters pull and your own orchestrator deploys the attacker's image for them. Because the account has no identity behind it, the audit log can't tell you whether a given login was your pipeline, a former contractor, or someone who found the password in a repo. And because it's shared, rotating it breaks every pipeline and pull secret that embeds it, which is exactly why it rarely gets rotated. (Assessment of Azure behavior, not a measured incident statistic.)

See it

Footgun: a single shared password with full registry rights
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: 'corpregistry'
  location: location
  sku: { name: 'Standard' }
  properties: {
    adminUserEnabled: true    // one username, two static passwords, full push/pull
  }
}
Fix: disable the admin user; authenticate with managed identities or scoped tokens
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: 'corpregistry'
  location: location
  sku: { name: 'Standard' }
  properties: {
    adminUserEnabled: false   // Entra ID principals only
  }
}
// Give each consumer its own identity instead of the shared password:
//   AKS:        attach the registry (az aks update --attach-acr) or use
//               the kubelet's managed identity with the AcrPull role
//   App Service / CI: a managed identity or service principal with
//               AcrPull (or AcrPush for pipelines that build)

How StratoLens helps

StratoLens flags every registry with the admin user enabled, across all your subscriptions, continuously and inside your own tenant. Instead of hoping nobody flipped the convenient switch, you get a standing list of the registries still running on a shared password, so you can migrate them to real identities on your schedule rather than an attacker's.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.