What it is
An Azure Container Registry with adminUserEnabled set to true. The admin user is a built-in account: one username (the registry name) and two static passwords, with full push and pull rights over every repository in the registry. It is not an Entra ID identity. It can't be scoped down, it doesn't expire, and nothing records who used it, only that "the admin" did.
Why it happens
The admin user is disabled by default, so this footgun is one your own tooling and habits switch on. It happens because the admin account is the path of least resistance everywhere: docker login with a plain username and password just works, several portal deployment flows for App Service and Container Apps historically leaned on admin credentials to wire up image pulls, and countless CI examples and Terraform snippets set admin_enabled = true because it makes the pipeline green on the first try.
Once enabled, the credential spreads. It gets pasted into pipeline variables, Kubernetes image-pull secrets, teammates' shells, and the deployment config of every app that pulls from the registry. Each copy is a reason not to disable it later, so "temporary" becomes permanent.
What it costs / blast radius
The blast radius is control over what your infrastructure runs. Whoever holds the admin password can pull every image in the registry, which is your proprietary code, baked-in configuration, and internal service layout, and can push to any repository, which is worse: overwrite a tag your clusters pull and your own orchestrator deploys the attacker's image for them. Because the account has no identity behind it, the audit log can't tell you whether a given login was your pipeline, a former contractor, or someone who found the password in a repo. And because it's shared, rotating it breaks every pipeline and pull secret that embeds it, which is exactly why it rarely gets rotated. (Assessment of Azure behavior, not a measured incident statistic.)
See it
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
name: 'corpregistry'
location: location
sku: { name: 'Standard' }
properties: {
adminUserEnabled: true // one username, two static passwords, full push/pull
}
}resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
name: 'corpregistry'
location: location
sku: { name: 'Standard' }
properties: {
adminUserEnabled: false // Entra ID principals only
}
}
// Give each consumer its own identity instead of the shared password:
// AKS: attach the registry (az aks update --attach-acr) or use
// the kubelet's managed identity with the AcrPull role
// App Service / CI: a managed identity or service principal with
// AcrPull (or AcrPush for pipelines that build)How StratoLens helps
StratoLens flags every registry with the admin user enabled, across all your subscriptions, continuously and inside your own tenant. Instead of hoping nobody flipped the convenient switch, you get a standing list of the registries still running on a shared password, so you can migrate them to real identities on your schedule rather than an attacker's.