What it is
An Azure Container Registry with anonymousPullEnabled set to true, which lets clients pull images with no authentication at all. It exists for a legitimate use case: distributing public images without forcing consumers to log in. The footgun is that the setting is registry-wide. The moment an internal image lands in a registry that also serves public ones, it is downloadable by anyone who can name its repository.
Why it happens
Anonymous pull is never on by accident at creation time: it's off by default and takes an explicit az acr update --anonymous-pull-enabled on a Standard or Premium registry. It gets switched on for sensible-sounding reasons, such as serving OSS artifacts to external users, unblocking a demo, or making cluster pulls "just work" without wiring up pull secrets.
The trap is what happens next. The flag doesn't distinguish public repositories from private ones, registries accumulate images from every team that finds them convenient, and the setting is invisible in daily use because authenticated pushes and pulls behave identically. Nobody re-decides the question when the tenth internal service starts pushing to a registry that was made anonymous for one public artifact a year ago.
It also can't be fenced in by network hardening alone: anonymous pull is a data-plane authorization setting, so wherever the endpoint is reachable from, that entire audience can pull without credentials.
What it costs / blast radius
The blast radius is everything your images contain, available to anyone who can reach the endpoint and name a repository. And repository names leak constantly: through CI logs, Kubernetes manifests, Helm charts, compose files, and plain guessable conventions like corpregistry.azurecr.io/api. An image is not just your compiled code. Layers routinely carry appsettings and .env files, internal hostnames and service topology, private package feeds referenced in build steps, and the occasional connection string someone baked in "temporarily." Anyone who pulls the image can un-layer it offline with standard tooling and read all of it. There's no per-pull identity, so you also lose any record of who took what. (Assessment of Azure behavior, not a measured incident statistic.)
See it
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
name: 'corpregistry'
location: location
sku: { name: 'Standard' } // anonymous pull exists on Standard/Premium
properties: {
anonymousPullEnabled: true // no credentials needed to pull any repository
}
}resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
name: 'corpregistry'
location: location
sku: { name: 'Standard' }
properties: {
anonymousPullEnabled: false // pulls require an authenticated principal
}
}
// Consumers authenticate with the AcrPull role via managed identity or a
// scoped token. If you genuinely distribute public images, put them in a
// dedicated registry so the anonymous flag never covers internal ones.How StratoLens helps
StratoLens flags every registry that allows anonymous pull, across all your subscriptions, continuously and inside your own tenant. The registry someone opened up for a demo two teams ago stops being tribal knowledge and becomes a finding you can close before your internal images become public downloads.