I have an Azure Container Registry (ACR) that is private where I push Docker images for our customers. The customers have their own Azure accounts, and I want to allow them to only pull images from the ACR in our Azure account. How can this be done in such a way that every customer has their own set of credentials to access our ACR?

Hi xdf1038 , Welcome to the Microsoft Q&A Platform! Thank you for asking your question here. To allow customers from another Azure tenant to access your private Azure Container Registry (ACR) with their own credentials: Use the Azure CLI to create a service principal and assign it the AcrPull role for your ACR. Example: az ad sp create-for-rbac --name "customer-sp" --role "AcrPull" \ --scopes /subscriptions/<YourSubscriptionId>/resourceGroups/<YourResourceGroup>/providers/Microsoft.ContainerRegistry/registries/<YourACRName> Share the appId, password, and tenant securely with the customer The customer logs in using the provided credentials: az login --service-principal -u <appId> -p <password> --tenant <tenant> az acr login --name <YourACRName> docker pull <YourACRName>.azurecr.io/<repository>:<tag> For more information, please refer to below documentations: Create a token with repository-scoped permissions Authenticate with an Azure container registry If an answer has been helpful, please consider accept the answer and "Upvote" to help increase visibility of this question for other members of the Microsoft Q&A community.

How to Allow Customers to Access Azure Container Registry from Another Tenant?

Accepted answer

Sai Krishna Katakam 1,510 Reputation points Microsoft Vendor

2024-12-09T21:53:31.29+00:00
Hi xdf1038,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

To allow customers from another Azure tenant to access your private Azure Container Registry (ACR) with their own credentials:

Use the Azure CLI to create a service principal and assign it the AcrPull role for your ACR. Example:

az ad sp create-for-rbac --name "customer-sp" --role "AcrPull" \ --scopes /subscriptions/<YourSubscriptionId>/resourceGroups/<YourResourceGroup>/providers/Microsoft.ContainerRegistry/registries/<YourACRName>

Share the appId, password, and tenant securely with the customer

The customer logs in using the provided credentials:

az login --service-principal -u <appId> -p <password> --tenant <tenant> az acr login --name <YourACRName> docker pull <YourACRName>.azurecr.io/<repository>:<tag>

For more information, please refer to below documentations:
Create a token with repository-scoped permissions
Authenticate with an Azure container registry

If an answer has been helpful, please consider accept the answer and "Upvote" to help increase visibility of this question for other members of the Microsoft Q&A community.
Please sign in to rate this answer.
xdf1038 20 Reputation points

2024-12-10T08:24:18.9433333+00:00

How Do I allow an AppService of the external Customer to Access that ACR

Sai Krishna Katakam 1,510 Reputation points Microsoft Vendor

2024-12-11T02:02:26.2833333+00:00

Hi xdf1038,

To allow an external customer's App Service to access your Azure Container Registry (ACR), enable the System-Assigned Managed Identity for the App Service in the Azure Portal under Identity, and grant it the AcrPull role. Use the Azure CLI to assign the role:

az role assignment create --assignee <PrincipalId> \ --role "AcrPull" \ --scope /subscriptions/<YourSubscriptionId>/resourceGroups/<YourResourceGroup>/providers/Microsoft.ContainerRegistry/registries/<YourACRName>

Replace <PrincipalId> with the Object ID of the App Service's managed identity. The customer can then reference the image in their App Service settings using <YourACRName>.azurecr.io/<repository>:<tag>. App Service will automatically use the managed identity to pull the image.

For more details, please refer to below documentations:
Use an Azure managed identity to authenticate to an Azure container registry
How to use managed identities for App Service and Azure Functions

If you have any further queries, do let us know. If the comment is helpful, please click "Accept Answer" and "Upvote".

Thank you.

Sai Krishna Katakam 1,510 Reputation points Microsoft Vendor

2024-12-11T21:23:01.4466667+00:00

Hi xdf1038,

I wanted to check if you had the opportunity to review the information which was provided in my previous posted comment.

If it was helpful, please click "Accept Answer" and "Upvote" on his post to let us know.

Thank You.

xdf1038 20 Reputation points

2024-12-17T13:59:49.3733333+00:00

I was not able to confirm that this solves my problem but it sounds reasonable

Sai Krishna Katakam 1,510 Reputation points Microsoft Vendor

2024-12-18T01:34:53.5066667+00:00

Hi xdf1038,

Thank you for your feedback! If you face any issues while trying this solution, please let me know. I’ll be happy to help further!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to Allow Customers to Access Azure Container Registry from Another Tenant?

0 additional answers

Your answer