![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 69%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYL%3C/text%3E%3C/svg%3E)
Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.
455 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 3%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 8%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Hello @yuxuan li ,
Thank you for your question, let me answer your questions as below:
- How does the username and password-based ACR authentication work behind the scenes? Does it involve or bypass AAD?
When you use a username and password generated by Azure Container Registry (ACR), it does not directly involve Azure Active Directory (AAD) for each authentication request. Instead, ACR provides an admin account with a username and password that can be used for direct authentication.
Here’s how it works:
- Admin Account: ACR allows you to enable an admin user account, which provides a username and password specifically for the registry.
- Direct Authentication: This username and password can be used directly with Docker commands (e.g.,
docker login) to authenticate and interact with the registry. - Is it possible to use dSTS-based tokens for ACR authentication? Is there a way for us to have a dSTS dependency for ACR authentication?
Currently, ACR primarily supports authentication through AAD tokens. The available methods include:
- Individual login with Microsoft Entra ID: Using personal or service principal credentials.
- Service principal: For headless authentication scenarios.
- Managed identities: For Azure resources
There is no direct support for using dSTS-based tokens for ACR authentication. ACR relies on AAD for token issuance and validation, and there isn’t a documented method to replace this with dSTS tokens.
Given your requirements to avoid dependencies on AAD (ESTS), you might consider the following alternatives:
- Service Principal with Certificates: Instead of using username and password, you can use a service principal with certificate-based authentication. This enhances security and can be managed more easily3.
- Managed Identities: If your service is running on Azure, using managed identities can simplify the authentication process without needing to manage credentials directly1.
If avoiding AAD entirely is a strict requirement, you might need to explore other container registry solutions that support different authentication mechanisms.
Would you like more details on any of these alternatives or have other questions?