Audit Container Registry access

March 29, 2026 ยท View on GitHub

SYNOPSIS

Ensure container registry audit diagnostic logs are enabled.

DESCRIPTION

Azure Container Registry (ACR) provides diagnostic logs that can be used to monitor and audit access to container images. Enabling audit logs helps you track who accesses your registry and when, which is important for security and compliance.

The following log categories should be enabled:

  • ContainerRegistryLoginEvents - Captures authentication events to the registry.
  • ContainerRegistryRepositoryEvents - Captures push and pull operations for container images.

Alternatively, you can enable the audit or allLogs category group to capture these and other audit events.

RECOMMENDATION

Consider configuring diagnostic settings to capture container registry audit logs for security investigation.

EXAMPLES

Configure with Azure template

To deploy container registries that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable ContainerRegistryLoginEvents and ContainerRegistryRepositoryEvents categories or audit category group or allLogs category group.

For example:

{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2021-05-01-preview",
      "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]",
      "name": "logs",
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          {
            "category": "ContainerRegistryLoginEvents",
            "enabled": true
          },
          {
            "category": "ContainerRegistryRepositoryEvents",
            "enabled": true
          }
        ]
      },
      "dependsOn": [
        "[parameters('name')]"
      ]
    }
  ]
}

Configure with Bicep

To deploy container registries that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable ContainerRegistryLoginEvents and ContainerRegistryRepositoryEvents categories or audit category group or allLogs category group.

For example:

resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
    }
  }
}

resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'logs'
  scope: registry
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'ContainerRegistryLoginEvents'
        enabled: true
      }
      {
        category: 'ContainerRegistryRepositoryEvents'
        enabled: true
      }
    ]
  }
}

Alternatively, you can use category groups:

resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'logs'
  scope: registry
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        categoryGroup: 'audit'
        enabled: true
      }
    ]
  }
}