Role-Based Access Control
Like most modern Azure services, Azure Container Registry supports Azure role-based access control (RBAC), so you can grant each identity exactly the registry operations it needs (pull, push, delete, sign) and nothing more. Role assignments are scoped, and an assignment made on the resource group or subscription applies to every registry beneath it.
Practices:

- Assign the 'Reader' role, or the narrower built-in 'AcrPull' role, to identities/users/principals who should only pull images and never push, delete or otherwise modify them. AcrPull grants nothing but image pull; Reader additionally grants read access to the registry resource through Azure Resource Manager.
- Stay on top of your RBAC assignments. Check for delegated access (identities that can assign roles on the registry, such as Owner or User Access Administrator), and for highly privileged roles such as Owner and Contributor inherited from the subscription or resource group: those assignments grant push and delete on every registry beneath them without ever appearing on the registry itself.
- Microsoft provides a good overview of the Azure Container Registry roles and permissions.
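The two audit practices above, as an added example that is not part of the original page: a small Python script that takes the role assignments on a registry, including inherited ones, and flags pull-only identities holding anything beyond Reader/AcrPull, write-capable roles that arrive through inheritance, and Reader where AcrPull would do. It assumes the records have the shape returned by `az role assignment list --scope <registry-id> --include-inherited --all -o json`; the registry path, principal names and the pull-only list are constructed for the example.

```python
"""Audit Azure RBAC assignments on an Azure Container Registry.

Added example. Input records mirror the shape of
  az role assignment list --scope <registry-id> --include-inherited --all -o json
(roleDefinitionName, principalName, principalType, scope); the sample records
below are constructed for illustration and do not come from a real tenant.
"""
import json
import sys

# Built-in roles that grant more than pulling images (push, delete, sign,
# or changing RBAC itself). A pull-only identity should never carry one.
WRITE_CAPABLE_ROLES = {
    "Owner", "Contributor", "User Access Administrator",
    "AcrPush", "AcrDelete", "AcrImageSigner",
}
# Roles acceptable on a pull-only identity. AcrPull is the narrower one:
# Reader also grants Resource Manager read on the registry resource.
PULL_ONLY_ROLES = {"Reader", "AcrPull"}


def scope_kind(scope: str) -> str:
    """Classify an assignment scope; anything other than 'registry' reaches
    the registry only through inheritance."""
    s = scope.lower().rstrip("/")
    if s == "":
        return "root"
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/providers/microsoft.containerregistry/registries/" in s:
        return "registry"
    if "/resourcegroups/" in s:
        return "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "other"


def audit(assignments, pull_only_principals):
    """Return (principal, role, issue) tuples for assignments that break the
    practices above: a pull-only identity holding anything beyond
    Reader/AcrPull, a write-capable role arriving by inheritance, and
    Reader where AcrPull would do."""
    findings = []
    for ra in assignments:
        role = ra["roleDefinitionName"]
        # principalName can be null for a deleted principal; fall back to its id.
        principal = ra.get("principalName") or ra.get("principalId", "<unknown>")
        kind = scope_kind(ra["scope"])
        inherited = kind != "registry"
        if principal in pull_only_principals and role not in PULL_ONLY_ROLES:
            origin = f"inherited from {kind}" if inherited else "direct"
            findings.append((principal, role,
                             f"pull-only identity holds a write-capable role ({origin})"))
        elif inherited and role in WRITE_CAPABLE_ROLES:
            findings.append((principal, role,
                             f"write-capable role inherited from {kind} scope {ra['scope']}"))
        elif principal in pull_only_principals and role == "Reader":
            findings.append((principal, role,
                             "Reader also grants ARM read; assign AcrPull instead"))
    return findings


# Constructed scopes and records (hypothetical tenant, not real output).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/rg-platform"
REGISTRY = RESOURCE_GROUP + "/providers/Microsoft.ContainerRegistry/registries/contosoacr"

SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "AcrPull", "principalName": "aks-kubelet-mi",
     "principalType": "ServicePrincipal", "scope": REGISTRY},
    {"roleDefinitionName": "AcrPush", "principalName": "ci-build-sp",
     "principalType": "ServicePrincipal", "scope": REGISTRY},
    {"roleDefinitionName": "Reader", "principalName": "qa-runner-sp",
     "principalType": "ServicePrincipal", "scope": REGISTRY},
    {"roleDefinitionName": "Contributor", "principalName": "web-deploy-sp",
     "principalType": "ServicePrincipal", "scope": RESOURCE_GROUP},
    {"roleDefinitionName": "Owner", "principalName": "platform-admins",
     "principalType": "Group", "scope": SUBSCRIPTION},
]
# Identities that are only ever meant to pull images (constructed list).
PULL_ONLY_PRINCIPALS = {"aks-kubelet-mi", "qa-runner-sp", "web-deploy-sp"}

if __name__ == "__main__":
    # Save the az command's JSON to a file and pass its path to audit a real registry.
    records = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    for principal, role, issue in audit(records, PULL_ONLY_PRINCIPALS):
        print(f"{principal:20} {role:28} {issue}")
```

On the sample data the script reports three findings: the Reader assignment that should be AcrPull, the pull-only deployment principal that picked up Contributor from the resource group, and the Owner group inherited from the subscription. Remediation for the first two is a direct assignment at registry scope (`az role assignment create --assignee <principal-id> --role AcrPull --scope <registry-id>`) followed by removing the broader one.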