Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
By default, access to pull or push content from an Azure container registry is only available to authenticated users. Enabling anonymous (unauthenticated) pull access makes all registry content publicly available for read (pull) actions. Use anonymous pull access in scenarios that don't require user authentication, such as distributing public container images.
Anonymous pull access is a preview feature, available in the Standard and Premium service tiers. To configure anonymous pull access, update a registry using the Azure CLI (version 2.21.0 or later). For information about installing or upgrading, see Install Azure CLI.
- Enable anonymous pull access by updating the properties of an existing registry.
- After enabling anonymous pull access, you can disable that access at any time.
- Only data-plane operations are available to unauthenticated clients.
- The registry might throttle a high rate of unauthenticated requests.
- If you previously authenticated to the registry, make sure you clear the credentials before attempting an anonymous pull operation.
Warning
Anonymous pull access currently applies to all repositories in the registry. If you manage repository access using non-Microsoft Entra token-based repository permissions or Microsoft Entra-based repository permissions, all users can still pull from those repositories in a registry enabled for unauthenticated anonymous pull. Please be aware of this when enabling unauthenticated anonymous pull access.
Configure anonymous pull access
Users can enable, disable, and query the status of anonymous pull access using the Azure CLI. The following examples demonstrate how to enable, disable, and query the status of anonymous pull access.
Enable anonymous pull access
Update a registry using the az acr update command and pass the --anonymous-pull-enabled parameter. By default, anonymous pull is disabled in the registry.
az acr update --name myregistry --anonymous-pull-enabled
Important
If you previously authenticated to the registry with Docker credentials, run docker logout to ensure that you clear the existing credentials before attempting anonymous pull operations. Otherwise, you might see an error message similar to "pull access denied".
Remember to always specify the fully qualified registry name (all lowercase) when using docker login and tagging images for pushing to your registry. In the examples provided, the fully qualified name is myregistry.azurecr.io.
If you previously authenticated to the registry with Docker credentials, run the following command to clear existing credentials or any previous authentication.
docker logout myregistry.azurecr.io
This step helps you attempt an anonymous pull operation. If you encounter any issues, you might see an error message similar to "pull access denied."
Disable anonymous pull access
Disable anonymous pull access by setting --anonymous-pull-enabled to false.
az acr update --name myregistry --anonymous-pull-enabled false
Query the status of anonymous pull access
You can query the status of "anonymous-pull" using the az acr show command with the --query parameter. Here's an example:
az acr show -n <registry_name> --query anonymousPullEnabled
The command returns a boolean value indicating whether "Anonymous Pull" is enabled (true) or disabled (false). This command streamlines the process of verifying the status of features within ACR.
Next steps
- Learn about using Microsoft Entra-based repository permissions.
- Learn about using non-Microsoft Entra token-based repository permissions.
- Learn about options to authenticate to an Azure container registry.