---
title: Admin user enabled for container registry
description: Datadog, the leading service for cloud-scale monitoring.
---

# Admin user enabled for container registry

## Metadata{% #metadata %}

**Id:** `ansible-azure-admin-user-enabled-for-container-registry` 

**Provider:** Azure

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_containerregistry_module.html)

### Description{% #description %}

Enabling the admin user on an Azure Container Registry creates a shared username/password credential that can be leaked or abused to push or pull images, increasing the risk of unauthorized access and lateral movement.

For Ansible tasks that use `azure_rm_containerregistry` or `azure.azcollection.azure_rm_containerregistry`, the `admin_user_enabled` property must be set to `false` or omitted (it defaults to `false`). Tasks that set `admin_user_enabled` to `true`, whether as a boolean or as the quoted string `"true"`, are flagged. Use Azure AD RBAC with scoped service principals or managed identities for registry access instead.

Secure example (explicitly disabling the admin user):

```yaml
- name: Create secure Azure Container Registry
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    resource_group: myResourceGroup
    sku: Basic
    admin_user_enabled: false
```
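
The check described above, sketched in Python as an added example (this is not Datadog's rule implementation). It walks tasks as a YAML loader would return them and goes beyond the stated rule: it also treats the other truthy spellings Ansible accepts for booleans as enabled, descends into `block`/`rescue`/`always`, and reports Jinja2-templated values as unresolved. The names `classify`, `audit` and `SAMPLE_TASKS`, and the variable `acr_admin`, are assumptions made for illustration.

```python
# Added example: audit parsed Ansible tasks for the ACR admin user setting.
ACR_MODULES = {"azure_rm_containerregistry",
               "azure.azcollection.azure_rm_containerregistry"}
# String spellings Ansible accepts as boolean true (compared lowercased).
TRUTHY = {"y", "yes", "on", "1", "true", "t"}


def classify(value):
    """Map an admin_user_enabled value to 'enabled', 'disabled' or 'unresolved'."""
    if value is None:
        return "disabled"  # omitted or null: the module default is false
    if isinstance(value, (bool, int, float)):
        return "enabled" if value == 1 else "disabled"
    text = str(value).strip().lower()
    if "{{" in text:
        return "unresolved"  # Jinja2 expression, value known only at run time
    return "enabled" if text in TRUTHY else "disabled"


def audit(tasks, path=""):
    """Return (location, task name, status) for registry tasks not clearly disabled."""
    findings = []
    for i, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        here = f"{path}[{i}]"
        for key in ("block", "rescue", "always"):  # nested task lists
            findings += audit(task.get(key), f"{here}.{key}")
        for module in ACR_MODULES & task.keys():
            args = task[module] if isinstance(task[module], dict) else {}
            status = classify(args.get("admin_user_enabled"))
            if status != "disabled":
                findings.append((here, task.get("name", ""), status))
    return findings


SAMPLE_TASKS = [  # constructed sample, modelled on this page's YAML examples
    {"name": "registry1", "azure.azcollection.azure_rm_containerregistry":
        {"name": "myRegistry", "admin_user_enabled": True}},
    {"name": "registry2", "azure_rm_containerregistry":
        {"name": "myRegistry", "admin_user_enabled": "true"}},
    {"name": "registry3", "azure_rm_containerregistry": {"name": "myRegistry"}},
    {"name": "group", "block": [
        {"name": "registry4", "azure_rm_containerregistry":
            {"name": "myRegistry", "admin_user_enabled": "{{ acr_admin }}"}}]},
]

if __name__ == "__main__":
    for where, name, status in audit(SAMPLE_TASKS):
        print(f"{where} {name}: admin_user_enabled is {status}")
```

An `unresolved` finding means the effective value depends on inventory or extra vars, so it needs a review of where that variable is set rather than an automatic pass.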

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create an azure container registry
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: myResourceGroup
    admin_user_enabled: false
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
- name: Create an azure container registry2
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: myResourceGroup
    admin_user_enabled: false
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Create an azure container registry
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: myResourceGroup
    admin_user_enabled: true
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
- name: Create an azure container registry2
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: myResourceGroup
    admin_user_enabled: "true"
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
```
