ACR_AdminAccountDisabled_Modify.json
{
"properties": {
"displayName": "Configure container registries to disable local admin account.",
"description": "Disable the admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. This policy modifies only the adminUserEnabled property; repository scoped access tokens and anonymous pull are not changed by it. Learn more at: https://aka.ms/acr/authentication.",
"policyType": "BuiltIn",
"mode": "Indexed",
"metadata": {
"version": "1.0.1",
"category": "Container Registry"
},
"version": "1.0.1",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Modify",
"allowedValues": [
"Modify",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.ContainerRegistry/registries"
},
{
"field": "Microsoft.ContainerRegistry/registries/adminUserEnabled",
"equals": true
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"conflictEffect": "audit",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "addOrReplace",
"field": "Microsoft.ContainerRegistry/registries/adminUserEnabled",
"value": false
}
]
}
}
},
"versions": [
"1.0.1"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759",
"name": "79fdfe03-ffcb-4e55-b4d0-b925b8241759"
}