33

Getting the below error while logging in to the container registry

Command:

docker login <MY_REGISTRY_NAME>.azurecr.io

Error Message:

Error response from daemon: Get https://<MY_REGISTRY_NAME>.azurecr.io/v2/: unauthorized: Application not registered with AAD
stackprotector
Rajesh M
  • Have you registered the application on Azure ad portal? https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app – Carl Zhao Dec 16 '20 at 03:09

8 Answers

40

Go to Access Keys in Container Registry and enable the admin user, then use the autogenerated credentials to login via Docker

Anudeepa
  • How does this help with Active Directory Authentication? Sure, it allows you to create a single "admin" user, with a password that you can what, pass around to everyone in your organization? This is horrible advice. – Kevin B Burns Feb 15 '21 at 22:50
  • This answer works, but is a poor solution due to the concerns mentioned by [Kevin B Burns](https://stackoverflow.com/users/3330627/kevin-b-burns). See [my answer](https://stackoverflow.com/a/73250630/6025062) below for more details and a viable solution. – bentocin Aug 14 '22 at 13:29
7

For me, the easiest way to get everything going was to read the documents from Docker at https://docs.docker.com/cloud/aci-integration/. Really, all you have to do is create the container in Azure, open up PowerShell (if you haven't, install/import the Azure modules), and run the command "docker login azure". This will pop open a browser window and you can sign directly into your container from there. I haven't tried this with multiple containers yet, as I only have a need for one so far, but I can't imagine it would be all that difficult.

Kevin B Burns
  • This will work if you are doing it manually and locally. This won't help if you're running in a pipeline on ADO. – Don Rolling Jan 04 '23 at 19:59
7

TL;DR

Check the details for your authentication option and the login troubleshooting docs. The solution mentioned below works for individual login with Azure AD for Docker and Helm.


Although the accepted answer from @Anudeepa fixes the issue, this is not the desired purpose of the Admin account (see docs):

> The admin account is designed for a single user to access the registry, mainly for testing purposes. We do not recommend sharing the admin account credentials among multiple users. All users authenticating with the admin account appear as a single user with push and pull access to the registry. Changing or disabling this account disables registry access for all users who use its credentials. Individual identity is recommended for users and service principals for headless scenarios.

So, the first address to tackle the issue should be the docs to troubleshoot login. The mentioned error message `Error response from daemon: Get https://<MY_REGISTRY_NAME>.azurecr.io/v2/: unauthorized: Application not registered with AAD` can have multiple causes.

Keep in mind that there are multiple options to authenticate to ACR.

I assume the question either refers to 1) Individual login with Azure AD or 2) Service principal.

My issue was with the Individual login as there is a gotcha. Your username must be 00000000-0000-0000-0000-000000000000 (this is not a placeholder for your own id). The following fixed the error for me:

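```bash
# For individual Azure AD login the username is this literal GUID, not your own ID
USER_NAME="00000000-0000-0000-0000-000000000000"
# Obtain an access token for the registry without invoking the Docker CLI
PASSWORD=$(az acr login --name <MY_REGISTRY_NAME> \
  --expose-token \
  --output tsv \
  --query accessToken)

# Pass the token on stdin so it does not show up in the process list or shell history
echo "$PASSWORD" | docker login <MY_REGISTRY_NAME>.azurecr.io \
  --username "$USER_NAME" \
  --password-stdin

echo "$PASSWORD" | helm registry login <MY_REGISTRY_NAME>.azurecr.io \
  --username "$USER_NAME" \
  --password-stdin
```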
bentocin
4

For those of you who don't want to enable the admin user via the "Access Keys" section in the Container Registry, you can follow this link - https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal - to create a service principal. Running the script provided in the mentioned link generates an ID and password combination that can be used with your docker login commands (give the ID as the username in the docker login command). This also ensures that if you want to run the docker commands via some scripts that you have written, then you can use these credentials.

The command offers the capability of assigning fixed roles to the service principals that you are creating. Roles specific to just pull or push (which includes pull) can be assigned.

The thing that I am not clear about is why the users added via Azure AD can't be used in the docker login commands, while using service principals works. (If anyone has an idea about it, please feel free to share.)

nimpostor
4

This can happen if you use the full registry name e.g. registryname.azurecr.io as the username instead of just registryname

The error message is annoyingly incorrect!

Luke Briner
2

Like others have mentioned, you can use the admin user if you would like.

However, this might not be the ideal solution for a larger organization. Instead, you can use RBAC and Azure AD logins to manage access. Here are the steps I took:

  1. Ensure you and your users have the required RBAC roles. Please refer to the following link for details: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
  2. If you have not done so already, download the Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli
  3. Log into the Azure CLI using the following command: az login
    A pop-up should appear allowing you to log in via your browser.
  4. Ensure you are logged into the same subscription as your Azure Container Repository
  5. Finally, log into your azure container repository with:
    az acr login --name <your-repo-name-here>.azurecr.io

That is it! I found this solution to make collaboration far easier. Hopefully it helps!

1

I had this error, unauthorized: Application not registered with AAD, when during docker login I used the Service Principal's DisplayName instead of its ApplicationId as the value of --username.

Get-AzADServicePrincipal -DisplayName <DisplayName> | Select ApplicationId

This way you can find out your Service Principal's ApplicationId by DisplayName in Azure PowerShell. You can find it in the Azure Portal as well.

Michal Rosenbaum
0
  1. Get credentials using az acr credential show --name testcontainerregistry
  2. Use these credentials in docker login testcontainerregistry.azurecr.io
James Bond
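
The username mistakes reported across the answers on this page, collected into a pre-flight check to run before `docker login` (an added example, not code from any of the posters; the function names and the mode names `token`, `sp` and `admin` are hypothetical, and the sample usernames in the comments are constructed):

```shell
#!/bin/sh
# Pre-flight check for the --username given to `docker login <registry>.azurecr.io`.
# Each branch corresponds to one cause of "Application not registered with AAD"
# described in the answers above.

NULL_GUID="00000000-0000-0000-0000-000000000000"

# True if the argument has the shape of a GUID (8-4-4-4-12 hex digits).
is_guid() {
  printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# check_acr_username MODE USERNAME
# Prints "ok" or a one-line diagnosis; returns 0 only for "ok".
check_acr_username() {
  mode=$1
  user=$2
  case $mode in
    token)  # password came from: az acr login --expose-token
      if [ "$user" = "$NULL_GUID" ]; then echo "ok"; return 0; fi
      echo "token login needs the literal username $NULL_GUID"; return 1 ;;
    sp)     # service principal: username is the ApplicationId
      if [ "$user" = "$NULL_GUID" ]; then
        echo "null GUID is only for token login; use the ApplicationId"; return 1
      fi
      if is_guid "$user"; then echo "ok"; return 0; fi
      echo "username is not a GUID; use the ApplicationId, not the DisplayName"
      return 1 ;;
    admin)  # admin user: username is the bare registry name
      case $user in
        "") echo "empty username"; return 1 ;;
        *.azurecr.io)
          echo "use '${user%.azurecr.io}' as username, not the login server"
          return 1 ;;
        *) echo "ok"; return 0 ;;
      esac ;;
    *) echo "unknown mode '$mode' (expected token, sp or admin)"; return 2 ;;
  esac
}
```

For example, `check_acr_username sp my-build-sp` reports that a DisplayName was supplied, and `check_acr_username admin myregistry.azurecr.io` suggests `myregistry` instead.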