From ac3bd1ef9559d24ed2c2391fd3e5614b962f1e02 Mon Sep 17 00:00:00 2001 From: Sarthak Sharma Date: Tue, 26 May 2026 20:45:15 +0530 Subject: [PATCH 1/4] Update managed identity configuration instructions Add note about Azure Container Registry configuration for managed identity. --- articles/app-service/configure-custom-container.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/articles/app-service/configure-custom-container.md b/articles/app-service/configure-custom-container.md index cdd348abc8006..76814ee1a6046 100644 --- a/articles/app-service/configure-custom-container.md +++ b/articles/app-service/configure-custom-container.md @@ -83,6 +83,19 @@ Supply the sign-in credentials for your private registry account in the *\ +az acr config authentication-as-arm update -r --status enabled +``` +For more information, see [Configure registry acceptance of Microsoft Entra +authentication scopes](/azure/container-registry/container-registry-disable-authentication-as-arm). + 1. Enable the [system-assigned managed identity](./overview-managed-identity.md) for the web app by using the [`az webapp identity assign`](/cli/azure/webapp/identity#az-webapp-identity-assign) command: ```azurecli-interactive From 58965c9d28fa524ec8b4a918a346cde9745aab4a Mon Sep 17 00:00:00 2001 From: Sarthak Sharma Date: Tue, 26 May 2026 22:19:39 +0530 Subject: [PATCH 2/4] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- articles/app-service/configure-custom-container.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/articles/app-service/configure-custom-container.md b/articles/app-service/configure-custom-container.md index 76814ee1a6046..c33f121407c9e 100644 --- a/articles/app-service/configure-custom-container.md +++ b/articles/app-service/configure-custom-container.md 
@@ -93,8 +93,7 @@ validation failed" error. To check and enable this setting, run the following co az acr config authentication-as-arm show -r az acr config authentication-as-arm update -r --status enabled ``` -For more information, see [Configure registry acceptance of Microsoft Entra -authentication scopes](/azure/container-registry/container-registry-disable-authentication-as-arm). +For more information, see [Configure registry acceptance of Microsoft Entra authentication scopes](/azure/container-registry/container-registry-disable-authentication-as-arm). 1. Enable the [system-assigned managed identity](./overview-managed-identity.md) for the web app by using the [`az webapp identity assign`](/cli/azure/webapp/identity#az-webapp-identity-assign) command: From cb8f4f0742228241282ed361ee1e4592430158e6 Mon Sep 17 00:00:00 2001 From: Sarthak Sharma Date: Tue, 26 May 2026 22:24:21 +0530 Subject: [PATCH 3/4] Update configure-custom-container.md --- .../app-service/configure-custom-container.md | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/articles/app-service/configure-custom-container.md b/articles/app-service/configure-custom-container.md index c33f121407c9e..ca0c4fb3e54d3 100644 --- a/articles/app-service/configure-custom-container.md +++ b/articles/app-service/configure-custom-container.md 
@@ -83,17 +83,15 @@ Supply the sign-in credentials for your private registry account in the *\ -az acr config authentication-as-arm update -r --status enabled -``` -For more information, see [Configure registry acceptance of Microsoft Entra authentication scopes](/azure/container-registry/container-registry-disable-authentication-as-arm). +> [!IMPORTANT] +> Your Azure Container Registry must allow ARM audience tokens for authentication in order to use managed identity to pull images. This is the default configuration, but if it was previously disabled, image pulls fail with an `UNAUTHORIZED` "token validation failed" error. To check and enable this setting, run the following commands: +> +> ```azurecli-interactive +> az acr config authentication-as-arm show -r +> az acr config authentication-as-arm update -r --status enabled +> ``` +> +> For more information, see [Configure registry acceptance of Microsoft Entra authentication scopes](/azure/container-registry/container-registry-disable-authentication-as-arm). 1. Enable the [system-assigned managed identity](./overview-managed-identity.md) for the web app by using the [`az webapp identity assign`](/cli/azure/webapp/identity#az-webapp-identity-assign) command: From 6e59e30f832750bc5225cb6963da1d93582a9ed0 Mon Sep 17 00:00:00 2001 From: Sarthak Sharma Date: Tue, 26 May 2026 22:27:16 +0530 Subject: [PATCH 4/4] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- articles/app-service/configure-custom-container.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/app-service/configure-custom-container.md b/articles/app-service/configure-custom-container.md index ca0c4fb3e54d3..6f2b5acd18825 100644 --- a/articles/app-service/configure-custom-container.md +++ b/articles/app-service/configure-custom-container.md 
@@ -84,7 +84,7 @@ Supply the sign-in credentials for your private registry account in the *\ [!IMPORTANT] -> Your Azure Container Registry must allow ARM audience tokens for authentication in order to use managed identity to pull images. This is the default configuration, but if it was previously disabled, image pulls fail with an `UNAUTHORIZED` "token validation failed" error. To check and enable this setting, run the following commands: +> Your Azure Container Registry must allow ARM audience tokens for authentication in order to use managed identity to pull images. If this setting is disabled, image pulls fail with an `UNAUTHORIZED` "token validation failed" error. To check and enable this setting, run the following commands: > > ```azurecli-interactive > az acr config authentication-as-arm show -r
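Review bot: in PATCH 1/4, both `az acr config authentication-as-arm` commands in the added block pass `-r` with nothing after it (`update -r --status enabled`), so they cannot be run as shown. Put an explicit registry-name placeholder after `-r` on both lines and confirm it still renders inside the fence. The quoted copy of the commands in PATCH 3/4 needs the same fix.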
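Review bot: in PATCH 2/4, the closing code fence is still followed directly by the "For more information" line with no blank line between them, which some Markdown renderers handle inconsistently. Add an empty line after the fence. Because this hunk only rejoins a link that PATCH 1/4 wrapped and PATCH 3/4 rewrites again, consider squashing it into PATCH 1/4.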
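Review bot: in PATCH 3/4, the `[!IMPORTANT]` block tells readers to run `update ... --status enabled` as the fix, but it does not say that the setting may have been turned off on purpose. The linked article's path is `container-registry-disable-authentication-as-arm`, so disabling ARM audience tokens is a documented registry hardening choice. Add a sentence telling readers to confirm with the registry owner why the setting is disabled before re-enabling it, since the change is made on the registry itself and not only for this web app.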
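Review bot: in PATCH 4/4, dropping "This is the default configuration" from the first sentence of the alert leaves readers unable to tell whether they need to act at all, and "To check and enable this setting, run the following commands" still presents `show` and `update` as one sequence. If the default claim from PATCH 3/4 is accurate, keep it. Either way, say that `update --status enabled` is needed only when `show` reports the setting as disabled, so readers who see the `UNAUTHORIZED` error check first and do not change registry authentication settings unnecessarily.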