Failed to provision revision for container app because unauthorized

Question

Failed to provision revision for container app because unauthorized

Ryan Thomas 0

Here is the exact error:
Failed to provision revision for container app '--------'. Error details: The following field(s) are either invalid or missing. Field 'template.containers.--------.image' is invalid with details: 'Invalid value: "+++++++++.azurecr.io/api:latest": GET https:: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.; [map[Action:pull Name:api Type:repository]]';.. (Code: ContainerAppOperationError)

But as you can see here, I have all of the required role permissions assigned already
User's image

Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-09T17:36:56.49+00:00
Hi @Ryan Thomas ,

Thanks for reaching out to Microsoft Q&A.

Please provide below details:

Are you using a Consumption-only environment or a VNet-integrated environment?

Is there a private endpoint or firewall on your ACR?

Which identity did you assign those roles to (Container App's Managed identity or the service principal)?
Ryan Thomas 0 Reputation points

2026-03-09T17:43:15.8133333+00:00
Hi Pravallika, thanks for reaching out. Here are the answers to your questions:

I'm not sure because the environment is being created automatically when I try creating the container app

No private endpoints or firewall on my ACR

Here are all the role assignments I have set up:
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-09T17:50:31.6133333+00:00
Thanks for sharing the details @Ryan Thomas .

Please follow below steps and check if it still throws the error:

Enable and verify the Container App’s managed identity

In the Azure portal, go to your Container App =>Identity.

If system-assigned identity is “Off”, turn it “On” and save.

Note the Principal ID.

Assign AcrPull on your ACR to that identity

Go to your ACR resource =>Access control (IAM) =>Role assignments.

Click “Add role assignment” =>select “AcrPull” =>Assign access to “Managed identity” =>select the Container App’s principal ID.

Save.

Configure the registry credentials on the Container App

In the portal, open your Container App =>Configuration =>Container =>Registry credentials.

Select “Managed identity” and point it at your ACR login server (e.g. myregistry.azurecr.io).

Save and wait for a new revision to deploy.

Or with Azure CLI (replace placeholders):

az containerapp identity assign \ --name my-container-app \ --resource-group my-rg az role assignment create \ --assignee <CONTAINER-APP-PRINCIPAL-ID> \ --role AcrPull \ --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr-name> az containerapp registry set \ --name my-container-app \ --resource-group my-rg \ --server <acr-name>.azurecr.io \ --identity system

Redeploy your app or restart the latest revision:

In Container App =>Revisions, select the failing revision and click Restart.

Check the events/logs, this will force a fresh token pull.
Ryan Thomas 0 Reputation points

2026-03-09T18:00:42.99+00:00
To your reply that said :

Configure the registry credentials on the Container App

In the portal, open your Container App =>Configuration =>Container =>Registry credentials.

Select “Managed identity” and point it at your ACR login server (e.g. myregistry.azurecr.io).

Save and wait for a new revision to deploy.

In the container app, there is no configuration option, and no containers show up because the app failed to deploy to the error stated in the original question. Is there a way past this point?
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-09T18:06:05.65+00:00

You can try with the CLI commands mentioned in the same point.
Ryan Thomas 0 Reputation points

2026-03-09T18:11:08.7933333+00:00

I get this error when trying anything in the CLI:

Is it because i'm signed in as an internal user in the portal? I'm not able to sign in as my internal user UPN in the CLI because it requires an actual email
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-09T18:13:16.46+00:00

You can run these commands directly in Azure Portal=>Bash
Ryan Thomas 0 Reputation points

2026-03-09T18:16:30.63+00:00

Sorry about all of this as I am new to Azure. I was able to run the command through bash, but I get this error now:
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-12T22:25:41.6166667+00:00

@Ryan Thomas Have you tried with User Assigned Managed identity instead of system assigned as well?

1 answer

Your answer

Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-09T17:36:56.49+00:00

Hi @Ryan Thomas ,

Thanks for reaching out to Microsoft Q&A.

Please provide below details:

Are you using a Consumption-only environment or a VNet-integrated environment?

Is there a private endpoint or firewall on your ACR?

Which identity did you assign those roles to (Container App's Managed identity or the service principal)?
Ryan Thomas 0 Reputation points

2026-03-09T17:43:15.8133333+00:00

Hi Pravallika, thanks for reaching out. Here are the answers to your questions:

I'm not sure because the environment is being created automatically when I try creating the container app

No private endpoints or firewall on my ACR

Here are all the role assignments I have set up:
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-09T17:50:31.6133333+00:00

Thanks for sharing the details @Ryan Thomas .

Please follow below steps and check if it still throws the error:

Enable and verify the Container App’s managed identity

In the Azure portal, go to your Container App =>Identity.

If system-assigned identity is “Off”, turn it “On” and save.

Note the Principal ID.

Assign AcrPull on your ACR to that identity

Go to your ACR resource =>Access control (IAM) =>Role assignments.

Click “Add role assignment” =>select “AcrPull” =>Assign access to “Managed identity” =>select the Container App’s principal ID.

Save.

Configure the registry credentials on the Container App

In the portal, open your Container App =>Configuration =>Container =>Registry credentials.

Select “Managed identity” and point it at your ACR login server (e.g. myregistry.azurecr.io).

Save and wait for a new revision to deploy.

Or with Azure CLI (replace placeholders):

az containerapp identity assign \ --name my-container-app \ --resource-group my-rg az role assignment create \ --assignee <CONTAINER-APP-PRINCIPAL-ID> \ --role AcrPull \ --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr-name> az containerapp registry set \ --name my-container-app \ --resource-group my-rg \ --server <acr-name>.azurecr.io \ --identity system

Redeploy your app or restart the latest revision:

In Container App =>Revisions, select the failing revision and click Restart.

Check the events/logs, this will force a fresh token pull.
Ryan Thomas 0 Reputation points

2026-03-09T18:00:42.99+00:00

To your reply that said :

Configure the registry credentials on the Container App

In the portal, open your Container App =>Configuration =>Container =>Registry credentials.

Select “Managed identity” and point it at your ACR login server (e.g. myregistry.azurecr.io).

Save and wait for a new revision to deploy.

In the container app, there is no configuration option, and no containers show up because the app failed to deploy to the error stated in the original question. Is there a way past this point?
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-09T18:06:05.65+00:00

You can try with the CLI commands mentioned in the same point.
Ryan Thomas 0 Reputation points

2026-03-09T18:11:08.7933333+00:00

I get this error when trying anything in the CLI:

Is it because i'm signed in as an internal user in the portal? I'm not able to sign in as my internal user UPN in the CLI because it requires an actual email
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-09T18:13:16.46+00:00

You can run these commands directly in Azure Portal=>Bash
Ryan Thomas 0 Reputation points

2026-03-09T18:16:30.63+00:00

Sorry about all of this as I am new to Azure. I was able to run the command through bash, but I get this error now:
Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator

2026-03-12T22:25:41.6166667+00:00

@Ryan Thomas Have you tried with User Assigned Managed identity instead of system assigned as well?

Answer 1

The error means Azure Container Apps cannot authenticate to Azure Container Registry when pulling the image, even though the registry roles look correct. The usual causes are:

The container app is not actually configured to use a managed identity for image pull.
The managed identity that has AcrPull is not the same identity the container app is using.
ACR is not configured to accept ARM/managed-identity tokens.

Use these checks and fixes:

Verify ACR is configured for managed identity auth
Run:
```
   az acr config authentication-as-arm show -r <REGISTRY>
```
If it is disabled, enable it:
```
   az acr config authentication-as-arm update -r <REGISTRY> --status enabled
```
This is required for both system-assigned and user-assigned managed identities to pull images from ACR.
Confirm which identity the container app uses for image pull
In the Container App resource in the portal:
- Go to Identity and check whether System assigned is On and/or which User-assigned identity is attached.
- Then go to Application → Containers → Edit and deploy and verify:
  - Image source is Azure Container Registry.
  - Authentication type is Managed identity.
  - Managed identity is set to the same identity that has AcrPull on the registry.
If using system-assigned managed identity
Follow the documented flow:
- In Edit a container, set:
  - Image source = Azure Container Registry
  - Authentication type = Managed identity
  - Managed identity = System assigned
- Save and create the new revision. The portal then attempts to automatically add the AcrPull role to that system-assigned identity. If it fails, manually assign AcrPull on the registry to the system-assigned identity and redeploy.
If using user-assigned managed identity
Ensure:
- The user-assigned identity is attached to the container app.
- That same identity has AcrPull on the registry (scope can be the registry or the specific repo).
- The container definition’s Authentication type is Managed identity and the selected identity is this user-assigned identity.
Redeploy a new revision after fixing configuration
Once ACR is configured for ARM tokens and the correct identity is selected in the container app, create a new revision (for example via Edit and deploy). The unauthorized error should stop once the identity and ACR configuration match.

If the error persists, also confirm that the image name and tag (api:latest in the error) exist in the registry and that there are no network/firewall rules blocking the Container Apps environment from reaching the registry.

References:

Share via

Failed to provision revision for container app because unauthorized

1 answer

Your answer