disable quarantine from container registry

Michael Heberle 25 Reputation points
2025-08-07T20:38:38.2766667+00:00

Azure Support Ticket

Subject: Urgent: Unable to Disable Quarantine Policy on ACR - Production Deployment Blocked

Service: Azure Container Registry
Subscription ID: blinded
Resource Group: blinded
Container Registry Name: blinded


Problem Description

We are experiencing a critical production deployment blockage for our application. All attempts to deploy our Azure Container Apps are failing because they are unable to pull images from our Azure Container Registry (blinded).

The deployment logs show a clear error message: IMAGE_QUARANTINED: The image is quarantined.

This issue has blocked our critical "Wave 4" release for over 48 hours.


Technical Details and Evidence

The JSON representation of our ACR's policies confirms that the quarantinePolicy is enabled:

JSON

"policies"

This is preventing our Container Apps from pulling any images, causing the entire Bicep deployment to fail. Here is a sample error from the deployment logs for one of the container apps:

JSON

{
    

Troubleshooting Steps Already Taken

We have performed extensive troubleshooting and have ruled out all other potential causes:

Content Trust: We have successfully disabled the trustPolicy using the Azure CLI (az acr config content-trust update --status disabled).

RBAC Permissions: We have verified that all relevant user accounts and the Container Apps' Managed Identities have the necessary AcrPull and AcrPush roles assigned.

Admin Credentials: The docker push command fails with a 403 error even when using the ACR's admin user credentials, proving this is a policy issue, not a user permission issue.

Portal and CLI: We have been unable to find a setting in the Azure Portal or a command in the Azure CLI (including older versions) that allows us to directly disable this quarantinePolicy. The portal shows "Microsoft Defender for Cloud" as "Off," which seems to contradict the policy's enabled status.


Urgent Request

We require your assistance to manually disable the quarantinePolicy for our Azure Container Registry: blinded.

This is the final blocker for our critical production deployment. Please escalate this issue as appropriate.

Thank you.

Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.

Accepted answer
  1. Himanshu Shekhar 160 Reputation points Microsoft External Staff Moderator
    2025-08-07T21:56:29.15+00:00

    Hello Michael Heberle,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Please follow the below suggested steps for removing the image from Quarantine using the Azure CLI command:

    az acr quarantine delete --name <acr-name> --image <image-name>:<tag>

    Replace <acr-name> with the name of your ACR instance, <image-name> with the name of your image, and <tag> with the tag of your image.

    This command removes the image from Quarantine and makes it available for use.

    Note: Quarantine is a feature of Azure Container Registry that allows you to prevent images with known vulnerabilities from being used.

    By default, Quarantine is not enabled for new ACR instances. 

    Hope this helps.

    1 person found this answer helpful.