> ## Documentation Index
> Fetch the complete documentation index at: https://docs.backline.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure ACR Integration

> Scan container images in Azure Container Registry

## Overview

The Azure ACR (Azure Container Registry) integration enables Backline to scan your container images hosted in Azure for security vulnerabilities. Backline uses a service principal with AcrPull permissions to access and scan your container registries.

## What You Can Do

With the ACR integration, Backline can:

* Scan container images in your Azure registries
* Analyze image layers for vulnerabilities
* Detect security issues in dependencies
* Track image security across versions
* Monitor compliance with security policies

## Prerequisites

Before connecting ACR, ensure you have:

* Azure CLI installed and logged in (`az login`)
* An Azure account with ACR registries
* Permissions to create service principals and assign roles
* Access to the resource groups containing your ACRs

## Connecting ACR

Backline provides automated scripts to simplify the ACR integration setup process.

<Steps>
  <Step title="Run the Installation Script">
    Use the automated script to create a service principal and grant AcrPull permissions to your ACRs.

    See the [Azure Integration Scripts README](https://github.com/Backline-labs/azure-integration/blob/main/scripts/azure/README.md) for detailed instructions and options.

    **Quick example:**

    ```bash theme={null}
    ./scripts/azure/install_azure_integration.sh --acr myacr --rg mygroup
    ```
  </Step>

  <Step title="Copy Your Tenant ID">
    After running the script, it will output your **Tenant ID** and **Backline App ID**. Save the Tenant ID - you'll need it for the Backline UI.
  </Step>

  <Step title="Configure in Backline UI">
    Go to the Integration Hub in Backline and configure the ACR integration using your **Tenant ID**.
  </Step>
</Steps>

## Setup Scripts

The integration uses two main scripts:

* [**`install_azure_integration.sh`**](https://github.com/Backline-labs/azure-integration/blob/main/scripts/azure/install_azure_integration.sh) - Creates service principal and grants AcrPull access
* [**`cleanup_azure_integration.sh`**](https://github.com/Backline-labs/azure-integration/blob/main/scripts/azure/cleanup_azure_integration.sh) - Removes access or deletes the service principal

## What the Setup Script Does

The installation script automatically:

1. Creates a service principal for Backline AI (App ID: `3fc75f55-e53f-4950-9127-665106cded58`)
2. Assigns the `AcrPull` role to specified container registries
3. Outputs your **Tenant ID** (required for Backline UI configuration)

<Tip>
  The scripts are idempotent and safe to run multiple times. Use `--dry-run` to preview changes before applying them.
</Tip>

## After Connection

Once ACR is connected, Backline will:

1. List all registries and repositories
2. Begin scanning tagged images
3. Analyze vulnerabilities in image layers
4. Provide remediation guidance

## Image Scanning

Backline examines:

* All images in connected registries
* Base image vulnerabilities
* Application dependencies within containers
* Configuration weaknesses

<Note>
  Initial scans may take time depending on image size and quantity. Backline performs incremental scans for efficiency.
</Note>

## Managing the Integration

### Adding More ACRs

To add additional ACRs to the integration, simply run the installation script again with the new ACRs:

```bash theme={null}
./scripts/azure/install_azure_integration.sh --acr newacr --rg newgroup
```

The script is idempotent and will only add new permissions without affecting existing ones.

### Removing ACR Access

To remove Backline access from specific ACRs or remove the integration entirely, use the [**`cleanup_azure_integration.sh`**](https://github.com/Backline-labs/azure-integration/blob/main/scripts/azure/cleanup_azure_integration.sh) script:

**Remove specific ACR:**

```bash theme={null}
./scripts/azure/cleanup_azure_integration.sh --acr myacr --rg mygroup
```

**Remove all ACR access and delete service principal:**

```bash theme={null}
./scripts/azure/cleanup_azure_integration.sh --all --yes
```

See the [cleanup script documentation](https://github.com/Backline-labs/azure-integration/blob/main/scripts/azure/README.md#cleanup_azure_integrationsh) for more options.

<Warning>
  Removing the service principal (`--all`) will stop scanning of all Azure container images. Existing findings remain but won't be refreshed.
</Warning>