We observed that granting Azure Reader role at subscription or resource group level allows users to pull container images from Azure Container Registry instances, thus potentially reveling confidential or sensitive data to unauthorised parties.
Continue reading The effect of granting Azure Reader role on Azure Container Registry instancesOrange Cyberdefense Switzerland's technical blog