I have a Service Principal which has Owner access over a Subscription barring few network actions. In the same subscription I have a resource group where I have created an ACR. I am trying to login to the acr with my service principal and it is throwing Access Denied error.
As the SP has the owner permissions I expect that the it can login to the ACR.
az login --service-principal -u *** --password=*** --tenant *** --allow-no-subscriptions az acr login --name myregistry
WARNING: Unable to get AAD authorization tokens with message: An error occurred: CONNECTIVITY_REFRESH_TOKEN_ERROR Access to registry 'acrshto01.azurecr.io' was denied. Response code: 403. Please try running 'az login' again to refresh permissions.
In my case it was an issue with Network private access (with Premium tier).
Make sure you allowed the IP address to access the registry.