diff --git a/pkg/fanal/image/registry/azure/azure.go b/pkg/fanal/image/registry/azure/azure.go
index fe348eaac9f5..3203829f3d3d 100644
--- a/pkg/fanal/image/registry/azure/azure.go
+++ b/pkg/fanal/image/registry/azure/azure.go
@@ -8,6 +8,8 @@ import (
 	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/profiles/preview/preview/containerregistry/runtime/containerregistry"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"golang.org/x/xerrors"
@@ -17,28 +19,41 @@ import (
 
 type Registry struct {
 	domain string
+	scope  string
+	cloud  cloud.Configuration
 }
 
 const (
-	azureURL = ".azurecr.io"
-	scope    = "https://management.azure.com/.default"
-	scheme   = "https"
+	azureURL      = ".azurecr.io"
+	chinaAzureURL = ".azurecr.cn"
+	scope         = "https://management.azure.com/.default"
+	chinaScope    = "https://management.chinacloudapi.cn/.default"
+	scheme        = "https"
 )
 
 func (r *Registry) CheckOptions(domain string, _ types.RegistryOptions) error {
-	if !strings.HasSuffix(domain, azureURL) {
-		return xerrors.Errorf("Azure registry: %w", types.InvalidURLPattern)
+	if strings.HasSuffix(domain, azureURL) {
+		r.domain = domain
+		r.scope = scope
+		r.cloud = cloud.AzurePublic
+		return nil
+	} else if strings.HasSuffix(domain, chinaAzureURL) {
+		r.domain = domain
+		r.scope = chinaScope
+		r.cloud = cloud.AzureChina
+		return nil
 	}
-	r.domain = domain
-	return nil
+
+	return xerrors.Errorf("Azure registry: %w", types.InvalidURLPattern)
 }
 
 func (r *Registry) GetCredential(ctx context.Context) (string, string, error) {
-	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	opts := azcore.ClientOptions{Cloud: r.cloud}
+	cred, err := azidentity.NewDefaultAzureCredential(&azidentity.DefaultAzureCredentialOptions{ClientOptions: opts})
 	if err != nil {
 		return "", "", xerrors.Errorf("unable to generate acr credential error: %w", err)
 	}
-	aadToken, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{scope}})
+	aadToken, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{r.scope}})
 	if err != nil {
 		return "", "", xerrors.Errorf("unable to get an access token: %w", err)
 	}
diff --git a/pkg/fanal/image/registry/azure/azure_test.go b/pkg/fanal/image/registry/azure/azure_test.go
index c8c48574b61b..0fb4839e8fee 100644
--- a/pkg/fanal/image/registry/azure/azure_test.go
+++ b/pkg/fanal/image/registry/azure/azure_test.go
@@ -20,6 +20,10 @@ func TestRegistry_CheckOptions(t *testing.T) {
 			name:   "happy path",
 			domain: "test.azurecr.io",
 		},
+		{
+			name:   "china happy path",
+			domain: "test.azurecr.cn",
+		},
 		{
 			name:    "invalidURL",
 			domain:  "not-azurecr.io",