diff --git a/azurerm/resource_arm_container_group.go b/azurerm/resource_arm_container_group.go
index eeb974cdd4bc8..049651805271c 100644
--- a/azurerm/resource_arm_container_group.go
+++ b/azurerm/resource_arm_container_group.go
@@ -56,18 +56,25 @@ func resourceArmContainerGroup() *schema.Resource {
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"server": {
-							Type:     schema.TypeString,
-							Required: true,
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.NoZeroValues,
+							ForceNew:     true,
 						},
 
 						"username": {
-							Type:     schema.TypeString,
-							Required: true,
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.NoZeroValues,
+							ForceNew:     true,
 						},
 
 						"password": {
-							Type:     schema.TypeString,
-							Required: true,
+							Type:         schema.TypeString,
+							Required:     true,
+							Sensitive:    true,
+							ValidateFunc: validation.NoZeroValues,
+							ForceNew:     true,
 						},
 					},
 				},
@@ -229,7 +236,6 @@ func resourceArmContainerGroupCreate(d *schema.ResourceData, meta interface{}) e
 	IPAddressType := d.Get("ip_address_type").(string)
 	tags := d.Get("tags").(map[string]interface{})
 	restartPolicy := d.Get("restart_policy").(string)
-	imageCredentials := expandContainerImageRegistryCredentials(d)
 
 	containers, containerGroupPorts, containerGroupVolumes := expandContainerGroupContainers(d)
 	containerGroup := containerinstance.ContainerGroup{
@@ -245,7 +251,7 @@ func resourceArmContainerGroupCreate(d *schema.ResourceData, meta interface{}) e
 			},
 			OsType:                   containerinstance.OperatingSystemTypes(OSType),
 			Volumes:                  containerGroupVolumes,
-			ImageRegistryCredentials: imageCredentials,
+			ImageRegistryCredentials: expandContainerImageRegistryCredentials(d),
 		},
 	}
 
@@ -303,9 +309,8 @@ func resourceArmContainerGroupRead(d *schema.ResourceData, meta interface{}) err
 	}
 	flattenAndSetTags(d, resp.Tags)
 
-	imageRegistryCredentials := flattenContainerImageRegistryCredentials(resp.ImageRegistryCredentials)
-	if imageRegistryCredentials != nil {
-		d.Set("image_registry_credential", imageRegistryCredentials)
+	if imageRegCreds := flattenContainerImageRegistryCredentials(d, resp.ImageRegistryCredentials); imageRegCreds != nil {
+		d.Set("image_registry_credential", imageRegCreds)
 	}
 
 	d.Set("os_type", string(resp.OsType))
@@ -588,10 +593,11 @@ func expandContainerImageRegistryCredentials(d *schema.ResourceData) *[]containe
 	return &output
 }
 
-func flattenContainerImageRegistryCredentials(credsPtr *[]containerinstance.ImageRegistryCredential) []interface{} {
+func flattenContainerImageRegistryCredentials(d *schema.ResourceData, credsPtr *[]containerinstance.ImageRegistryCredential) []interface{} {
 	if credsPtr == nil {
 		return nil
 	}
+	configsOld := d.Get("image_registry_credential").([]interface{})
 
 	creds := *credsPtr
 	output := make([]interface{}, len(creds))
@@ -600,13 +606,20 @@ func flattenContainerImageRegistryCredentials(credsPtr *[]containerinstance.Imag
 		if cred.Server != nil {
 			credConfig["server"] = *cred.Server
 		}
-		if cred.Password != nil {
-			credConfig["password"] = *cred.Password
-		}
 		if cred.Username != nil {
 			credConfig["username"] = *cred.Username
 		}
 
+		for i, configsOld := range configsOld {
+			data := configsOld.(map[string]interface{})
+			oldServer := data["server"].(string)
+			if cred.Server != nil && *cred.Server == oldServer {
+				if v, ok := d.GetOk(fmt.Sprintf("image_registry_credential.%d.password", i)); ok {
+					credConfig["password"] = v.(string)
+				}
+			}
+		}
+
 		output = append(output, credConfig)
 	}
 	return output
diff --git a/azurerm/resource_arm_container_group_test.go b/azurerm/resource_arm_container_group_test.go
index 5b9e655e6e98d..f210a73a9acf0 100644
--- a/azurerm/resource_arm_container_group_test.go
+++ b/azurerm/resource_arm_container_group_test.go
@@ -11,12 +11,40 @@ import (
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
 )
 
-func TestAccAzureRMContainerGroup_linuxBasic(t *testing.T) {
+func TestAccAzureRMContainerGroup_imageRegistryCredentials(t *testing.T) {
 	resourceName := "azurerm_container_group.test"
 	ri := acctest.RandInt()
 
 	config := testAccAzureRMContainerGroup_linuxBasic(ri, testLocation())
 
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMContainerGroupDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMContainerGroupExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "image_registry_credential.#:", "2"),
+					resource.TestCheckResourceAttr(resourceName, "image_registry_credential.0.server", "hub.docker.com"),
+					resource.TestCheckResourceAttr(resourceName, "image_registry_credential.0.username", "yourusername"),
+					resource.TestCheckResourceAttr(resourceName, "image_registry_credential.0.password:", "yourpassword"),
+					resource.TestCheckResourceAttr(resourceName, "image_registry_credential.1.server", "mine.acr.io"),
+					resource.TestCheckResourceAttr(resourceName, "image_registry_credential.1.username", "acrusername"),
+					resource.TestCheckResourceAttr(resourceName, "image_registry_credential.1.password:", "acrpassword"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMContainerGroup_linuxBasic(t *testing.T) {
+	resourceName := "azurerm_container_group.test"
+	ri := acctest.RandInt()
+
+	config := testAccAzureRMContainerGroup_imageRegistryCredentials(ri, testLocation())
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
@@ -176,6 +204,54 @@ resource "azurerm_container_group" "test" {
 `, ri, location, ri)
 }
 
+func testAccAzureRMContainerGroup_imageRegistryCredentials(ri int, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_container_group" "test" {
+  name                = "acctestcontainergroup-%d"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  ip_address_type     = "public"
+  os_type             = "linux"
+
+  container {
+    name   = "hw"
+    image  = "microsoft/aci-helloworld:latest"
+    cpu    = "0.5"
+    memory = "0.5"
+	port   = "80"
+  }
+  
+  image_registry_credential {
+    server   = "hub.docker.com"
+    username = "yourusername"
+    password = "yourpassword"
+  }
+
+  image_registry_credential {
+    server   = "mine.acr.io"
+    username = "acrusername"
+    password = "acrpassword"
+  }
+
+  container {
+    name   = "sidecar"
+    image  = "microsoft/aci-tutorial-sidecar"
+    cpu    = "0.5"
+    memory = "0.5"
+  }
+
+  tags {
+    environment = "Testing"
+  }
+}
+`, ri, location, ri)
+}
+
 func testAccAzureRMContainerGroup_linuxBasicUpdated(ri int, location string) string {
 	return fmt.Sprintf(`
 resource "azurerm_resource_group" "test" {