edits

v-thepet · v-thepet · commit 87d39c7cda3f · 2025-06-30T16:08:41.000-07:00
diff --git a/articles/app-service/deploy-configure-credentials.md b/articles/app-service/deploy-configure-credentials.md
@@ -5,37 +5,39 @@ author: cephalin
 ms.author: cephalin
 ms.reviewer: byvinyal
 ms.topic: how-to
-ms.date: 06/27/2025
+ms.date: 06/30/2025
 
 ---
 
 # Manage deployment credentials for Azure App Service
 
-You can deploy local apps to [Azure App Service](overview.md) by using [local Git deployment](deploy-local-git.md) or [FTP/S deployment](deploy-ftp.md). App Service supports two types of credentials you can use for secure local app deployment, *user-scope* and *app-scope* credentials. These deployment credentials are different from your Azure subscription credentials.
+You can deploy local apps to [Azure App Service](overview.md) by using [local Git deployment](deploy-local-git.md) or [FTP/S deployment](deploy-ftp.md). App Service supports two types of credentials for secure local app deployment: *user-scope* and *app-scope* credentials. These deployment credentials are different from your Azure subscription credentials. This article explains how to create and manage deployment credentials for local Git or FTP/S deployment. 
 
 [!INCLUDE [app-service-deploy-credentials](../../includes/app-service-deploy-credentials.md)]
 
 ## Prerequisites
 
-To access, set, or reset deployment user credentials, you must have contributor-level permissions on an App Service app.
+To access, set, or reset deployment user credentials, you must have **Contributor**-level permissions on an App Service app.
 
 <a name="disable-basic-authentication"></a>
 ### Basic authentication requirement
 
-To publish App Service apps via local Git or FTP/S, basic authentication must be enabled. **SCM Basic Auth Publishing Credentials** and **FTP Basic Auth Publishing Credentials** must both be set to **On** on the app's **Configuration** page in the Azure portal.
+To publish App Service apps via local Git or FTP/S, you must enable basic authentication. **SCM Basic Auth Publishing Credentials** and **FTP Basic Auth Publishing Credentials** must both be set to **On** on the app's **Configuration** page in the Azure portal.
 
 Basic authentication is less secure than other authentication methods and is disabled by default for new apps. When basic authentication is disabled, you can't view or set deployment credentials in the app's **Deployment Center** or use these credentials for publishing. For more information, see [Disable basic authentication in Azure App Service deployments](configure-basic-auth-disable.md).
 
 <a name="userscope"></a>
 ## Set user-scope credentials
 
-You can configure user-scope credentials by using Azure CLI or the Azure portal. 
+Both local Git and FTP/S deployment require a user name. The user name must be unique within Azure.
 
-- Both local Git and FTP/S deployment require a user name.
-  - The user name must be unique within Azure, and can't contain the `@` character.
-  - To authenticate to an FTP/S endpoint, the user name must follow the format `<app-name>\<user-name>`. Since user-scope credentials are linked to the user and not to the app, the username must be in this format to direct the sign-in action to the correct FTP/S endpoint for the app.
+- For local Git, the user name can't contain the `@` character.
 
-- For FTP/S deployment only, you also need a password. The password must be at least eight characters and contain capital letters, lowercase letters, numbers, and symbols. The JSON output shows the password as `null`. Local Git deployment doesn't require a password.
+- To authenticate to an FTP/S endpoint, the user name must follow the format `<app-name>\<user-name>`. Since user-scope credentials are linked to the user and not to the app, the username must be in this format to direct the sign-in action to the correct FTP/S endpoint for the app.
+
+For FTP/S deployment, you also need a password. The password must be at least eight characters and contain capital letters, lowercase letters, numbers, and symbols. The JSON output shows the password as `null`. Local Git deployment doesn't require a password.
+
+You can configure user-scope credentials by using Azure CLI or the Azure portal.
 
 # [Azure CLI](#tab/cli)
 
@@ -63,14 +65,16 @@ To configure deployment credentials:
 
 -----
 
-After you set the credentials, you can see your deployment user name on your app's **Overview** page in the Azure portal. If local Git deployment is configured, the label is **Git/deployment username**. Otherwise, the label is **FTP/deployment username**. The page doesn't show the password.
+After you set the credentials, you can see your deployment user name on your app's **Overview** page in the Azure portal. If local Git deployment is configured, the label is **Git/deployment username**. Otherwise, the label is **FTP/deployment username**.
+
+The portal doesn't show the password. If you forget your password, you can [reset your credentials](#reset-credentials) to get a new one.
 
 ![Screenshot that shows the Git deployment user name on an app's Overview page.](./media/app-service-deployment-credentials/deployment_credentials_overview.png)
 
 <a name="appscope"></a>
 ## Get application-scope credentials
 
-The application-scope credentials are automatically created along with the app. The FTP/S app-scope user name always follows the format `app-name\$app-name`. The local Git user name uses the format `$app-name`.
+The application-scope credentials are automatically created with the app. The FTP/S app-scope user name always follows the format `app-name\$app-name`. The local Git user name uses the format `$app-name`.
 
 >[!NOTE]
 >When you use `git remote add` in shells that use the dollar sign for variable interpolation, such as Bash, you must use `\$` to escape any dollar signs in the username or password to avoid authentication errors.
@@ -107,57 +111,56 @@ To get the application-scope credentials:
 
 1. In the Azure portal, select **Deployment Center** under **Deployment** in the left navigation menu of your app.
 1. On the **Deployment Center** page, select the **FTPS credentials** or **Local Git/FTPS credentials** tab.
-1. In the **Application-scope** section, view the **FTPS username**, the **Local Git username**, and the **Password**. Select the copy icons to copy the values.
+1. In the **Application-scope** section, view the **FTPS username**, **Local Git username**, and **Password**. Select the copy icons to copy the values.
 
 -----
 
-## Reset application-scope credentials
+## Reset credentials
 
-You can use Azure CLI, Azure PowerShell, or the Azure portal to reset your application-scope deployment credentials and get a new password. The app-scope user names remain at their autogenerated values.
+You can use Azure CLI, Azure PowerShell, or the Azure portal to reset your application-scope deployment credentials and get a new password. The app-scope user names retain their autogenerated values.
 
 In Azure CLI and the Azure portal, you can also reset your user-scope credentials by creating new ones. This action affects all the apps in your account that use the user-scope credentials.
 
-When you reset your deployment credentials, any external integrations and automation stop working and must be reconfigured with the new values. 
+When you reset your deployment credentials, any external integrations and automation via the publishing profile stop working and must be reconfigured with the new values.
 
 # [Azure CLI](#tab/cli)
 
-Reset the application-scope password by using the [`az resource invoke-action`](/cli/azure/resource#az-resource-invoke-action) command.
+In Azure CLI, reset the application-scope password by using the [`az resource invoke-action`](/cli/azure/resource#az-resource-invoke-action) command.
 
 ```azurecli-interactive
 az resource invoke-action --action newpassword --resource-group <group-name> --name <app-name> --resource-type Microsoft.Web/sites
 ```
 
-Reset the user-scope credentials by rerunning the [`az webapp deployment user set`](/cli/azure/webapp/deployment/user#az-webapp-deployment-user-set) command, supplying new user name and password values.
+Reset the user-scope credentials by rerunning the [`az webapp deployment user set`](/cli/azure/webapp/deployment/user#az-webapp-deployment-user-set) command to create new user name and password values.
 
 ```azurecli-interactive
 az webapp deployment user set --user-name <new-username> --password <new-password>
 ```
 
 # [Azure PowerShell](#tab/powershell)
 
-Reset the application-scope password by using the [`Invoke-AzResourceAction`](/powershell/module/az.resources/invoke-azresourceaction) command:
+In Azure PowerShell, reset the application-scope password by using the [`Invoke-AzResourceAction`](/powershell/module/az.resources/invoke-azresourceaction) command:
 
 ```azurepowershell-interactive
 Invoke-AzResourceAction -ResourceGroupName <group-name> -ResourceType Microsoft.Web/sites -ResourceName <app-name> -Action newpassword
 ```
 
 # [Azure portal](#tab/portal)
 
-From the left navigation menu of your app, select **Deployment Center** > **FTPS credentials** or **Local Git/FTPS credentials**.
+From the left navigation menu of your app in the Azure portal, select **Deployment Center** > **FTPS credentials** or **Local Git/FTPS credentials**.
 
 - To reset your app-scope credentials and get a new password, select **Reset** at the bottom of the **Application-scope** section.
 
 - To reset your user-scope credentials:
+  1. Select **Reset** at the bottom of the **User-scope** section. This selection deletes both user name and password, and disables user-scope credentials.
+  1. To reset and reenable your user-scope credentials, enter a new username and password, and select **Save**.
 
-  1. Select **Reset** at the bottom of the **User-scope** section. This action deletes both user name and password, and disables user-scope credentials.
-  1. To reenable and reset your user-scope credentials, enter a new username and password, and select **Save**.
-
-  This action takes effect across all the apps in your account that use the user-scope credentials.
+This action takes effect across all the apps in your account that use the user-scope credentials.
 
 -----
 
 ## Related content
 
 - [Disable basic authentication in Azure App Service deployments](configure-basic-auth-disable.md)
 - [Deploy to Azure App Service by using local Git](deploy-local-git.md)
-- [Deploy your app to Azure App Service using FTP/S](deploy-ftp.md).
+- [Deploy your app to Azure App Service using FTP/S](deploy-ftp.md)
diff --git a/includes/app-service-deploy-credentials.md b/includes/app-service-deploy-credentials.md
@@ -2,14 +2,14 @@
 author: cephalin
 ms.service: azure-app-service
 ms.topic: include
-ms.date: 04/20/2020
+ms.date: 06/30/2025
 ms.author: cephalin
 ---
 
-- **User-scope credentials** provide a user with one set of deployment credentials for their entire Azure account. A user who is granted app access via role-based access control (RBAC) or coadministrator permissions can use their user-level credentials until access is revoked.
+- **User-scope** or user-level credentials provide one set of deployment credentials for a user's entire Azure account. You can use your user-scope credentials to deploy any app to App Service via local Git or FTP/S in any subscription that your Azure account has permission to access. You don't share these credentials with any other Azure users.
 
-  You can use your user-scope credentials to deploy any app to App Service via local Git or FTP/S in any subscription that your Azure account has permission to access. You don't share these credentials with other Azure users.
+  A user who is granted app access via role-based access control (RBAC) or coadministrator permissions can use their user-level credentials until access is revoked. You can reset your user-scope credentials anytime.
 
-- **App-scope credentials** provide one set of credentials per app, which can be used to deploy that app only. The app-scope credentials for each app are generated automatically during app creation and can't be configured manually, but they can be reset anytime.
+- **App-scope** or app-level credentials provide one set of credentials per app, which can be used to deploy that app only. These credentials are generated automatically for each app at creation and can't be configured manually, but the password can be reset anytime.
 
   A user must have at least **Contributor** level permissions on an app, including the built-in **Website Contributor** role, to be granted access to app-level credentials via RBAC. **Reader** role can't publish and can't access these credentials.
