You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Disable basic authentication in Azure App Service deployments
13
13
14
-
This article discusses how to disable basic username and password authentication for deploying code to Azure App Service apps. The article explains several ways to disable basic authentication, fallback deployment methods if any, and how to monitor basic authentication attempts.
14
+
This article discusses how to disable basic username and password authentication for deploying code to Azure App Service apps. The article explains several ways to disable basic authentication, fallback deployment methods if any, and how to monitor basic authentication access attempts.
15
15
16
16
App Service provides basic authentication for FTP and web deployment clients to connect using username and password deployment credentials. The basic authentication APIs are good for browsing your site's file system, uploading drivers and utilities, and deploying with MSBuild. For more information, see [Configure deployment credentials for Azure App Service](deploy-configure-credentials.md).
17
17
@@ -21,7 +21,7 @@ Microsoft Entra also lets you deploy from other Azure services by using managed
21
21
22
22
## Prerequisites
23
23
24
-
- To disable using basic authentication for FTP access to an app, you must have owner-level access to the app.
24
+
- To disable basic authentication for FTP access to an app, you must have owner-level access to the app.
25
25
- To create and assign a role to prevent lower-privileged users from enabling basic authentication, you must have **Owner** or **User Access Administrator** permissions in the subscription.
26
26
27
27
## Disable basic authentication
@@ -33,6 +33,8 @@ For other deployment methods that use basic authentication, such as Visual Studi
33
33
>[!NOTE]
34
34
>SCM basic authentication is required for enabling FTP basic authentication.
35
35
36
+
To disable basic authentication:
37
+
36
38
### [Azure portal](#tab/portal)
37
39
38
40
1. In the [Azure portal](https://portal.azure.com), search for and select **App Services**, and then select your app.
@@ -45,15 +47,15 @@ For other deployment methods that use basic authentication, such as Visual Studi
45
47
46
48
### [Azure CLI](#tab/cli)
47
49
48
-
Run the following Azure CLI commands in the Bash environment of Azure Cloud Shell by selecting **Open Cloud Shell** at the upper right of the code block.
50
+
Run the following Azure CLI commands in the Bash environment of Azure Cloud Shell by selecting **Open Cloud Shell** at the upper right of the code block. Copy the code, replace any placeholders, paste it into the Cloud Shell and run it.
49
51
50
52
To disable FTP basic authentication access, run the following command, replacing the placeholders with your app's resource group and name. You must have owner-level access to the app.
To disable basic authentication access for the Web Deploy port and Git deploy `https://\<app-name>.scm.azurewebsites.net`, run the following command. Replace the placeholders with your app's resource group and name.
58
+
To disable basic authentication access for the Web Deploy port and Git deploy with `https://<app-name>.scm.azurewebsites.net`, run the following command. Replace the placeholders with your app's resource group and name.
@@ -89,7 +91,7 @@ The following table shows how various deployment methods behave when basic authe
89
91
90
92
### Visual Studio basic authentication disabled warning
91
93
92
-
Visual Studio requires basic authentication to deploy to Azure App Service. If you disable basic authentication, a Visual Studio warning reminds you that your app configuration changed and you can no longer deploy to your app. Either you disabled basic authentication on the app yourself, or your organization policy disabled basic authentication for App Service apps.
94
+
Visual Studio requires basic authentication to deploy to Azure App Service. If a Visual Studio warning states that your app configuration changed and you can no longer deploy to your app, either you disabled basic authentication on the app or your organization policy disabled basic authentication for App Service apps.
93
95
94
96
## Create a custom role to prevent enabling basic authentication
95
97
@@ -106,7 +108,7 @@ To prevent lower-privileged users from enabling basic authentication for any app
106
108
1. Select the box for **Write**, and then select **Add**. This step adds the operation to **NotActions** for the role.
107
109
1. Select **Exclude permissions** again.
108
110
1. Search for and expand **microsoft.web/sites/slots/basicPublishingCredentialsPolicies**, select the **Write** box, and then select **Add**.
109
-
1. Your **Permissions** tab should look like the following screenshot. Select **Review + create**, and then select **Create**.
111
+
1. Your **Permissions** tab should now look like the following screenshot. Select **Review + create**, and then select **Create**.
110
112
111
113
:::image type="content" source="media/configure-basic-auth-disable/custom-role-no-basic-auth.png" alt-text="Screenshot that shows excluding Write for basicPublishingCredentialsPolicies.":::
112
114
@@ -122,7 +124,7 @@ az role definition create --role-definition '{
122
124
"IsCustom": true,
123
125
"Description": "Prevents users from enabling basic authentication for all App Service apps or slots.",
0 commit comments