MicrosoftDocs
diff --git a/‎articles/app-service/deploy-ftp.md
Lines changed: 82 additions & 79 deletions b/‎articles/app-service/deploy-ftp.md
Lines changed: 82 additions & 79 deletions
diff --git a/‎articles/app-service/media/app-service-deploy-ftp/disable-ftp.png
61.1 KB b/‎articles/app-service/media/app-service-deploy-ftp/disable-ftp.png
61.1 KB
@@ -1,163 +1,166 @@
 ---
-title: Deploy content using FTP/S
-description: Learn how to deploy your app to Azure App Service using FTP or FTPS. Improve website security by disabling unencrypted FTP.
+title: Deploy content using FTP
+description: Learn how to deploy your app to Azure App Service using FTP or FTPS, and improve website security by disabling unencrypted FTP.
 
 ms.assetid: ae78b410-1bc0-4d72-8fc4-ac69801247ae
 ms.topic: article
-ms.date: 02/29/2024
+ms.date: 06/09/2025
 author: cephalin
 ms.author: cephalin
 ---
 
-# Deploy your app to Azure App Service using FTP/S
+# Deploy your app to Azure App Service using FTP
 
-This article shows you how to use FTP or FTPS to deploy your web app, mobile app backend, 
-or API app to [Azure App Service](./overview.md).
+This article shows you how to use File Transfer Protocol (FTP) or File Transfer Protocol Secure (FTPS) to deploy your web app, mobile app backend, or API app to [Azure App Service](overview.md).
 
-The FTP/S endpoint for your app is already active. No configuration is necessary to enable FTP/S deployment.
+FTPS is a more secure form of FTP that uses Transport Layer Security (TLS) and Secure Sockets Layer (SSL). For more information, see [Enforce FTPS](#enforce-ftps). In this article, the terms are interchangeable unless otherwise specified.
+
+The FTP endpoint for your app is already active. No configuration is necessary to enable FTP or FTPS deployment. 
 
 > [!NOTE]
-> When [FTP basic authentication is disabled](configure-basic-auth-disable.md), FTP/S deployment doesn't work, and you can't view or configure FTP credentials in the app's Deployment Center.
+> Both SCM Basic Auth Publishing Credentials and FTP Basic Auth Publishing Credentials must be enabled for FTP deployment to work. When [basic authentication is disabled](configure-basic-auth-disable.md), FTP deployment doesn't work, and you can't view or configure FTP credentials in the app's **Deployment Center**.
 
 ## Get deployment credentials
 
-1. Follow the instructions at [Configure deployment credentials for Azure App Service](deploy-configure-credentials.md) to copy the application-scope credentials or set the user-scope credentials. You can connect to the FTP/S endpoint of your app using either credentials.
-
-1. Craft the FTP username in the following format, depending on your choice of credential scope:
+To get credentials for deployment, follow the instructions at [Configure deployment credentials for Azure App Service](deploy-configure-credentials.md). Copy the application-scope credentials for your app, or set and copy user-scope credentials. You can connect to your app's FTP endpoint by using either set of credentials.
 
-    | Application-scope | User-scope |
-    | - | - |
-    |`<app-name>\$<app-name>`|`<app-name>\<deployment-user>`|
+For application-scope credentials, the FTP username format is `<app-name>\$<app-name>`. For user-scope credentials, the FTP username format is `<app-name>\<username>`. The App Service FTP endpoint is shared among apps, so because user-scope credentials aren't linked to a specific resource, you must prepend the username with the app name.
 
-    ---
+## Get FTP endpoint
 
-    In App Service, the FTP/S endpoint is shared among apps. Because the user-scope credentials aren't linked to a specific resource, you need to prepend the user-scope username with the app name as shown above.
+To get the FTP endpoint:
 
-## Get FTP/S endpoint
-    
 # [Azure portal](#tab/portal)
 
-In the same management page for your app where you copied the deployment credentials (**Deployment Center** > **FTP Credentials**), copy the **FTPS endpoint**.
+On the [Azure portal](https://portal.azure.com) page for your app, select **Deployment Center** under **Deployment** in the left navigation menu. On the **FTPS Credentials** tab, copy the **FTPS Endpoint** URL.
 
 # [Azure CLI](#tab/cli)
 
-Run the [az webapp deployment list-publishing-profiles](/cli/azure/webapp/deployment#az-webapp-deployment-list-publishing-profiles) command. The following example uses a [JMESPath query](/cli/azure/query-azure-cli) to extract the FTP/S endpoints from the output.
+Run the following [az webapp deployment list-publishing-profiles](/cli/azure/webapp/deployment#az-webapp-deployment-list-publishing-profiles) command, replacing the `<app-name>` and `<resource-group-name>` with your values. The following example uses a [JMESPath query](/cli/azure/query-azure-cli) to extract the FTP endpoints from the output.
 
 ```azurecli-interactive
-az webapp deployment list-publishing-profiles --name <app-name> --resource-group <group-name> --query "[?ends_with(profileName, 'FTP')].{profileName: profileName, publishUrl: publishUrl}"
+az webapp deployment list-publishing-profiles --name <app-name> --resource-group <resource-group-name> --query "[?ends_with(profileName, 'FTP')].{profileName: profileName, publishUrl: publishUrl}"
 ```
 
-Each app has two FTP/S endpoints, one is read-write, while the other is read-only (`profileName` contains `ReadOnly`) and is for data recovery scenarios. To deploy files with FTP, copy the URL of the read-write endpoint.
+Each app has two FTP endpoints, read-write and read-only, where `profileName` contains `ReadOnly` and is for data-recovery scenarios. For FTP deployment, copy the read-write URL.
 
 # [Azure PowerShell](#tab/powershell)
 
-Run the [Get-AzWebAppPublishingProfile](/powershell/module/az.websites/get-azwebapppublishingprofile) command. The following example extracts the FTP/S endpoint from the XML output.
+Run the following [Get-AzWebAppPublishingProfile](/powershell/module/az.websites/get-azwebapppublishingprofile) command, replacing the `<app-name>` and `<resource-group-name>` with your values. The following example extracts the FTP endpoint from the XML output.
 
 ```azurepowershell-interactive
-$xml = [xml](Get-AzWebAppPublishingProfile -Name <app-name> -ResourceGroupName <group-name> -OutputFile null)
+$xml = [xml](Get-AzWebAppPublishingProfile -Name <app-name> -ResourceGroupName <resource-group-name> -OutputFile null)
 $xml.SelectNodes("//publishProfile[@publishMethod=`"FTP`"]/@publishUrl").value
 ```
 
 -----
 
 ## Deploy files to Azure
 
-1. From your FTP client (for example, [Visual Studio](https://www.visualstudio.com/vs/community/), [Cyberduck](https://cyberduck.io/), or [WinSCP](https://winscp.net/index.php)), use the connection information you gathered to connect to your app.
-2. Copy your files and their respective directory structure to the [**/site/wwwroot** directory](https://github.com/projectkudu/kudu/wiki/File-structure-on-azure) in Azure (or the **/site/wwwroot/App_Data/Jobs/** directory for WebJobs).
-3. Browse to your app's URL to verify the app is running properly. 
+To deploy files to Azure with FTP:
+
+1. From your FTP client such as [Visual Studio](https://www.visualstudio.com/vs/community/), [Cyberduck](https://cyberduck.io/), or [WinSCP](https://winscp.net/index.php)), use your connection information to connect to your app.
+1. Copy your files and their directory structure to the [/site/wwwroot](https://github.com/projectkudu/kudu/wiki/File-structure-on-azure) directory in Azure or the */site/wwwroot/App_Data/Jobs/* directory for WebJobs.
+1. Browse to your app's URL to verify the app is running properly.
 
 > [!NOTE] 
-> Unlike [Git-based deployments](deploy-local-git.md) and [Zip deployment](deploy-zip.md), FTP deployment doesn't support build automation, such as: 
->
-> - dependency restores (such as NuGet, NPM, PIP, and Composer automations)
-> - compilation of .NET binaries
-> - generation of web.config (here is a [Node.js example](https://github.com/projectkudu/kudu/wiki/Using-a-custom-web.config-for-Node-apps))
-> 
-> Generate these necessary files manually on your local machine, and then deploy them together with your app.
->
+> Unlike [local Git deployment](deploy-local-git.md) and [ZIP deployment](deploy-zip.md), FTP deployment doesn't support build automation such as: 
+> - Restoring dependencies like NuGet, NPM, PIP, and Composer automation.
+> - Compiling .NET binaries.
+> - Generating a *web.config* file.
+> You must generate these necessary files manually on your local machine and then deploy them with your app. For a Node.js *web.config* example, see [Using a custom web.config for Node apps](https://github.com/projectkudu/kudu/wiki/Using-a-custom-web.config-for-Node-apps).
 
 ## Enforce FTPS
 
-For enhanced security, you should allow FTP over TLS/SSL only. You can also disable both FTP and FTPS if you don't use FTP deployment.
+For enhanced security, you should allow FTPS over TLS/SSL only. You can also disable both FTP and FTPS if you don't use FTP deployment.
+
+To disable unencrypted FTP:
 
 # [Azure portal](#tab/portal)
 
-1. In your app's resource page in [Azure portal](https://portal.azure.com), select **Configuration** > **General settings** from the left navigation.
+1. On the Azure portal page for your app, select **Configuration** under **Settings** in the left navigation menu.
+
+1. On the **General settings** tab of the **Configuration** page, under **Platform settings**, select **FTPS only** for **FTP state**. Or to disable both FTP and FTPS entirely, select **Disabled**.
 
-2. To disable unencrypted FTP, select **FTPS Only** in **FTP state**. To disable both FTP and FTPS entirely, select **Disabled**. When finished, select **Save**. If using **FTPS Only**, you must enforce TLS 1.2 or higher by navigating to the **TLS/SSL settings** page of your web app. TLS 1.0 and 1.1 aren't supported with **FTPS Only**.
+   ![Screenshot that shows setting FTP state to FTPS only.](./media/app-service-deploy-ftp/disable-ftp.png)
 
-    ![Disable FTP/S](./media/app-service-deploy-ftp/disable-ftp.png)
+1. If you select **FTPS only**, be sure TLS 1.2 or higher is enforced for **Minimum Inbound TLS Settings**. TLS 1.0 and 1.1 aren't supported for **FTPS only**.
+
+1. Select **Save**.
 
 # [Azure CLI](#tab/cli)
 
-Run the [az webapp config set](/cli/azure/webapp/deployment#az-webapp-deployment-list-publishing-profiles) command with the `--ftps-state` argument.
+Run the following [az webapp config set](/cli/azure/webapp/deployment#az-webapp-deployment-list-publishing-profiles) command, replacing the `<app-name>` and `<resource-group-name>` with your values. Use the `--ftps-state` argument set to `FtpsOnly` to enforce FTPS, or `Disabled` to disable both FTP and FTPS.
 
 ```azurecli-interactive
-az webapp config set --name <app-name> --resource-group <group-name> --ftps-state FtpsOnly
+az webapp config set --name <app-name> --resource-group <resource-group-name> --ftps-state FtpsOnly
 ```
 
-Possible values for `--ftps-state` are `AllAllowed` (FTP and FTPS enabled), `Disabled` (FTP and FTPS disabled), and `FtpsOnly` (FTPS only).
-
 # [Azure PowerShell](#tab/powershell)
 
-Run the [Set-AzWebApp](/powershell/module/az.websites/set-azwebapp) command with the `-FtpsState` parameter.
+Run the following [Set-AzWebApp](/powershell/module/az.websites/set-azwebapp) command, replacing the `<app-name>` and `<resource-group-name>` with your values. Use the `-FtpsState` parameter set to `FtpsOnly` to enforce FTPS, or `Disabled` to disable both FTP and FTPS..
 
 ```azurepowershell-interactive
-Set-AzWebApp -Name <app-name> -ResourceGroupName <group-name> -FtpsState FtpsOnly
+Set-AzWebApp -Name <app-name> -ResourceGroupName <-resource-group-name> -FtpsState FtpsOnly
 ```
 
-Possible values for `--ftps-state` are `AllAllowed` (FTP and FTPS enabled), `Disabled` (FTP and FTPS disabled), and `FtpsOnly` (FTPS only).
-
 -----
 
-[!INCLUDE [What happens to my app during deployment?](../../includes/app-service-deploy-atomicity.md)]
-
 ## Troubleshoot FTP deployment
 
- - [How can I troubleshoot FTP deployment?](#how-can-i-troubleshoot-ftp-deployment)
- - [I'm not able to FTP and publish my code. How can I resolve the issue?](#im-not-able-to-ftp-and-publish-my-code-how-can-i-resolve-the-issue)
- - [How can I connect to FTP in Azure App Service via passive mode?](#how-can-i-connect-to-ftp-in-azure-app-service-via-passive-mode)
- - [Why is my connection failing when attempting to connect over FTPS using explicit encryption?](#why-is-my-connection-failing-when-attempting-to-connect-over-ftps-using-explicit-encryption)
- - [How can I determine the method that was used to deploy my Azure App Service?](#how-can-i-determine-the-method-that-was-used-to-deploy-my-azure-app-service)
+- [How can I connect to FTP in App Service via passive mode?](#how-can-i-connect-to-ftp-in-azure-app-service-via-passive-mode)
+- [How can I determine what method was used to deploy my app?](#how-can-i-determine-what-method-was-used-to-deploy-my-app)
+- [What can happen to my app during deployment?](#what-can-happen-to-my-app-during-deployment)
+- [What's the first step in troubleshooting FTP deployment?](#whats-the-first-step-in-troubleshooting-ftp-deployment)
+- [Why can't I FTP and publish my code?](#why-cant-i-ftp-and-publish-my-code)
+- [Why does my connection fail when attempting to connect over FTPS using explicit encryption?](#why-does-my-connection-fail-when-attempting-to-connect-over-ftps-using-explicit-encryption)
+
+### How can I connect to FTP in Azure App Service via passive mode?
 
-#### How can I troubleshoot FTP deployment?
+Azure App Service supports connecting via both active and passive modes. Passive mode is preferred because deployment machines are usually behind a firewall in the operating system or as part of a home or business network. For an example of a passive mode connection, see [The Connection Page (Advanced Site Settings dialog)](https://winscp.net/docs/ui_login_connection).
 
-The first step for troubleshooting FTP deployment is isolating a deployment issue from a runtime application issue.
+### How can I determine what method was used to deploy my app?
 
-A deployment issue typically results in no files or wrong files deployed to your app. You can troubleshoot by investigating your FTP deployment or selecting an alternate deployment path (such as source control).
+You can find out how an app was deployed by checking the application settings under **Settings** > **Environmental variables** in the Azure portal. Select the **App settings** tab.
 
-A runtime application issue typically results in the right set of files deployed to your app but incorrect app behavior. You can troubleshoot by focusing on code behavior at runtime and investigating specific failure paths.
+- If the app was deployed using an external package URL, you see the `WEBSITE_RUN_FROM_PACKAGE` setting in the application settings with a URL value.
+- If the app was deployed using ZIP deploy, you see the `WEBSITE_RUN_FROM_PACKAGE` setting with a value of `1`.
 
-To determine a deployment or runtime issue, see [Deployment vs. runtime issues](https://github.com/projectkudu/kudu/wiki/Deployment-vs-runtime-issues).
+If the app was deployed using Azure DevOps, you can see the deployment history in the Azure DevOps portal. If Azure Functions Core Tools was used, you can see the deployment history in the Azure portal.
 
-#### I'm not able to FTP and publish my code. How can I resolve the issue?
-Check that you entered the correct [hostname](#get-ftps-endpoint) and [credentials](#get-deployment-credentials). Check also that the following FTP ports on your machine aren't blocked by a firewall:
+<a name="what-can-happen-to-my-app-during-deployment"></a>
+[!INCLUDE [What can happen to my app during deployment?](../../includes/app-service-deploy-atomicity.md)]
+
+### What's the first step in troubleshooting FTP deployment?
+
+The first step for troubleshooting FTP deployment is distinguishing between deployment issues and runtime application issues.
+
+- A deployment issue typically results in no files or wrong files deployed to your app. You can troubleshoot by investigating your FTP deployment or selecting an alternate deployment path, such as source control.
+- A runtime application issue typically results in the right set of files deployed to your app but incorrect app behavior. You can troubleshoot by focusing on code behavior at runtime and investigating specific failure paths.
+
+For more information, see [Deployment vs. runtime issues](https://github.com/projectkudu/kudu/wiki/Deployment-vs-runtime-issues).
+
+### Why can't I FTP and publish my code?
+
+Check that you entered the correct [hostname](#get-ftp-endpoint) and [credentials](#get-deployment-credentials). Check also that the following FTP ports on your machine aren't blocked by a firewall:
 
 - FTP control connection port: 21, 990
 - FTP data connection port: 989, 10001-10300
 
-#### How can I connect to FTP in Azure App Service via passive mode?
-Azure App Service supports connecting via both Active and Passive mode. Passive mode is preferred because your deployment machines are usually behind a firewall (in the operating system or as part of a home or business network). See an [example from the WinSCP documentation](https://winscp.net/docs/ui_login_connection). 
+### Why does my connection fail when attempting to connect over FTPS using explicit encryption?
 
-#### Why is my connection failing when attempting to connect over FTPS using explicit encryption?
-FTPS allows establishing the TLS secure connection in either an Explicit or Implicit way.
+FTPS allows establishing an Explicit or Implicit TLS secure connection.
 
- - If you connect with Implicit encryption, the connection is established via port 990.
  - If you connect with Explicit encryption, the connection is established via port 21.
+ - If you connect with Implicit encryption, the connection is established via port 990.
 
-The URL format you use can affect your connection success, and it also depends on the client application you use. The portal shows the URL as `ftps://`, but note:
-
- - If the URL you connect with starts with `ftp://`, the connection is implied to be on port 21.
- - If it starts with `ftps://`, the connection is implied to be Implicit and on port 990. 
-
- Make sure not to mix both, such as attempting to connect to `ftps://` and using port 21, as it will fail to connect, even if you wish to do Explicit encryption. This is due to an Explicit connection starting as a plain FTP connection before the AUTH method.
+The URL format you use can affect your connection success, depending on your client application. The portal might show the URL as `ftps://`, but if the URL you connect with starts with `ftp://`, the connection is implied to be on port 21. If the URL starts with `ftps://`, the connection is implied to be Implicit and on port 990.
 
-#### How can I determine the method that was used to deploy my Azure App Service?
-You can find out how an app was deployed by checking the application settings. If the app was deployed using an external package URL, you should see the `WEBSITE_RUN_FROM_PACKAGE` setting in the application settings with a URL value. Or if it was deployed using zip deploy, you should see the `WEBSITE_RUN_FROM_PACKAGE` setting with a value of `1`. If the app was deployed using Azure DevOps, you should see the deployment history in the Azure DevOps portal. If Azure Functions Core Tools is used, you should see the deployment history in the Azure portal.
+Make sure not to mix the settings, such as attempting to connect to `ftps://` by using port 21. This setting fails to connect even by using Explicit encryption, because an Explicit connection starts as a plain FTP connection before the AUTH method.
 
-## More resources
+## Related resources
 
-* [Local Git deployment to Azure App Service](deploy-local-git.md)
-* [Azure App Service Deployment Credentials](deploy-configure-credentials.md)
-* [Sample: Create a web app and deploy files with FTP (Azure CLI)](./scripts/cli-deploy-ftp.md).
-* [Sample: Upload files to a web app using FTP (PowerShell)](./scripts/powershell-deploy-ftp.md).
+- [Local Git deployment to Azure App Service](deploy-local-git.md)
+- [Azure App Service deployment credentials](deploy-configure-credentials.md)
+- [Sample: Create a web app and deploy files with FTP (Azure CLI)](./scripts/cli-deploy-ftp.md).
+- [Sample: Upload files to a web app using FTP (PowerShell)](./scripts/powershell-deploy-ftp.md).