Merge pull request #263129 from cephalin/mideploy

GitHub Actions deploy with OIDC UI

Author: v-ccolin

.openpublishing.redirection.app-service.json

@@ -685,14 +685,19 @@
             "redirect_url": "/azure/app-service/deploy-configure-credentials",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/app-service/deploy-content-sync.md",
+            "redirect_url": "/azure/app-service/deploy-continuous-deployment",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/app-service/app-service-deploy-content-sync.md",
-            "redirect_url": "/azure/app-service/deploy-content-sync",
+            "redirect_url": "/azure/app-service/deploy-continuous-deployment",
             "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/app-service-web/app-service-deploy-content-sync.md",
-            "redirect_url": "/azure/app-service/deploy-content-sync",
+            "redirect_url": "/azure/app-service/deploy-continuous-deployment",
             "redirect_document_id": false
         },
         {

articles/app-service/configure-basic-auth-disable.md

@@ -3,7 +3,7 @@ title: Disable basic authentication for deployment
 description: Learn how to secure App Service deployment by disabling basic authentication.
 keywords: azure app service, security, deployment, FTP, MsDeploy
 ms.topic: article
-ms.date: 11/05/2023
+ms.date: 01/26/2024
 author: cephalin
 ms.author: cephalin
 ---
@@ -12,7 +12,7 @@ ms.author: cephalin
 
 This article shows you how to disable basic authentication (username and password authentication) when deploying code to App Service apps.
 
-App Service provides basic authentication for FTP and WebDeploy clients to connect to it by using [deployment credentials](deploy-configure-credentials.md). These APIs are great for browsing your site’s file system, uploading drivers and utilities, and deploying with MsBuild. However, enterprises often require more secure deployment methods than basic authentication, such as [Microsoft Entra ID](/entra/fundamentals/whatis) authentication (see [Authentication types by deployment methods in Azure App Service](deploy-authentication-types.md)). Entra ID uses OAuth 2.0 token-based authorization and has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they're issued, so they can't be reused. Entra ID also lets you deploy from other Azure services using managed identities.
+App Service provides basic authentication for FTP and WebDeploy clients to connect to it by using [deployment credentials](deploy-configure-credentials.md). These APIs are great for browsing your site’s file system, uploading drivers and utilities, and deploying with MsBuild. However, enterprises often require more secure deployment methods than basic authentication, such as [Microsoft Entra ID](/entra/fundamentals/whatis) authentication (see [Authentication types by deployment methods in Azure App Service](deploy-authentication-types.md)). Microsoft Entra uses OAuth 2.0 token-based authorization and has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they're issued, so they can't be reused. Microsoft Entra also lets you deploy from other Azure services using managed identities.
 
 ## Disable basic authentication
 
@@ -54,10 +54,22 @@ To confirm that Git access is blocked, try [local Git deployment](deploy-local-g
 
 ## Deployment without basic authentication
 
-When you disable basic authentication, deployment methods based on basic authentication stop working, such as FTP and local Git deployment. For alternate deployment methods, see [Authentication types by deployment methods in Azure App Service](deploy-authentication-types.md).
-
-<!-- Azure Pipelines with App Service deploy task (manual config) need the newer version hosted agent that supports vs2022.
-OIDC GitHub actions -->
+When you disable basic authentication, deployment methods that depend on basic authentication stop working. The following table shows how various deployment methods behave when basic authentication is disabled, and if there's any fallback mechanism. For more information, see [Authentication types by deployment methods in Azure App Service](deploy-authentication-types.md).
+
+| Deployment method | When basic authentication is disabled |
+|-|-|
+| Visual Studio deployment | Doesn't work. |
+| [FTP](deploy-ftp.md) | Doesn't work. |
+| [Local Git](deploy-local-git.md) | Doesn't work. |
+| Azure CLI | In Azure CLI 2.48.1 or higher, the following commands fall back to Microsoft Entra authentication:<br/>- [az webapp up](/cli/azure/webapp#az-webapp-up)<br/>- [az webapp deploy](/cli/azure/webapp#az-webapp-deploy)<br/>- [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip)<br/>- [az webapp log deployment show](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-show)<br/>- [az webapp log deployment list](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-list)<br/>- [az webapp log download](/cli/azure/webapp/log#az-webapp-log-download)<br/>- [az webapp log tail](/cli/azure/webapp/log#az-webapp-log-tail)<br/>- [az webapp browse](/cli/azure/webapp#az-webapp-browse)<br/>- [az webapp create-remote-connection](/cli/azure/webapp#az-webapp-create-remote-connection)<br/>- [az webapp ssh](/cli/azure/webapp#az-webapp-ssh)<br/>- [az functionapp deploy](/cli/azure/functionapp#az-functionapp-deploy)<br/>- [az functionapp log deployment list](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-list)<br/>- [az functionapp log deployment show](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-show)<br/>- [az functionapp deployment source config-zip](/cli/azure/functionapp/deployment/source#az-functionapp-deployment-source-config-zip) |
+| [Maven plugin](https://github.com/microsoft/azure-maven-plugins) or [Gradle plugin](https://github.com/microsoft/azure-gradle-plugins) | Works. |
+| [GitHub with App Service Build Service](deploy-continuous-deployment.md?tabs=github) | Doesn't work. |
+| [GitHub Actions](deploy-continuous-deployment.md?tabs=github) | - An existing GitHub Actions workflow that uses **basic authentication** can't authenticate. In the Deployment Center, disconnect the existing GitHub configuration and create a new GitHub Actions configuration with the **user-assigned identity** option instead. <br/> - If the existing GitHub Actions deployment is [manually configured](deploy-github-actions.md), try using a service principal or OpenID Connect instead. <br/> - For new GitHub Actions configuration in the Deployment Center, use the **user-assigned identity** option. |
+| Deployment in [create wizard](https://portal.azure.com/#create/Microsoft.WebSite) | When **Basic authentication** is set to **Disable** and **Continuous deployment** set to **Enable**, GitHub Actions is configured with the **user-assigned identity** option (OpenID Connect). |
+| [Azure Repos with App Service Build Service](deploy-continuous-deployment.md?tabs=github) | Doesn't work. |
+| [BitBucket](deploy-continuous-deployment.md?tabs=bitbucket) | Doesn't work. |
+| [Azure Pipelines](deploy-azure-pipelines.md) with [AzureWebApp](/azure/devops/pipelines/tasks/reference/azure-web-app-v1) task | Works. |
+| [Azure Pipelines](deploy-azure-pipelines.md) with [AzureRmWebAppDeployment](/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment) task | - Use the latest AzureRmWebAppDeployment task to get fallback behavior. <br/> - The **Publish Profile (`PublishProfile`)** connection type doesn't work, because it uses basic authentication. Change the connection type to **Azure Resource Manager (`AzureRM`)**. <br/> - On non-Windows Pipelines agents, authentication works. <br/> - On Windows agents, the [deployment method used by the task](/azure/devops/pipelines/tasks/reference/azure-rm-web-app-deployment-v4#deployment-methods) might need to be modified. When Web Deploy is used (`DeploymentType: 'webDeploy'`) and basic authentication is disabled, the task authenticates with a Microsoft Entra token. There are additional requirements if you're not using the `windows-latest` agent or if you're using a self-hosted agent. For more information, see [I can't Web Deploy to my Azure App Service using Microsoft Entra authentication from my Windows agent](/azure/devops/pipelines/tasks/reference/azure-rm-web-app-deployment-v4#i-cant-web-deploy-to-my-azure-app-service-using-microsoft-entra-id-authentication-from-my-windows-agent).<br/> - Other deployment methods work, such as **zip deploy** or **run from package**. |
 
 ## Create a custom role with no permissions for basic authentication
 
@@ -152,3 +164,8 @@ The following are corresponding policies for slots:
 - [Remediation policy for FTP](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff493116f-3b7f-4ab3-bf80-0c2af35e46c2)
 - [Remediation policy for SCM](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c034a29-2a5f-4857-b120-f800fe5549ae)
 
+## Frequently asked questions
+
+#### Why do I get a warning in Visual Studio saying that basic authentication is disabled?
+
+Visual Studio requires basic authentication to deploy to Azure App Service. The warning reminds you that the configuration on your app changed and you can no longer deploy to it. Either you disabled basic authentication on the app yourself, or your organization policy enforces that basic authentication is disabled for App Service apps.