PowerShell Command for Azure App Service Deployment Returns 403 Forbidden Error

Srishti Purohit 0 Reputation points Microsoft Employee
2025-06-17T00:57:48.8433333+00:00

The following PowerShell command used for deploying an App Service is returning a runtime error that wasn't occurring before:

Invoke-RestMethod -Uri $kuduApiUrl -Headers @{Authorization = ("Bearer {0}" -f $accessToken)} -Method POST -InFile $ZipPackageFile -ContentType "multipart/form-data"

The error logs indicate a 403 Forbidden response:

##[debug]
##[debug]Script stack trace:
##[debug]at Invoke-ZipDeploy, D:\a\_work\1\ps\Publish-AzureWebApp.ps1: line 101
##[debug]at <ScriptBlock>, D:\a\_work\1\ps\Publish-AzureWebApp.ps1: line 163
##[debug]at <ScriptBlock>, D:\a\_work\_temp\9c96cb1f-d880-449c-9bec-3f6559156ed8.ps1: line 39
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]Exception:
##[debug]Microsoft.PowerShell.Commands.HttpResponseException: Response status code does not indicate success: 403 (Forbidden).
##[debug] at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)

What permissions might have changed that could be causing this issue? Please find attached the PS file that is used in the CD pipeline.


1 answer

  1. Bhargavi Naragani 5,270 Reputation points Microsoft External Staff Moderator
    2025-06-17T04:51:57.7266667+00:00

    Hi @Srishti Purohit,

    The 403 Forbidden error during the Kudu Zip Deploy indicates that the token or credentials used in your PowerShell deployment command no longer have sufficient access to perform the operation.

    This may be due to:

    • Expired or incorrectly scoped access token.
    • Recent changes to App Service authentication or publishing settings.
    • Use of a service principal or managed identity lacking the Contributor role.

    1. Use this format when acquiring the access token:
         $resource = "https://management.azure.com/"
         $token = (Get-AzAccessToken -ResourceUrl $resource).Token
      
      However, the Kudu API requires a token scoped for https://{appname}.scm.azurewebsites.net. But Azure AD does not issue tokens directly for Kudu. So instead, use Basic Auth with Publishing Credentials, or use the Kudu Web Deploy profile.
    2. Use Basic Auth with Publishing Profile
         # Get the publishing profile XML from Azure (manually or via a pipeline secure variable)
         $username = "<your-publishing-username>"
         $creds = ConvertTo-SecureString "<your-publishing-password>" -AsPlainText -Force
         $credential = New-Object System.Management.Automation.PSCredential ($username, $creds)
         # POST the zip package to the Kudu endpoint using the publishing credentials
         Invoke-RestMethod -Uri $kuduApiUrl -Credential $credential -Method POST -InFile $ZipPackageFile -ContentType "application/zip"
      
      https://learn.microsoft.com/en-us/azure/app-service/deploy-zip?tabs=cli#deploy-using-curl
    3. Use Publish-AzWebApp instead (simpler & secure)
         Publish-AzWebApp -ResourceGroupName "<RGName>" -Name "<AppName>" -ArchivePath "<PathToZip>"
      
      https://learn.microsoft.com/en-us/powershell/module/az.websites/publish-azwebapp?view=azps-14.1.0
    4. If using Managed Identity or Service Principal, check that it has Contributor role on the App Service or Resource Group:
         az role assignment list --assignee <principalId> --scope /subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<appname>
      
      https://learn.microsoft.com/en-us/azure/app-service/deploy-configure-credentials?tabs=cli#use-rbac-rules

    Hope this helps. If you have any further concerns or queries, please feel free to reach out to us.
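
The first cause listed in the answer above (an expired or incorrectly scoped access token) can be checked before the deploy call by reading the token's own claims. The following is an added example, not part of the original answer or the poster's pipeline script; the function names `Get-JwtClaims`, `Test-DeployToken` and `ConvertTo-Base64Url`, the five-minute margin and the sample token are assumptions made for illustration.

```powershell
# Added example: read a bearer token's claims before calling Kudu.
# The signature is NOT verified; this is for troubleshooting only.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 dot-separated segments." }
    # Base64url -> Base64: swap URL-safe characters and restore padding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        1 { throw "Invalid base64url payload length." }
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-DeployToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$ExpectedAudience = 'https://management.azure.com/',  # resource URL from the answer
        [int]$MinMinutesLeft = 5                                      # assumed safety margin
    )
    $claims  = Get-JwtClaims -Token $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    $left    = $expires - [DateTimeOffset]::UtcNow
    [pscustomobject]@{
        Audience   = $claims.aud
        AudienceOk = (([string]$claims.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/'))
        ExpiresUtc = $expires.UtcDateTime
        NotExpired = ($left.TotalMinutes -ge $MinMinutesLeft)
        ObjectId   = $claims.oid   # principal to look up in role assignments
    }
}

# Constructed, unsigned sample token (expired 10 minutes ago) so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$exp    = [DateTimeOffset]::UtcNow.AddMinutes(-10).ToUnixTimeSeconds()
$header = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$body   = ConvertTo-Base64Url ('{"aud":"https://management.azure.com/","exp":' + $exp + ',"oid":"00000000-0000-0000-0000-000000000000"}')
$sample = $header, $body, 'constructed-signature' -join '.'

Test-DeployToken -Token $sample
```

In the pipeline, pass the same `$accessToken` used in the failing `Invoke-RestMethod` call; if both checks pass, the `ObjectId` value is the principal to use with the role assignment query in step 4.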

