How to Enforce FTP Disablement on Newly Created App Service/Function Apps in Azure?

Question

How to Enforce FTP Disablement on Newly Created App Service/Function Apps in Azure?

Jizeth Esperanzate 56

Is there a way to enforce that newly created App Services and Function Apps will have the FTP disabled in Azure? I am aware that I can turn off the FTP manually by changing the configuration in the Azure Portal but is there a way to do it automatically/programmatically?

2 answers

Your answer

Answer 1

Stanislav Zhelyazkov 28,596 MVP Volunteer Moderator

Hi,
You can create your own Azure Policy definition that forbids app service to be created without FTP to be disabled. Azure Policy enforces no matter what you use - Portal, CLI, PS, Tempaltes, SDKs, etc. More about Azure Policy and creating custom policy definition.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Jizeth Esperanzate 56 Reputation points

2022-02-02T07:39:22.027+00:00

Hi Stan,

Thank you for your answer. Would you know if there's a way to override a policy? I've created a custom policy in my own tenant and it works fine. But when I tested it on my organization's tenant, it is not working. Maybe because my custom policy is overrided by existing policies in my organization's tenant which prevents my policy on configuring the resources' settings.
Stanislav Zhelyazkov 28,596 Reputation points MVP Volunteer Moderator

2022-02-02T07:45:03.463+00:00

Hi,
policy cannot be overridden but you can create exemption for it so it does not apply to certain scopes - management groups, subscriptions, resource groups, resources. But these exemptions are created after the policy is already applied. Are you sure that the besides importing the policy definition you also created policy assignment for it? Are you sure that the policy assignment is done on the scope where you see the policy not working? May be if it is not one of those two you can give more details to figure out the problem.
Jizeth Esperanzate 56 Reputation points

2022-02-07T02:44:14.187+00:00

Yes, I have created a custom policy definition and assigned it to my subscription. I tested it on my own tenant (where there are no other policies assigned), and the policy configures the FTP value to be disabled. But when I tested it on my organization's tenant (where there are many policies assigned), it only scans the app services if the FTP is disabled but it does not change it to disabled (unlike in my own tenant). I think it is caused by the other existing policies in my own tenant. So I am finding a way if my FTP policy can be prioritized first.
Stanislav Zhelyazkov 28,596 Reputation points MVP Volunteer Moderator

2022-02-07T08:07:03.29+00:00

Policies does not have prioritization. In general you should avoid having policies that contradict with each other. Please share the policy. Overall if you use Modify effect the value will be changed if you do a remediation or if someone updates some of the other policies of the resource. Modify also works when you deploy new resource to change the property to the desired value. Please share some more details.

Answer 2

SwathiDhanwada-MSFT 18,996 Moderator

@Jizeth Esperanzate As stan mentioned , you can create custom policy to disable FTP on your App services or function apps. Sample example is available here. Information related to sample has been taken from this post.

Share via

How to Enforce FTP Disablement on Newly Created App Service/Function Apps in Azure?

2 answers

Your answer