Configure deployment credentials for Azure App Service

To secure app deployment from a local computer, Azure App Service supports two types of credentials for local Git deployment and FTP/S deployment. These credentials are not the same as your Azure subscription credentials.

• User-level credentials: one set of credentials for the entire Azure account. It can be used to deploy to App Service for any app, in any subscription, that the Azure account has permission to access. It's the default set that's surfaced in the portal GUI (such as the Overview and Properties of the app's resource page). When a user is granted app access via Role-Based Access Control (RBAC) or coadmin permissions, that user can use their own user-level credentials until the access is revoked. Do not share these credentials with other Azure users.

• App-level credentials: one set of credentials for each app. It can be used to deploy to that app only. The credentials for each app are generated automatically at app creation. They can't be configured manually, but can be reset anytime. For a user to be granted access to app-level credentials via (RBAC), that user must be contributor or higher on the app (including Website Contributor built-in role). Readers are not allowed to publish, and can't access those credentials.

Note

The Development Center (Classic) page in the Azure portal, which is the old deployment experience, will be deprecated in March, 2021. This change will not affect any existing deployment settings in your app, and you can continue to manage app deployment in the Deployment Center page.

Configure user-scope credentials

Azure CLI

Run the az webapp deployment user set command. Replace <username> and <password> with a deployment user username and password.

• The username must be unique within Azure, and for local Git pushes, must not contain the ‘@’ symbol.
• The password must be at least eight characters long, with two of the following three elements: letters, numbers, and symbols.

az webapp deployment user set --user-name <username> --password <password>

The JSON output shows the password as null.

Azure PowerShell

You can't configure the user-scope credentials with Azure PowerShell. Use a different method, or consider using application-scope credentials.

Azure portal

You can configure your user-scope credentials in any app's resource page. Regardless in which app you configure these credentials, it applies to all apps for all subscriptions in your Azure account.

In the Azure portal, you must have at least one app before you can access the deployment credentials page. To configure your user-scope credentials:

1. From the left menu of your app, select > Deployment center > FTPS credentials or Local Git/FTPS credentials.

   

2. Scroll down to User scope, configure the Username and Password, and then select Save.

Once you have set your deployment credentials, you can find the Git deployment username in your app's Overview page,

If Git deployment is configured, the page shows a Git/deployment username; otherwise, an FTP/deployment username.

Note

Azure does not show your user-scope deployment password. If you forget the password, you can reset your credentials by following the steps in this section.

Use user-scope credentials with FTP/FTPS

Authenticating to an FTP/FTPS endpoint using user-scope credentials requires a username in the following format: <app-name>\<user-name>

Since user-scope credentials are linked to the user and not a specific resource, the username must be in this format to direct the sign-in action to the right app endpoint.

Get application-scope credentials

Azure CLI

Get the application-scope credentials using the az webapp deployment list-publishing-profiles command. For example:

az webapp deployment list-publishing-profiles --resource-group <group-name> --name <app-name>

For local Git deployment, you can also use the az webapp deployment list-publishing-credentials command to get a Git remote URI for your app, with the application-scope credentials already embedded. For example:

az webapp deployment list-publishing-credentials --resource-group <group-name> --name <app-name> --query scmUri

Azure PowerShell

Get the application-scope credentials using the Get-AzWebAppPublishingProfile command. For example:

Get-AzWebAppPublishingProfile -ResourceGroupName <group-name> -Name <app-name>

Azure portal

1. From the left menu of your app, select Deployment center > FTPS credentials or Local Git/FTPS credentials.

   

2. In the Application scope section, select the Copy link to copy the username or password.

Reset application-scope credentials

Azure CLI

Reset the application-scope credentials using the az resource invoke-action command:

az resource invoke-action --action newpassword --resource-group <group-name> --name <app-name> --resource-type Microsoft.Web/sites

Azure PowerShell

Reset the application-scope credentials using the Invoke-AzResourceAction command:

Invoke-AzResourceAction -ResourceGroupName <group-name> -ResourceType Microsoft.Web/sites -ResourceName <app-name> -Action newpassword

Azure portal

1. From the left menu of your app, select Deployment center > FTPS credentials or Local Git/FTPS credentials.

   

2. In the Application scope section, select Reset.

Disable basic authentication

Some organizations need to meet security requirements and would rather disable access via FTP or WebDeploy. This way, the organization's members can only access its App Services through APIs that are controlled by Azure Active Directory (Azure AD).

FTP

To disable FTP access to the site, run the following CLI command. Replace the placeholders with your resource group and site name.

az resource update --resource-group <resource-group> --name ftp --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<site-name> --set properties.allow=false

To confirm that FTP access is blocked, you can try to authenticate using an FTP client such as FileZilla. To retrieve the publishing credentials, go to the overview blade of your site and click Download Publish Profile. Use the file’s FTP hostname, username, and password to authenticate, and you will get a 401 error response, indicating that you are not authorized.

WebDeploy and SCM

To disable basic auth access to the WebDeploy port and SCM site, run the following CLI command. Replace the placeholders with your resource group and site name.

az resource update --resource-group <resource-group> --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<site-name> --set properties.allow=false

To confirm that the publish profile credentials are blocked on WebDeploy, try publishing a web app using Visual Studio 2019.

Disable access to the API

The API in the previous section is backed Azure role-based access control (Azure RBAC), which means you can create a custom role and assign lower-priveldged users to the role so they cannot enable basic auth on any sites. To configure the custom role, follow these instructions.

You can also use Azure Monitor to audit any successful authentication requests and use Azure Policy to enforce this configuration for all sites in your subscription.

Next steps

Find out how to use these credentials to deploy your app from local Git or using FTP/S.