This article discusses how to disable basic username and password authentication for deploying code to Azure App Service apps. The article explains several ways to disable basic authentication, fallback deployment methods if any, and how to monitor basic authentication access attempts.
App Service provides basic authentication for FTP and Web Deploy clients to connect using username and password deployment credentials. The basic authentication APIs are good for browsing your site's file system, uploading drivers and utilities, and deploying with MSBuild. For more information, see Configure deployment credentials for Azure App Service.
Enterprises often require more secure deployment methods than basic authentication, such as Microsoft Entra ID. Microsoft Entra OAuth 2.0 access tokens have a limited usable lifetime, are specific to the applications and resources they're issued for, and can't be reused. OAuth token-based authorization helps mitigate many problems with basic authentication.
Microsoft Entra also lets you deploy from other Azure services by using managed identities. For more information, see Authentication types by deployment method in Azure App Service.
Prerequisites
For FTP deployment, basic authentication is controlled by the basicPublishingCredentialsPolicies/ftp flag or the FTP Basic Auth Publishing Credentials portal option.
For other deployment methods that use basic authentication, such as Visual Studio, local Git, and GitHub, basic authentication is controlled by the basicPublishingCredentialsPolicies/scm flag or the SCM Basic Auth Publishing Credentials portal option.
Note: SCM basic authentication is required for enabling FTP basic authentication.
To disable basic authentication:
In the Azure portal, search for and select App Services, and then select your app.
On the app's left navigation menu, select Configuration > General settings.
Select Off for SCM Basic Auth Publishing Credentials, FTP Basic Auth Publishing Credentials, or both, and then select Save.
Run the following Azure CLI commands, for example in the Bash environment of Azure Cloud Shell. Replace the placeholders with your own values before running each command.
To disable FTP basic authentication access, run the following command, replacing the placeholders with your app's resource group and name. You must have owner-level access to the app.
az resource update --resource-group <group-name> --name ftp --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<app-name> --set properties.allow=false
To disable basic authentication access for the Web Deploy port and Git deploy with https://<app-name>.scm.azurewebsites.net, run the following command. Replace the placeholders with your app's resource group and name.
az resource update --resource-group <resource-group> --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<app-name> --set properties.allow=false
To confirm that FTP access is blocked, try to connect to your app using FTP/FTPS. You should get a 401 Unauthenticated message.
To confirm that Git access is blocked, try local Git deployment. You should get an Authentication failed message.
Deploy without basic authentication
When you disable basic authentication, deployment methods that depend on basic authentication no longer work. Some deployment methods have fallback deployment mechanisms.
The following table shows how various deployment methods behave when basic authentication is disabled, and the fallback mechanism if any. For more information, see Authentication types by deployment methods in Azure App Service.
Create a custom role to prevent enabling basic authentication
To prevent lower-privileged users from enabling basic authentication for any app, you can create a custom role and assign the users to the role.
In the Azure portal, select the subscription where you want to create the custom role.
On the left navigation menu, select Access Control (IAM) > Add > Add custom role.
On the Create a custom role page, give the role a name and then select Next.
In the Permissions tab, select Exclude permissions.
Search and select Microsoft Web Apps.
Search for and expand microsoft.web/sites/basicPublishingCredentialsPolicies.
Select the box for Write, and then select Add. This step adds the operation to NotActions for the role.
Select Exclude permissions again.
Search for and expand microsoft.web/sites/slots/basicPublishingCredentialsPolicies, select the Write box, and then select Add.
Your Permissions tab should now look like the following screenshot. Select Review + create, and then select Create.
You can now assign this role to your organization's users. For more information, see Create or update Azure custom roles by using the Azure portal.
Run the following command, replacing <role-name> with a name for the custom role and <subscription-guid> with your subscription ID.
az role definition create --role-definition '{
  "Name": "<role-name>",
  "IsCustom": true,
  "Description": "Prevents users from enabling basic authentication for all App Service apps or slots.",
  "NotActions": [
    "Microsoft.Web/sites/basicPublishingCredentialsPolicies/Write",
    "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/Write"
  ],
  "AssignableScopes": ["/subscriptions/<subscription-guid>"]
}'
You can now assign this role to your organization's users. For more information, see Create or update Azure custom roles using the Azure CLI.
Monitor for basic authentication attempts
All successful and attempted logins are logged to the Azure Monitor AppServiceAuditLogs log type. To audit attempted and successful logins on FTP and Web Deploy, follow the steps at Send logs to Azure Monitor and enable shipping of the AppServiceAuditLogs log type.
To confirm that the logs are shipped to your selected services, try logging in via FTP or Web Deploy. The following example shows a storage account log.
{
  "time": "2023-10-16T17:42:32.9322528Z",
  "ResourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.WEB/SITES/MY-DEMO-APP",
  "Category": "AppServiceAuditLogs",
  "OperationName": "Authorization",
  "Properties": {
    "User": "$my-demo-app",
    "UserDisplayName": "$my-demo-app",
    "UserAddress": "24.19.191.170",
    "Protocol": "FTP"
  }
}
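As an added example (not part of the article or of Microsoft's tooling), the following Python parses a JSON-lines export of AppServiceAuditLogs records like the one above, keeps only the Authorization events, and counts basic-auth logins per app and protocol, optionally only those at or after your cutover date. The first sample record is the article's; the second and third records and the "Web Deploy" protocol string are constructed here.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the one-object-per-line form AppServiceAuditLogs take
# when shipped to a storage account. The first record is the article's example;
# the second (Web Deploy login) and third (non-audit category) are made up here.
SAMPLE_LOG_LINES = """
{"time": "2023-10-16T17:42:32.9322528Z", "ResourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.WEB/SITES/MY-DEMO-APP", "Category": "AppServiceAuditLogs", "OperationName": "Authorization", "Properties": {"User": "$my-demo-app", "UserDisplayName": "$my-demo-app", "UserAddress": "24.19.191.170", "Protocol": "FTP"}}
{"time": "2023-10-17T09:05:11.0000000Z", "ResourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.WEB/SITES/MY-DEMO-APP", "Category": "AppServiceAuditLogs", "OperationName": "Authorization", "Properties": {"User": "deploy-user", "UserAddress": "203.0.113.7", "Protocol": "Web Deploy"}}
{"time": "2023-10-17T09:06:00.0000000Z", "ResourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.WEB/SITES/MY-DEMO-APP", "Category": "AppServiceHTTPLogs", "OperationName": "Get", "Properties": {}}
"""

def parse_time(value):
    # Azure Monitor timestamps carry seven fractional digits and a trailing Z,
    # which datetime.fromisoformat rejects on older Pythons, so trim by hand.
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0")), tzinfo=timezone.utc)

def parse_audit_records(text):
    """Parse a JSON-lines export, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def basic_auth_logins(records, since=None):
    """Return FTP / Web Deploy credential logins, optionally only those at or after `since`."""
    hits = []
    for rec in records:
        if rec.get("Category") != "AppServiceAuditLogs" or rec.get("OperationName") != "Authorization":
            continue
        when = parse_time(rec["time"])
        if since is not None and when < since:
            continue
        props = rec.get("Properties", {})
        hits.append({"time": when, "protocol": props.get("Protocol"),
                     "user": props.get("User"), "address": props.get("UserAddress"),
                     "app": rec.get("ResourceId", "").upper().rsplit("/SITES/", 1)[-1]})
    return hits

def summarize(logins):
    """Count logins per (app, protocol); any nonzero entry means basic auth is still in use."""
    return Counter((h["app"], h["protocol"]) for h in logins)
```

Any entry left in the summary after the policies were set to allow=false is worth a look: it means a client still holds working deployment credentials.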
Azure Policy can help you enforce organizational standards and assess compliance at scale. You can use Azure Policy to audit for any apps that still use basic authentication, and remediate any noncompliant resources. The following list shows built-in policies for auditing and remediating basic authentication on App Service:
The following list shows corresponding policies for slots: