Disable basic authentication in App Service deployments

This article shows you how to disable basic authentication (username and password authentication) when deploying code to App Service apps.

App Service provides basic authentication for FTP and WebDeploy clients to connect to it by using deployment credentials. These APIs are great for browsing your site’s file system, uploading drivers and utilities, and deploying with MsBuild. However, enterprises often require more secure deployment methods than basic authentication, such as Microsoft Entra ID authentication (see Authentication types by deployment methods in Azure App Service). Microsoft Entra uses OAuth 2.0 token-based authorization and has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they're issued, so they can't be reused. Microsoft Entra also lets you deploy from other Azure services using managed identities.

Disable basic authentication

Two different controls for basic authentication are available. Specifically:

  • For FTP deployment, basic authentication is controlled by the basicPublishingCredentialsPolicies/ftp flag (FTP Basic Auth Publishing Credentials option in the portal).
  • For other deployment methods that use basic authentication, such as Visual Studio, local Git, and GitHub, basic authentication is controlled by the basicPublishingCredentialsPolicies/scm flag (SCM Basic Auth Publishing Credentials option in the portal).
  1. In the Azure portal, search for and select App Services, and then select your app.

  2. In the app's left menu, select Configuration > General settings.

  3. For SCM Basic Auth Publishing Credentials or FTP Basic Auth Publishing Credentials, select Off, then select Save.

    A screenshot showing how to disable basic authentication for Azure App Service in the Azure portal.

To confirm that FTP access is blocked, try connecting to your app using FTP/S. You should get a 401 Unauthenticted message.

To confirm that Git access is blocked, try local Git deployment. You should get an Authentication failed message.

Deployment without basic authentication

When you disable basic authentication, deployment methods that depend on basic authentication stop working.

The following table shows how various deployment methods behave when basic authentication is disabled, and if there's any fallback mechanism. For more information, see Authentication types by deployment methods in Azure App Service.

Deployment method When basic authentication is disabled
Visual Studio deployment Doesn't work.
FTP Doesn't work.
Local Git Doesn't work.
Azure CLI  In Azure CLI 2.48.1 or higher, the following commands fall back to Microsoft Entra authentication:
- az webapp up
- az webapp deploy
- az webapp deployment source config-zip
- az webapp log deployment show
- az webapp log deployment list
- az webapp log download
- az webapp log tail
- az webapp browse
- az webapp create-remote-connection
- az webapp ssh
- az functionapp deploy
- az functionapp log deployment list
- az functionapp log deployment show
- az functionapp deployment source config-zip 
Maven plugin or Gradle plugin Works.
Deployment in create wizard When Basic authentication is set to Disable and Continuous deployment set to Enable.

Create a custom role with no permissions for basic authentication

To prevent a lower-priveldged user from enabling basic authentication for any app, you can create a custom role and assign the user to the role.

  1. In the Azure portal, in the top menu, search for and select the subscription you want to create the custom role in.

  2. From the left navigation, select Access Control (IAM) > Add > Add custom role.

  3. Set the Basic tab as you wish, then select Next.

  4. In the Permissions tab, and select Exclude permissions.

  5. Find and select Microsoft Web Apps, then search for the following operations:

    Operation Description
    microsoft.web/sites/basicPublishingCredentialsPolicies/ftp FTP publishing credentials for App Service apps.
    microsoft.web/sites/basicPublishingCredentialsPolicies/scm SCM publishing credentials for App Service apps.
    microsoft.web/sites/slots/basicPublishingCredentialsPolicies/ftp FTP publishing credentials for App Service slots.
    microsoft.web/sites/slots/basicPublishingCredentialsPolicies/scm SCM publishing credentials for App Service slots.
  6. Under each of these operations, select the box for Write, then select Add. This step adds the operation as NotActions for the role.

    Your Permissions tab should look like the following screenshot:

    A screenshot showing the creation of a custom role with all basic authentication permissions excluded.

  7. Select Review + create, then select Create.

  8. You can now assign this role to your organization’s users.

For more information, see Create or update Azure custom roles using the Azure portal

Monitor for basic authentication attempts

All successful and attempted logins are logged to the Azure Monitor AppServiceAuditLogs log type. To audit the attempted and successful logins on FTP and WebDeploy, follow the steps at Send logs to Azure Monitor and enable shipping of the AppServiceAuditLogs log type.

To confirm that the logs are shipped to your selected service(s), try logging in via FTP or WebDeploy. The following example shows a Storage Account log.

{
  "time": "2023-10-16T17:42:32.9322528Z",
  "ResourceId": "/SUBSCRIPTIONS/EF90E930-9D7F-4A60-8A99-748E0EEA69DE/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.WEB/SITES/MY-DEMO-APP",
  "Category": "AppServiceAuditLogs",
  "OperationName": "Authorization",
  "Properties": {
    "User": "$my-demo-app",
    "UserDisplayName": "$my-demo-app",
    "UserAddress": "24.19.191.170",
    "Protocol": "FTP"
  }
}

Azure Policy can help you enforce organizational standards and to assess compliance at-scale. You can use Azure Policy to audit for any apps that still use basic authentication, and remediate any noncompliant resources. The following are built-in policies for auditing and remediating basic authentication on App Service:

The following are corresponding policies for slots: