Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
To secure app deployment from a local computer, Azure App Service supports two types of credentials for local Git deployment and FTP/FTPS deployment. These credentials are different from your Azure subscription credentials.
User-level credentials: One set of credentials for the entire Azure account. These credentials can be used to deploy to App Service for any app in any subscription that the Azure account has permission to access. This credentials set is the default that surfaces in the portal's graphical environment, like in Overview and Properties on the app's resource pane. When a user is granted app access via role-based access control (RBAC) or coadministrator permissions, they can use their user-level credentials until access is revoked. Don't share these credentials with other Azure users.
App-level credentials: One set of credentials for each app. These credentials can be used to deploy to that app only. The credentials for each app are generated automatically at app creation. They can't be configured manually, but can be reset anytime. To grant a user access to app-level credentials via RBAC, that user must have Contributor level or higher permissions on the app (including the built-in Website Contributor role). Readers aren't allowed to publish, and can't access those credentials.
Note
When basic authentication is disabled, you can't view or configure deployment credentials in Deployment Center.
Configure user-scope credentials
Run the az webapp deployment user set command. Replace <username> and <password> with a deployment user's username and password.
- The username must be unique within Azure, and for local Git pushes, must not contain the @ symbol.
- The password must be at least eight characters long, with two of the following three elements: letters, numbers, and symbols.
az webapp deployment user set --user-name <username> --password <password>
The JSON output shows the password as null.
Use user-scope credentials with FTP/FTPS
To authenticate to an FTP/FTPS endpoint by using user-scope credentials, your username must follow this format:
<app-name>\<user-name>
Since user-scope credentials are linked to the user and not to a specific resource, the username must be in this format to direct the sign-in action to the right app endpoint.
Get application-scope credentials
Get the application-scope credentials by using the az webapp deployment list-publishing-profiles command. For example:
az webapp deployment list-publishing-profiles --resource-group <group-name> --name <app-name>
For local Git deployment, you can also use the az webapp deployment list-publishing-credentials command. When you use this command, you get a Git remote URI for your app that has the application-scope credentials already embedded. For example:
az webapp deployment list-publishing-credentials --resource-group <group-name> --name <app-name> --query scmUri
Note
The returned Git remote URI doesn't contain /<app-name>.git at the end. When you add the remote URI, make sure to append /<app-name>.git to avoid an error 22 with git-http-push. Additionally, when using git remote add ... via shells that use the dollar sign for variable interpolation (such as bash), escape any dollar signs \$ in the username or password. Failure to escape this character can result in authentication errors.
Reset application-scope credentials
Reset the application-scope credentials by using the az resource invoke-action command:
az resource invoke-action --action newpassword --resource-group <group-name> --name <app-name> --resource-type Microsoft.Web/sites
Disable basic authentication
See Disable basic authentication in App Service deployment.
Related content
Find out how to use these credentials to deploy your app from a local Git or by using FTP/FTPS.