
New Policy (Azure Web Apps): Web apps should have basic local authentication methods disabled for FTP deployments #434

Merged


tdefise
Contributor

@tdefise tdefise commented Apr 3, 2024

Policy

  • Name: Web App should have basic local authentication methods disabled for FTP deployments
  • Description: Disabling local authentication methods for FTP deployments improves security by ensuring that Web apps exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.
  • Category: App Service
  • Supported effect(s): AuditIfNotExists, Disabled
  • Parameters: None

Description

Audit if basic local authentication methods for FTP deployments are disabled

Details

App Service provides basic authentication for FTP and WebDeploy clients to connect to it by using deployment credentials.
These APIs are great for browsing your site’s file system, uploading drivers and utilities, and deploying with MsBuild. However, enterprises often require more secure deployment methods than basic authentication, such as Microsoft Entra ID authentication (see Authentication types by deployment methods in Azure App Service).
Microsoft Entra uses OAuth 2.0 token-based authorization and has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they're issued, so they can't be reused. Microsoft Entra also lets you deploy from other Azure services using managed identities.

Source: https://learn.microsoft.com/en-us/azure/app-service/configure-basic-auth-disable?tabs=portal
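As an added illustration (not part of this PR or the Azure Community Policy repository), the script below evaluates an AuditIfNotExists rule of the shape this policy describes against a constructed App Service inventory. The embedded rule follows the pattern of Azure's built-in FTP basic-authentication policy (a trigger on `Microsoft.Web/sites` with an existence condition on the `ftp` child of `Microsoft.Web/sites/basicPublishingCredentialsPolicies`); the exact alias name and JSON are assumptions, since the PR's own azurepolicy.rules.json is not reproduced on this page. The inventory records and the alias resolver are constructed for the example and cover only the `field`/`equals` subset of the policy language.

```python
"""Added example: a minimal local evaluator for an AuditIfNotExists policy rule
of the kind this PR adds, run over constructed App Service inventory.
The rule JSON mirrors the pattern of Azure's built-in FTP basic-auth policy;
the alias name is an assumption, not taken from the PR's files."""
import json

CHILD_TYPE = "Microsoft.Web/sites/basicPublishingCredentialsPolicies"

# Shape of an azurepolicy.rules.json for this policy (assumed content).
POLICY_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Web/sites"},
    "then": {
        "effect": "AuditIfNotExists",
        "details": {
            "type": CHILD_TYPE,
            "name": "ftp",
            "existenceCondition": {
                "field": CHILD_TYPE + "/allow",   # assumed alias name
                "equals": "false",
            },
        },
    },
}

# Constructed inventory: web apps with their basic publishing credential
# policies as child resources, plus one unrelated resource.
INVENTORY = [
    {"type": "Microsoft.Web/sites", "name": "app-ftp-off",
     "children": [{"type": CHILD_TYPE, "name": "ftp", "properties": {"allow": False}}]},
    {"type": "Microsoft.Web/sites", "name": "app-ftp-on",
     "children": [{"type": CHILD_TYPE, "name": "ftp", "properties": {"allow": True}}]},
    # Only the SCM (WebDeploy) policy was set; the FTP policy was never touched.
    {"type": "Microsoft.Web/sites", "name": "app-scm-only",
     "children": [{"type": CHILD_TYPE, "name": "scm", "properties": {"allow": False}}]},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stor1", "children": []},
]


def field_value(resource, field):
    """Resolve a policy field against a resource. Supports the built-in fields
    'type' and 'name' and '<resourceType>/<property>' aliases into properties."""
    if field in ("type", "name"):
        return resource.get(field)
    prefix = resource["type"] + "/"
    if field.startswith(prefix):
        return resource.get("properties", {}).get(field[len(prefix):])
    return None


def condition_matches(resource, condition):
    """Evaluate one {field, equals} condition. Azure Policy's 'equals' is a
    case-insensitive string comparison, so booleans compare against 'false'."""
    actual = field_value(resource, condition["field"])
    if actual is None:
        return False
    return str(actual).lower() == str(condition["equals"]).lower()


def evaluate(policy_rule, inventory):
    """Return {resource name: 'Compliant' | 'NonCompliant' | 'NotApplicable'}.

    AuditIfNotExists: a resource matching the 'if' block is compliant only if a
    related resource of details.type/details.name exists AND satisfies the
    existenceCondition; a missing related resource is non-compliant."""
    then = policy_rule["then"]
    if then["effect"] != "AuditIfNotExists":
        raise ValueError("this evaluator only supports AuditIfNotExists")
    details = then["details"]
    results = {}
    for res in inventory:
        if not condition_matches(res, policy_rule["if"]):
            results[res["name"]] = "NotApplicable"
            continue
        related = [c for c in res.get("children", [])
                   if c["type"] == details["type"] and c["name"] == details["name"]]
        exists = any(condition_matches(c, details["existenceCondition"]) for c in related)
        results[res["name"]] = "Compliant" if exists else "NonCompliant"
    return results


if __name__ == "__main__":
    print(json.dumps(evaluate(POLICY_RULE, INVENTORY), indent=2))
```

Two outcomes are worth noting: the app that only disabled SCM basic authentication is still non-compliant, because the FTP credential policy is a separate child resource and this policy checks the `ftp` one; and an app whose FTP policy was never configured is also non-compliant, since AuditIfNotExists treats a missing related resource as a failed existence check rather than as compliant by default.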

Contribution Rules

  • Contain a single Policy in a folder by itself with 3 files: azurepolicy.json, azurepolicy.rules.json, and azurepolicy.parameters.json
  • Used Confirm-PolicyDefinitionIsValid.ps1
  • Used Out-FormattedPolicyDefinition.ps1

@aschabus aschabus merged commit 99792c8 into Azure:main Apr 17, 2024
2 checks passed