
DevSecOps – Improve App Service Deployment Security with Microsoft Entra ID authentication

Photo by Pixabay: https://www.pexels.com/photo/door-handle-key-keyhole-279810/

In the November 16 update, Azure DevOps received a feature called “AzureRmWebAppDeployment task supports Microsoft Entra ID authentication”. I haven’t noticed much noise around this topic, even though it improves deployment pipeline security quite a bit. Until now, if you used the Azure App Service Deploy task in Azure DevOps, you most likely deployed your app using basic authentication: Azure DevOps uses the deployment credentials (which are available for every App Service) to push the new version of your Web App. We can verify this by looking through the deployment logs of any release pipeline that uses the App Service Deploy task. For example, in this case I’m using the App Service Deploy task, and if I scroll right a bit…

Deployment log shows basic auth in msdeploy.exe line
The msdeploy task is called, so this line is the App Service deployment…

…on the right (not visible in the picture) the log says “Password=’***’,AuthType=’Basic’ -setParam:name=’IIS Web Application Name’“. This indicates that the deployment really is using basic authentication. This has been the default way to deploy, but now there is a better and more secure way to do it.

Microsoft Entra ID Authentication

The App Service Deploy tasks V3 and V4 have been updated to support App Service with basic authentication disabled. If basic authentication is disabled on the App Service, these tasks will use Microsoft Entra ID authentication to perform deployments to the App Service Kudu endpoint. This requires a recent version of msdeploy.exe installed on the agent, which is the case on the windows-2022/windows-latest hosted agents.

If you disable basic authentication and run the deployment on an older or unsupported agent, you will receive the error “App Service is configured to not use basic authentication. This requires Web Deploy msdeploy.exe version 7.1.7225 or higher.”

Azure AD is now known as Microsoft Entra ID
Microsoft Entra ID formerly known as Azure AD

Disable Basic Auth

To change our deployment model from basic authentication to Microsoft Entra ID authentication, we just need to disable basic auth on the App Service and ensure that we are using the latest hosted agents. Disabling basic auth is a straightforward action: log into the Azure Portal, navigate to the App Service’s Configuration page, set Basic Auth Publishing Credentials to Off and click Save. If you are using deployment slots, you need to do this for each slot as well.

App Service configuration page can be used to disable the basic auth credentials
Disable Basic Auth Publishing Credentials from configuration page.

Now, to ensure that the deployment uses the new Entra ID auth, we can run the release pipeline again and check the deployment logs. The msdeploy line should indicate the new auth with the text “UserName=’user’,Password=’***’,AuthType=’Bearer‘”.
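The same two steps (switch off basic-auth publishing credentials for the app and its slots, then confirm the deployment log shows a bearer token) can be scripted instead of clicked through in the portal. The script below is an added example, not code from the original post or from Microsoft; it uses the Azure CLI `az resource update`/`az resource show` commands against the `basicPublishingCredentialsPolicies` sub-resource (the `scm` policy is the one Web Deploy and Kudu use; `ftp` is switched off alongside it), and the resource group, app and slot names are placeholders you pass in. The log lines at the bottom are constructed for the example, modelled on the msdeploy line quoted above.

```shell
#!/usr/bin/env sh
# Added example (not part of the original post). Disables basic-auth publishing
# credentials on an App Service (and optionally one slot) via the Azure CLI,
# then checks an Azure DevOps deployment log for the AuthType msdeploy used.

# ARM parent path of the basicPublishingCredentialsPolicies sub-resource:
# sites/<app> for the production slot, sites/<app>/slots/<slot> for a slot.
policy_parent() {
  app="$1"; slot="${2:-}"
  if [ -n "$slot" ]; then
    printf 'sites/%s/slots/%s' "$app" "$slot"
  else
    printf 'sites/%s' "$app"
  fi
}

# Set properties.allow=false on both the 'scm' (Web Deploy/Kudu) and 'ftp'
# policies; this is what "Basic Auth Publishing Credentials = Off" does in the portal.
# Arguments: <resource-group> <app> [slot]
disable_basic_auth() {
  rg="$1"; parent="$(policy_parent "$2" "${3:-}")"
  for name in scm ftp; do
    az resource update \
      --resource-group "$rg" \
      --namespace Microsoft.Web \
      --resource-type basicPublishingCredentialsPolicies \
      --parent "$parent" \
      --name "$name" \
      --set properties.allow=false \
      --output none
  done
}

# Read the 'scm' policy back; prints "true" (basic auth still on) or "false".
basic_auth_allowed() {
  rg="$1"; parent="$(policy_parent "$2" "${3:-}")"
  az resource show \
    --resource-group "$rg" \
    --namespace Microsoft.Web \
    --resource-type basicPublishingCredentialsPolicies \
    --parent "$parent" \
    --name scm \
    --query properties.allow \
    --output tsv
}

# Extract the AuthType parameter from the first msdeploy line on stdin.
# Prints Basic, Bearer, or "none" when no AuthType parameter is present,
# so the result can gate a pipeline step or a post-deployment audit.
deploy_auth_type() {
  sed -n "s/.*AuthType='\([A-Za-z]*\)'.*/\1/p" | head -n 1 | grep . || echo none
}

# Constructed sample log lines (placeholder app name, secrets masked as in real logs).
LOG_BASIC="msdeploy.exe -source:package='app.zip' -dest:auto,ComputerName='https://exampleapp.scm.azurewebsites.net:443/msdeploy.axd?site=exampleapp',UserName='user',Password='***',AuthType='Basic' -setParam:name='IIS Web Application Name',value='exampleapp'"
LOG_BEARER="msdeploy.exe -source:package='app.zip' -dest:auto,ComputerName='https://exampleapp.scm.azurewebsites.net:443/msdeploy.axd?site=exampleapp',UserName='user',Password='***',AuthType='Bearer' -setParam:name='IIS Web Application Name',value='exampleapp'"

# Offline check of the log parser against the constructed lines.
printf '%s\n' "$LOG_BASIC"  | deploy_auth_type   # Basic
printf '%s\n' "$LOG_BEARER" | deploy_auth_type   # Bearer

# Usage: sh disable-basic-auth.sh <resource-group> <app> [slot]
# Only talks to Azure when invoked with arguments (requires a logged-in az CLI).
if [ "$#" -ge 2 ]; then
  disable_basic_auth "$1" "$2" "${3:-}"
  echo "basic auth still allowed on scm: $(basic_auth_allowed "$1" "$2" "${3:-}")"
fi
```

Run `disable_basic_auth` once per slot you deploy to (the policy is per slot, not inherited), and feed the downloaded pipeline log to `deploy_auth_type` to confirm it reports `Bearer` rather than `Basic` before treating the migration as done.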

I don’t have exact information on what is happening behind the scenes, but bearer-token-based authentication is more secure than basic authentication. You can read more about the differences between authentication types on this page. What I think is happening is that Azure DevOps uses the service principal in the service connection to authenticate with Azure and fetches the deployment token that way. This removes the need for a username and password to deploy the app and also mitigates the risk of leaking deployment credentials. However, I don’t know how msdeploy really performs the deployment, so this is just an educated guess.

Summary

Disabling basic authentication is an easy way to improve pipeline security. Just make sure you are using the latest hosted agents, or update msdeploy to version 7.1.7225 or higher. Also remember to make the change for deployment slots, because they are most likely your deployment targets. After setting everything up, check the log files and make sure that msdeploy is run with the Bearer AuthType parameter.