Overview
Function App deployment credentials based on basic username and password authentication are weaker than Microsoft Entra-based deployment flows. If FTP or SCM basic publishing credentials remain enabled, stolen app-level or user-level credentials can be reused for code deployment or file access.
Disable basic publishing credentials and use deployment methods backed by Microsoft Entra ID, managed identities, service principals, or OIDC.
Remediation guidance
Remediation
Disable both FTP and SCM basic publishing credentials for the Function App.
Azure CLI
Disable FTP basic authentication:
az resource update \
--resource-group {{asset.azureResourceGroup}} \
--name ftp \
--namespace Microsoft.Web \
--resource-type basicPublishingCredentialsPolicies \
--parent sites/{{asset.name}} \
--set properties.allow=false
Disable SCM basic authentication:
az resource update \
--resource-group {{asset.azureResourceGroup}} \
--name scm \
--namespace Microsoft.Web \
--resource-type basicPublishingCredentialsPolicies \
--parent sites/{{asset.name}} \
--set properties.allow=false
Validate both policies (each entry should report allowed: false):
az resource list \
--resource-group {{asset.azureResourceGroup}} \
--resource-type Microsoft.Web/sites/basicPublishingCredentialsPolicies \
--query '[?contains(id, `{{asset.name}}`)].{name:name,allowed:properties.allow}'
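The validation step above can be evaluated offline against the JSON that `az resource list ... -o json` returns. This is an added example, not part of the original control or the Azure CLI; the subscription, resource group and site names in the sample output are constructed placeholders.

```python
"""Added example: evaluate the control's check offline against the JSON that
`az resource list --resource-type Microsoft.Web/sites/basicPublishingCredentialsPolicies -o json`
returns. Compliant means no policy has properties.allow == true ("eq [])."""
import json
import shlex

# Constructed sample of the az output; subscription, group and site names are placeholders.
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
           "/providers/Microsoft.Web/sites/func-example/basicPublishingCredentialsPolicies/")
SAMPLE_AZ_OUTPUT = json.dumps([
    {"id": _PREFIX + "ftp", "name": "ftp", "properties": {"allow": True}},
    {"id": _PREFIX + "scm", "name": "scm", "properties": {"allow": False}},
])

def policies_for_site(az_json: str, site_name: str) -> list[dict]:
    """Keep only the policies under sites/<site_name>/. Matching on the full path
    segment avoids the false hits a bare contains(id, name) gives for apps whose
    names share a prefix (e.g. func-example vs func-example-2)."""
    marker = f"/sites/{site_name}/"
    return [p for p in json.loads(az_json) if marker in p.get("id", "")]

def allowed_basic_auth(policies: list[dict]) -> list[str]:
    """Names of policies (ftp, scm) that still allow basic auth; [] is compliant.
    A missing 'allow' value is treated as non-compliant so the check fails closed."""
    return sorted(p["name"] for p in policies
                  if p.get("properties", {}).get("allow", True) is not False)

def disable_command(resource_group: str, site_name: str, policy_name: str) -> str:
    """Render the page's remediation `az resource update` for one offending policy."""
    return shlex.join([
        "az", "resource", "update",
        "--resource-group", resource_group,
        "--name", policy_name,
        "--namespace", "Microsoft.Web",
        "--resource-type", "basicPublishingCredentialsPolicies",
        "--parent", f"sites/{site_name}",
        "--set", "properties.allow=false",
    ])

if __name__ == "__main__":
    site = policies_for_site(SAMPLE_AZ_OUTPUT, "func-example")
    for name in allowed_basic_auth(site):  # one remediation command per finding
        print(disable_command("rg-example", "func-example", name))
```

Feed it real output by replacing SAMPLE_AZ_OUTPUT with the string returned by the `az resource list` command above.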
References
- https://learn.microsoft.com/en-us/azure/app-service/configure-basic-auth-disable
- https://learn.microsoft.com/en-us/azure/app-service/deploy-configure-credentials
Query logic
These are the stored checks tied to this control.
Azure Function Apps with basic publishing credentials enabled
Connectors: Microsoft Azure
Covered asset types
Expected check: eq []
{
  functionApps(
    where: {
      basicPublishingCredentials_SOME: {
        allowed: { eq: true }
      }
    }
  ) {
    ...AssetFragment
  }
}