Cannot deploy to Azure App Service from VS Code or CLI - azure

I am able to create a new Azure App Service on my Azure subscription from VS code. If I then try to deploy my python web application to the App Service that I just created I get a "401 - Unauthorized: Access" error. If I logon to the Azure portal I can view my newly created App Service. I can see on the Access Control page that I am listed as a contributor. I am not sure why I can not deploy my code or view files. Does anyone have suggestions as to security settings to check? I need to be able to deploy my code. Thank you.

#Kachopsticks, Apologies! If my response is to too late. To benefit the community, sharing the steps that could help isolate such issues:
There is a way to disable basic auth access to the WebDeploy port and SCM site with basicPublishingCredentialsPolicies, see if this is the case.
basicPublishingCredentialsPolicies --parent sites/ --set properties.allow=false
https://learn.microsoft.com/azure/app-service/deploy-configure-credentials?tabs=cli#webdeploy-and-scm
You could re-download the publish profile from Azure portal, and import publish settings in Visual Studio for deployment.
In the Azure portal, open the Azure App Service.
Go to Get publish profile and save the profile locally.
A file with a .publishsettings file extension has been generated in the location where you saved it and you may import that in VS and then attempt to re-deploy.
Additionally, Azure App Service supports two types of credentials for local-Git and FTP/S deployment:
User-level credentials one set of credentials for the entire Azure account.
App-level credentials (one set of credentials for each app. It can be used to deploy to that app only) -. They can't be configured manually, but can be reset anytime. For a user to be granted access to app-level credentials via (RBAC), that user must be contributor or higher on the app (including Website Contributor built-in role). Readers are not allowed to publish, and can't access those credentials.

Related

Issue with VSTS Release Definition

I have an ASP.NET MVC application and want to deploy it to Azure cloud service.
I have added Azure cloud service deployment task and trying to configure the subscription details using "New button". There are two fields which ask for user name and password. So I entered my credentials that I use to login to portal.azure.com. But I get an error during release process. Can you please help if I am missing anything?
2018-02-14T22:43:28.0976940Z ##[command]Import-Module -Name C:\Program Files\WindowsPowerShell\Modules\AzureRM.Profile\2.1.0\AzureRM.Profile.psm1 -Global
2018-02-14T22:43:28.1499971Z ##[command]Add-AzureAccount -Credential System.Management.Automation.PSCredential
2018-02-14T22:43:31.8827701Z ##[error]AADSTS50079: The user is required to use multi-factor authentication.
The Azure classic portal has been retired, so you need to use the new portal and add Azure Resource Manager (Azure RM) service endpoint).
The simple way to add Azure RM service endpoint:
Create a new build definition
Add Azure App Service Deploy task, select the item in Available Azure subscription
Click Authorize button
After that, it will add related service endpoint to your team project.
Another way is that, you can refer to this blog to add service endpoint:
Connect your Azure subscriptions to VSTS in 3 clicks
You can create a set of deployment credentials that's different from your microsoft account's credentials.
Everything is pretty well explained here:
When you log into Microsoft Azure you are logging in with a Microsoft Account. This account lets you add, modify, and remove
resources within your Azure subscription. Some Azure resources such
as Websites and Mobile Services require a separate deployment
credential to publish code. This separate deployment credential can
be confusing and I wanted to document a few key points:
The username you choose for the deployment credential must be unique
across all Azure subscribers.
The deployment credential you create is
tied to your Microsoft account and is the same credential for all
Azure resources which require a deployment credential.
You do not
want to share your deployment credential. Again, this credential has
access to publish code to all Websites and Mobile Services that your
Microsoft account can administer

Get publish profile returns unauthorised user

I'm trying to debug a web API on azure and need to access the logs from FTP
Whenever I try and download the publish profile in order to learn my FTP connection details, I get an error page saying credentials were incorrect
How can this be if I'm already logged in?
Make sure you have privileged permissions to the resources which you are trying to access.
Incase if you haven’t set the credentials for your Web API, suggest you set the credentials first using the azure portal.
Select your Azure Web App/API -> under deployment credentials set your FTP deployment credentials. For more details, you can refer the below screenshot.
You could also use Get-AzurePublishSettingsFile PowerShell cmdlet to download the publish settings profile file.

Deploying AzureRM Web App with VSTS automatically

I am trying to follow https://blogs.msdn.microsoft.com/tfssetup/2016/04/01/build-and-deploy-azure-web-apps-using-team-foundation-serverservices-vnext-builds/.
I have no issues deploying the web app manually from Visual Studio using PublishingSettings and Publish option. I just want to automate the process and I am stuck at this step:
The article clearly advises
Select the Certificate Based connection. This is very important when
you are trying to deploy. Credential based Microsoft Account
(#outlook, #hotmail) are no longer supported and only Organizational
accounts are. Even then, if they use Two-Factor Authentication(2FA),
the build will fail trying to connect to Azure.
This is correct and if I try to use Credentials, my deployment fails with unknown_user_type: Unknown User Type
There was an error with the Azure credentials used for deployment. message.
So >> Certificate. But in my PublishSettings file there is no Management Certificate and as per this article
Azure Management Certificates and Publishing Setting files (...) are
only intended and limited to manage Azure Service Management (ASM)
resources
I tried this option:
But VSTS is not connected to the Azure environment (considering that Azure belongs to one Customer and VSTS to another, is it even possible?).
My questions:
* Is it the deployment somehow possible with PublishSettings file?
* Should the "Credentials" option work if I am using an organizational account Me#Company.com?
* How else can I try?
EDIT
Your solution could be creating a service principal in Azure and connect it to VSTS. The automatic Build from VSTS should then be published to Azure automatically. Here you find how to setup the service principal and connect it to VSTS: https://www.petri.com/connect-visual-studio-team-services-azure-using-service-principal-name
I am not sure right now, whether you are using TFS or VSTS?! When I publish a Web App in VSTS, the ARM Service Endpoints works well:

Granting permissions to Azure Active Directory Web Application automatically

Our company is developing a system that is based on Azure components and a client desktop application that connects to Azure. The Azure components are being deployed automatically by our setup code via the Azure API and Azure deployment automation. One of these components being deployed is a Web App / API that we register in the Azure Active Directory. Our deployment code creates this app in Azure via the Azure API and sets the "Required permissions" for this app in Azure. The required permissions are:
Once the application is set up with Azure we then have our client desktop application. In our client desktop application the user can log into the Azure and then we want to access the created application. So our client desktop application basically displays the Azure login box to log into Azure and then it tries to access the Web application in Azure, and we got this:
OK, so I can manually solve it: if I log into Azure as Admin and I manually grant the permissions by clicking the "Grant Permissions" button, the message shown above will not be shown anymore and everything will work smoothly. The "Grant Permissions" button I click is this:
But unfortunately we cannot go this way of granting the permissions manually, we need to find a way to do it programmatically - by C# code. This is our business requirement. So the existing C# code creates the application in Azure AD, sets the required permissions for it, and the missing part is a C# snippet that will automatically grant the permissions - so that the users don't see the warning message above.
I've been looking into various online resources and haven't found a way to do it by C# code as yet - unfortunately. Is there a way to grant the permissions automatically? Any C# snippet? Azure API call? Powershell? Anything?
Regarding details of permissions that our application requests:
For the Microsoft Graph we required those permissions as Application Permissions:
And those as Delegated Permissions:
For Windows Azure Active Directory the required permissions are:
The question has been answered above by #Saca and #Nan Yu. It can be closed now. The solution based on creating OAuth2PermissionGrant and AppRoleAssignment objects for the ServicePrincipal of an application being created is the right way to solve the problem, I have managed to solve the problem this way.

How do I reset azure deployment credentials?

I have accidentally set a user name / password for FTP access through App -> Deployment Credentials -> FTP user name / password in azure portal.
I do not want FTP access to my sire / account. The action that I did set my user level credential for all apps on my account which is not what i desired.
How do I reset my credentials? I do not want a different FTP username, rather remove FTP access to my site completely. I followed the steps in this, but I cannot find the the "Quick Glance" menu in the new portal.
Use the 'Reset publish profile' button on the Overview blade of the App in the Azure portal.
It's situated in the top right here:
Edit 1:
Completely removing FTP access to the App Service is not (yet) supported, but the option is under review as you can read here: https://feedback.azure.com/forums/169385-web-apps/suggestions/8211222-option-to-disable-ftp-and-force-ftps-in-azure-we
Edit 2:
User-level credentials: one set of credentials for the entire Azure account. It can be used to deploy to App Service for any app, in any subscription, that the Azure account has permission to access. These are the default credentials set that you configure in App Services > <app_name> > Deployment credentials. This is also the default set that's surfaced in the portal GUI (such as the Overview and Properties of your app's resource blade).
Source: Configure deployment credentials for Azure App Service

Resources