December 23rd, 2024

Security updates to Azure publishing from Visual Studio

Brady Gaster
Brady Gaster
Principal Program Manager

Visual Studio 2022 introduces a new feature to improve the security of publishing applications to Azure App Service. This feature is designed to disable Basic Authentication and enable integrated security for a more secure publishing process.

Disabling basic Auth

Basic Authentication has been identified as a less secure method for managing app deployments. Visual Studio 2022 addresses this issue by offering you an option to disable Basic Authentication, which enhances security by using integrated authentication.

The problem with Basic Authentication

Basic Authentication involves sending user credentials in a format that is not highly secure, making it vulnerable to interception. This poses a risk to the integrity of applications.

Secure publishing with integrated authentication

The new feature in Visual Studio 2022 disables Basic Authentication and enables integrated security for publishing to Azure App Service. This ensures that publishing credentials is handled securely, reducing the risks associated with Basic Authentication.

When publishing to an Azure App Service that has Basic Authentication enabled (which is not recommended), users will see the Turn on Basic Authentication option, and it will be unchecked by default. Customers who need to retain Basic Authentication can check the box, but given the recommendation is to disable Basic Authentication it’s unchecked by default, so you start secure if this is the first time you’re publishing or, you get secure once you go through the publishing process after you update Visual Studio.

publishing a new app service (basic auth available)

If you’ve created the Web App recently via the portal or this or any future version of Visual Studio, Basic Authentication will be disabled by default. For any Web App that’s already got Basic Authentication disabled, we circumvent inadvertently making the Web App less secure by disabling the checkbox altogether, so you stay secure.

publishing a new app service (basic auth not available)

This feature improves the overall security of the publishing process, ensuring that sensitive credentials are not exposed. It also simplifies the process by defaulting to a more secure option, reducing the need for manual security configurations. If, at any point, you need to re-enable Basic Authentication, this is always possible in the Azure Portal.

Conclusion

We deeply appreciate your invaluable feedback, which plays a crucial role in enhancing Visual Studio. Thank you for being a vital part of our community.

Category
AdministrationReliabilityTeam and DevelopmentVisual Studio
Topics
AuthenticationAzure App Services

Author

Brady Gaster
Brady Gaster
Principal Program Manager

Brady Gaster is a program manager in the ASP.NET team at Microsoft, where he works on SignalR, microservices and APIs, and integration with Azure service teams in hopes to make it exciting for developers who work on .NET apps to party in the cloud. You can find Brady on Twitter or Twitch at @bradygaster when he's not learning with (or from) his 2 sons, tinkering with code, or making music in his basement using various synthesizers and guitars.

Read next