Thanks for logging this idea. It’s definitely a valid request and we’ll leave it under review to see if it collects more support from users.
As a reference, take a look at the deployment credentials doc we have out: https://docs.microsoft.com/en-us/azure/app-service-web/app-service-deployment-credentials
Oded
Joshua Summers commented
There should be an ability to not only audit the user accounts that can deploy to a web app, but allow us to remove a deployment credential from a valid AAD user account without doing the following:
1) Delete the user from AAD and recreate them
2) Remove that user from all subscriptions or resources where you have web apps...permanently
Right now, to truly secure a subscription after a user has established a deployment credential, you have to rebuild the entire subscription. Imagine having N number of administrators and they all created their own credential...with a password that never expires or requires changing.
From a security perspective, this is a BIG deal and has implications for auditing for those familiar with PCI-DSS.
Joshua Summers commented
The Publish profile for a web app does not respect the FTP credentials a user has associated with their account. This is another part of the auditing that should be rectified.
Joshua Summers supported this idea