[App Service] Fix #30021: az webapp deployment source config: Detect SP auth and provide guidance #33053

Closed
seligj95 wants to merge 1 commit into Azure:dev from seligj95:fix/30021-sp-deployment-source

@seligj95
Contributor

Description

This PR fixes issue #30021 where az webapp deployment source config --github-action fails with a cryptic "Cannot find User" error when called with Service Principal authentication.

Root Cause

The Azure App Service backend API requires a publishing user when isGitHubAction=true is set in the deployment source config request. Service Principals do not have publishing users, causing a 404 error from the backend.

Solution

Added client-side validation in the config_source_control function to detect when:

  1. The current authentication context is a Service Principal
  2. The --github-action flag is set to true

When both conditions are met, the CLI now raises a clear ValidationError directing users to use az webapp deployment github-actions add instead, which properly supports Service Principal authentication.

Changes

  • Added _is_service_principal_auth helper function to detect SP authentication
  • Added validation logic in config_source_control function
  • Added comprehensive unit tests covering:
    • SP + --github-action raises error
    • User + --github-action works normally
    • SP without --github-action works normally

Testing

All tests pass:

pytest src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands_thru_mock.py::TestServicePrincipalDeploymentSource -v
# 3 passed

Style checks pass:

azdev style appservice
# Pylint: PASSED
# Flake8: PASSED

Breaking Change

This is not a breaking change. The current behavior is already broken for Service Principals. This change adds validation to prevent a confusing backend error and provides clear guidance to users.

Related Issue

Fixes #30021


History Notes

App Service

Copilot AI review requested due to automatic review settings March 26, 2026 01:36
@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Mar 26, 2026

✔️ AzureCLI-FullTest

Each module below: ✔️ latest, ✔️ 3.12, ✔️ 3.13

acr, acs, advisor, ams, apim, appconfig, appservice, aro, backup, batch, batchai, billing, botservice, cdn, cloud, cognitiveservices, compute_recommender, computefleet, config, configure, consumption, container, containerapp, core, cosmosdb, databoxedge, dls, dms, eventgrid, eventhubs, feedback, find, hdinsight, identity, iot, keyvault, lab, managedservices, maps, marketplaceordering, monitor, mysql, netappfiles, network, policyinsights, postgresql, privatedns, profile, rdbms, redis, relay, resource, role, search, security, servicebus, serviceconnector, servicefabric, signalr, sql, sqlvm, storage, synapse, telemetry, util, vm

@azure-client-tools-bot-prd

Hi @seligj95,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@yonzhan
Collaborator

yonzhan commented Mar 26, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Mar 26, 2026

✔️ AzureCLI-BreakingChangeTest
✔️ Non Breaking Changes

Contributor

Copilot AI left a comment

Pull request overview

This PR addresses #30021 by adding client-side validation to az webapp deployment source config --github-action so that Service Principal authentication is detected early and a clear ValidationError guides users to az webapp deployment github-actions add.

Changes:

  • Added _is_service_principal_auth(cli_ctx) helper to detect Service Principal authentication.
  • Added validation in config_source_control to block --github-action when running under SP auth with a clear error message.
  • Added unit tests covering SP + GitHub Actions (error) and non-blocked paths.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File: Description

  • src/azure-cli/azure/cli/command_modules/appservice/custom.py: Adds SP-auth detection helper and validation guard in config_source_control.
  • src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands_thru_mock.py: Adds unit tests validating the new SP + --github-action behavior.
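
The guard outlined in the PR description and in the review overview above, written as an added example; it is not the PR's code, whose diff does not appear on this page. The function names, the local ValidationError stand-in and the sample accounts are assumptions, and the check relies on the user.type field that az account show reports.

```python
import json


class ValidationError(Exception):
    """Stand-in for azure.cli.core.azclierror.ValidationError so this runs without azure-cli."""


# Constructed samples shaped like `az account show -o json` output.
SP_ACCOUNT = json.dumps({"name": "ci-sub", "user": {
    "name": "00000000-0000-0000-0000-000000000000", "type": "servicePrincipal"}})
USER_ACCOUNT = json.dumps({"name": "dev-sub", "user": {
    "name": "dev@example.com", "type": "user"}})


def is_service_principal(account_json):
    """Return True when the active login's user.type is 'servicePrincipal'."""
    try:
        account = json.loads(account_json)
    except (TypeError, ValueError):
        return False  # no usable login info: let the CLI report that on its own
    user = account.get("user") if isinstance(account, dict) else None
    if not isinstance(user, dict):
        return False
    return str(user.get("type", "")).lower() == "serviceprincipal"


def preflight_source_config(account_json, github_action=False):
    """Hypothetical guard: reject SP + --github-action before any backend call."""
    if github_action and is_service_principal(account_json):
        raise ValidationError(
            "--github-action needs a publishing user, which a Service Principal "
            "does not have. Use 'az webapp deployment github-actions add' instead.")
    return True


def run_cases():
    """Exercise the three cases the PR's unit tests list; returns the outcome per case."""
    cases = [("sp+flag", SP_ACCOUNT, True), ("user+flag", USER_ACCOUNT, True),
             ("sp-no-flag", SP_ACCOUNT, False)]
    outcomes = {}
    for label, account, flag in cases:
        try:
            preflight_source_config(account, github_action=flag)
            outcomes[label] = "allowed"
        except ValidationError:
            outcomes[label] = "blocked"
    return outcomes


if __name__ == "__main__":
    print(run_cases())
```
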

@seligj95 seligj95 changed the title [App Service] Fix #30021: Detect SP auth in az webapp deployment source config [App Service] Fix #30021: az webapp deployment source config: Detect SP auth and provide guidance Mar 26, 2026
…nfig

When az webapp deployment source config --github-action is called
with Service Principal authentication, the Azure API returns 404
trying to look up a publishing user. This change adds client-side
detection to provide a clear error message directing users to
az webapp deployment github-actions add, which supports SP auth.

Fixes Azure#30021

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@seligj95 seligj95 force-pushed the fix/30021-sp-deployment-source branch from 4e663c6 to 9903174 Compare March 26, 2026 02:03
@yonzhan yonzhan assigned yanzhudd and unassigned zhoxing-ms Mar 26, 2026
@seligj95
Contributor Author

Consolidated into #33075

@seligj95 seligj95 closed this Mar 26, 2026

Development

Successfully merging this pull request may close these issues.

az webapp deployment source looks for user even if it is called by a Service Prinicpal