You deployed your Function app, asked Defender for Cloud or Azure Advisor for some recommendations – and this recommendation, “FIX: FTPS should be required in function apps”, popped up at the top of the list? Don’t worry – this is the default behavior, and it takes just a few clicks to correct. You can do it in the Azure Portal or in PowerShell. To do it in the Azure Portal, go through:
1) Find your Function app and go to “Configuration”
2) Click “General settings”
3) In the “FTPS state” change the value from “All allowed” to “FTPS only”
4) Click the “Save” button to perform the change
Fix “FTPS should be required in function apps” in PowerShell
```powershell
# Find your function app by its name. In the example, the function app is named FunctionApp123456.
PS> Get-AzWebApp -Name FunctionApp123456

Name              State   ResourceGroup           EnabledHostNames                                   Location
----              -----   -------------           ----------------                                   --------
FunctionApp123456 Running FunctionApp123456_group {functionapp123456.azurewebsites.net, functionapp… Central US

# Check the current value of the setting
PS> $FunctionApp = Get-AzWebApp -Name FunctionApp123456
PS> $FunctionApp.SiteConfig.FtpsState
AllAllowed

# Update the value
PS> Set-AzWebApp -Name FunctionApp123456 -ResourceGroupName FunctionApp123456_group -FtpsState FtpsOnly

Name              State   ResourceGroup           EnabledHostNames                                   Location
----              -----   -------------           ----------------                                   --------
FunctionApp123456 Running FunctionApp123456_group {functionapp123456.azurewebsites.net, functionapp… Central US

# Validate that the change was successful
PS> $FunctionApp = Get-AzWebApp -Name FunctionApp123456
PS> $FunctionApp.SiteConfig.FtpsState
FtpsOnly
```
Impact
You might not even realize there was FTP anywhere in your Function App. It is not a protocol used by the end-users of the app; it is a protocol you may use to deploy your code. And the FTP protocol is unencrypted. Yes – communication over FTP is performed in “plain text”, including the credentials used to log in. That is why FTPS is the secured version – it adds TLS encryption to the communication. This way any third party able to tap into the communication channel will only be able to establish who is sending traffic and where, but will not have access to the contents of the traffic itself. Using FTPS, the code you are transferring is protected from prying eyes and from modification along the way.
But I always deploy by FTPS anyway, so why reconfigure?
First of all – as you have seen – this reconfiguration takes close to no time, so time or complexity is no excuse. And there is no drawback to enforcing FTPS: practically every modern deployment tool that speaks FTP can also speak FTPS. By establishing proper security guardrails, you are preparing for future human error on your side or by any other administrator with access to your function app. The client used for deployment can be misconfigured, or a new employee might run into trouble establishing an FTPS connection – and “fix” it the easiest way possible: by not using FTPS.
While you’re at it – there is another setting which is also insecure by default and exposes your organization to risk by not enforcing a proper level of encryption. Enforce HTTPS on your function apps as one of the first things you ever do with them.
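The single-app fix above does not scale once you have dozens of function apps, and the FTPS and HTTPS-only settings are best checked together. The following script is an added example, not part of the original post: it audits every function app in the current subscription for both settings and, with the hypothetical `-Remediate` switch, applies the same `Set-AzWebApp -FtpsState FtpsOnly` change the post shows. It assumes the Az.Websites module is installed and `Connect-AzAccount` has already been run.

```powershell
# Added example (not from the original post): audit all function apps in the
# current subscription for FtpsState and HttpsOnly, optionally enforcing FTPS.
# Assumes Az.Websites is loaded and a signed-in Az context. The -Remediate switch
# is this script's own name, not an Az cmdlet parameter.
param([switch]$Remediate)

# Function apps are App Service sites whose Kind contains "functionapp".
$sites = Get-AzWebApp | Where-Object { $_.Kind -like '*functionapp*' }

$findings = foreach ($site in $sites) {
    # The list call returns a summary object; fetch the full resource so that
    # SiteConfig (and therefore FtpsState) is populated.
    $app  = Get-AzWebApp -ResourceGroupName $site.ResourceGroup -Name $site.Name
    $ftps = $app.SiteConfig.FtpsState

    # "FtpsOnly" is the value the post sets; "Disabled" (FTP turned off entirely)
    # also removes the plaintext path. Anything else ("AllAllowed") is a finding.
    $ftpsCompliant = $ftps -in @('FtpsOnly', 'Disabled')

    if (-not $ftpsCompliant -and $Remediate) {
        Set-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name -FtpsState FtpsOnly | Out-Null
        $ftps          = 'FtpsOnly'
        $ftpsCompliant = $true
    }

    [pscustomobject]@{
        Name           = $app.Name
        ResourceGroup  = $app.ResourceGroup
        FtpsState      = $ftps
        FtpsCompliant  = $ftpsCompliant
        # HttpsOnly is the second default discussed above; reported, not changed here.
        HttpsOnly      = $app.HttpsOnly
    }
}

# Show non-compliant apps first so they stand out in the report.
$findings | Sort-Object FtpsCompliant, HttpsOnly | Format-Table -AutoSize
```

Run it without parameters first to see the report; re-run with `-Remediate` once you have confirmed the list is what you expect.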