services / Azure / App Service deployment (publishing) user
The subscription-scoped App Service deployment (publishing) user that holds the FTP/Git deployment credentials used to push code to web apps.
The password is write-only, so reads do not return it in plaintext, but the account controls code deployment to App Service sites.
Microsoft.Web/publishingusers/write
Sets the deployment publishing user's username/password, letting an attacker establish known credentials for persistent Git/FTP code-push access, push code that runs under app identities (lateral movement), and alter deployed application content.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog