Azure Remediation — April 2026
Implementation record for PSI Azure hardening rollout, controlled deploy validation, and DMT authentication incident response completed on 2026-04-02.
Scope
Production App Service targets:
- erp-migration-api
- bom-explorer-web
- ps-project-explorer
- redbook-web
- ps-redbook-dashboard
- prgjsmes-prod
- psredbookphotos
Control goals:
- Move sensitive settings to Key Vault references
- Disable SCM/FTP basic publishing credentials
- Standardize auth posture and document exceptions
- Validate with real deployment runs and endpoint probes
What changed
1) Key Vault references
Sensitive app settings were migrated to Key Vault references using ps-certificates-kv, with per-app mapping and rollout evidence.
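The following is an added example, not part of the PSI rollout tooling: a small audit that takes App Service app settings in the shape returned by `az webapp config appsettings list` and checks that sensitive-looking settings are Key Vault references pointing at ps-certificates-kv (the vault named above). It parses both documented reference forms, `@Microsoft.KeyVault(SecretUri=...)` and `@Microsoft.KeyVault(VaultName=...;SecretName=...)`. The sensitive-name hints and the sample settings are constructed for the example and are not real PSI values.

```python
"""Audit App Service app settings for Key Vault references.

Added example for this page; it is not the PSI rollout tooling. It parses the
two documented reference forms

  @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/[<version>])
  @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])

and flags sensitive-looking settings that still hold a literal value, malformed
references, and references that point at a vault other than the expected one.
SENSITIVE_HINTS and SAMPLE_SETTINGS are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

EXPECTED_VAULT = "ps-certificates-kv"  # vault named on this page
SENSITIVE_HINTS = ("KEY", "SECRET", "PASSWORD", "PWD", "TOKEN", "CONNECTION")

_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$", re.IGNORECASE | re.DOTALL)
_URI = re.compile(
    r"^https://(?P<vault>[^./]+)\.vault\.azure\.net/secrets/(?P<name>[^/]+)/?(?P<ver>[^/]*)$",
    re.IGNORECASE,
)


@dataclass
class KvRef:
    vault: str
    secret: str
    version: Optional[str]


def parse_kv_reference(value: str) -> Optional[KvRef]:
    """Return a KvRef if value is a well-formed Key Vault reference, else None."""
    m = _REF.match(value.strip())
    if not m:
        return None
    body = m.group("body").strip()
    if body.lower().startswith("secreturi="):
        u = _URI.match(body[len("secreturi="):].strip())
        if not u:
            return None
        return KvRef(u.group("vault").lower(), u.group("name"), u.group("ver") or None)
    parts = {}
    for kv in body.split(";"):
        if "=" not in kv:
            return None
        k, v = kv.split("=", 1)
        parts[k.strip().lower()] = v.strip()
    if "vaultname" not in parts or "secretname" not in parts:
        return None
    return KvRef(parts["vaultname"].lower(), parts["secretname"], parts.get("secretversion"))


def looks_sensitive(name: str) -> bool:
    n = name.upper()
    return any(h in n for h in SENSITIVE_HINTS)


def audit_app_settings(settings, expected_vault: str = EXPECTED_VAULT):
    """Return [(setting_name, finding)] for settings that violate the control.

    literal-secret       sensitive-looking name holding a plain value
    malformed-reference  starts like a KV reference but does not parse
    unexpected-vault     reference points at a vault other than expected_vault
    """
    findings = []
    for s in settings:
        name, value = s["name"], s["value"]
        ref = parse_kv_reference(value)
        if ref is None:
            if value.lstrip().lower().startswith("@microsoft.keyvault"):
                findings.append((name, "malformed-reference"))
            elif looks_sensitive(name):
                findings.append((name, "literal-secret"))
            continue
        if ref.vault != expected_vault.lower():
            findings.append((name, "unexpected-vault"))
    return findings


# Constructed sample shaped like `az webapp config appsettings list` output.
# Names and values are invented for the example, not real PSI settings.
SAMPLE_SETTINGS = [
    {"name": "DB_CONNECTION_STRING",
     "value": "@Microsoft.KeyVault(SecretUri=https://ps-certificates-kv.vault.azure.net/secrets/erp-db-conn/)"},
    {"name": "GRAPH_CLIENT_SECRET",
     "value": "@Microsoft.KeyVault(VaultName=ps-certificates-kv;SecretName=graph-client-secret)"},
    {"name": "API_TOKEN", "value": "sk-live-EXAMPLE-NOT-A-REAL-TOKEN"},
    {"name": "LEGACY_PASSWORD",
     "value": "@Microsoft.KeyVault(SecretUri=https://other-team-kv.vault.azure.net/secrets/legacy/)"},
    {"name": "BROKEN_REF", "value": "@Microsoft.KeyVault(SecretUri=not-a-vault-url)"},
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1"},
]

if __name__ == "__main__":
    for name, finding in audit_app_settings(SAMPLE_SETTINGS):
        print(f"{finding:20} {name}")
```

Run it against the exported settings of each app in the scope list to produce the per-app mapping evidence; a clean run returns no findings. Note that the audit only proves a reference is well-formed and points at the right vault, not that the app's managed identity can read the secret, so pair it with the deployment runs and endpoint probes recorded below.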
2) Publishing credential hardening
For production targets, basic publishing credentials were disabled:
- basicPublishingCredentialsPolicies/scm=false
- basicPublishingCredentialsPolicies/ftp=false
Publish-profile and local-Git deployment patterns therefore no longer work for these apps; deployments go through the validated GitHub workflows listed below.
3) Deployment workflow validation
Real deploy runs were executed with workflow_dispatch (one app at a time), not just static config checks.
Final validated runs:
| App | Repo | Workflow | Run ID | Conclusion |
|---|---|---|---|---|
| bom-explorer-web | ProgressiveSurface/bom-explorer-web | azure-deploy.yml | 23659061 | success |
| erp-migration-api | ProgressiveSurface/erp-migration-tool | deploy.yml | 23678116 | success |
| prgjsmes-prod | ProgressiveSurface/PRGJSMES | deploy-production.yml | 23668556 | success |
| ps-project-explorer | ProgressiveSurface/project-explorer | azure-app-service.yml | 23662771 | success |
| ps-redbook-dashboard | ProgressiveSurface/redbook-dashboard | azure-deploy.yml | 23665741 | success |
| redbook-web | ProgressiveSurface/redbook-web | azure-deploy.yml | 23664276 | success |
4) ERP deploy pipeline fixes discovered during validation
ProgressiveSurface/erp-migration-tool workflow was updated to prevent false failures:
- Health gate accepts 200, 401, or 403 for protected/reachable endpoints
- Version-bump commit push made race-tolerant (pull --rebase plus a safe non-blocking fallback)
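The health-gate rule above, written out as an added example (this is not the erp-migration-tool workflow's own step): a post-deploy probe that passes on 200, 401 or 403, retries on 5xx and network errors, and fails the step otherwise. The fetcher is injectable so the gate can be exercised offline; the warm-up sequence (503, 503, then 401) and the retry budget are constructed for the example. The dmt.progressivesurface.com paths are the ones validated on this page, but the probe results shown are invented.

```python
"""Post-deploy health gate that tolerates auth-protected endpoints.

Added example, not the erp-migration-tool workflow itself. It encodes the rule
adopted on this page: a protected endpoint answering 401 or 403 is reachable and
serving, so those pass alongside 200; 5xx, connection errors and timeouts are
retried and then fail the gate. A per-URL `accept` override lets an endpoint
that must be anonymous insist on 200. Retry budget and scripted responses are
assumptions for the example.
"""
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Set

ACCEPTED = {200, 401, 403}


def http_status(url: str, timeout: float = 10.0) -> int:
    """GET the URL and return its status; 4xx/5xx are statuses, not exceptions.
    Network-level failures (DNS, connect, timeout) propagate as exceptions."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "deploy-health-gate/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def health_gate(urls, fetch: Callable[[str], int] = http_status, attempts: int = 5,
                delay: float = 3.0, sleep=time.sleep, accept: Optional[Dict[str, Set[int]]] = None):
    """Probe each URL up to `attempts` times; return (passed, report).

    report maps url -> last status int, or 'error: <ExceptionName>' if the
    final attempt never got an HTTP answer. A URL passes as soon as it returns
    a status in accept[url] (default ACCEPTED).
    """
    accept = accept or {}
    report = {}
    for url in urls:
        allowed = accept.get(url, ACCEPTED)
        last = None
        for attempt in range(1, attempts + 1):
            try:
                status = fetch(url)
            except Exception as exc:  # DNS / connect / timeout
                last = f"error: {exc.__class__.__name__}"
            else:
                last = status
                if status in allowed:
                    break
            if attempt < attempts:
                sleep(delay)
        report[url] = last
    passed = all(isinstance(report[u], int) and report[u] in accept.get(u, ACCEPTED) for u in urls)
    return passed, report


def scripted_fetch(script: Dict[str, list]) -> Callable[[str], int]:
    """Constructed test double: replay a per-URL sequence of statuses (or exceptions);
    the last entry repeats once the sequence is exhausted."""
    state = {u: list(seq) for u, seq in script.items()}

    def fetch(url: str) -> int:
        seq = state[url]
        item = seq.pop(0) if len(seq) > 1 else seq[0]
        if isinstance(item, Exception):
            raise item
        return item
    return fetch


def demo():
    """Protected API warms up through two 503s and then answers 401; root answers 200.
    Constructed sequence, not a recorded run."""
    fetch = scripted_fetch({
        "https://dmt.progressivesurface.com/": [200],
        "https://dmt.progressivesurface.com/api/health": [503, 503, 401],
    })
    return health_gate(["https://dmt.progressivesurface.com/",
                        "https://dmt.progressivesurface.com/api/health"],
                       fetch=fetch, attempts=5, delay=0, sleep=lambda _: None)


if __name__ == "__main__":
    ok, rep = demo()
    for u, r in rep.items():
        print(f"{'PASS' if ok else 'CHECK':5} {r!s:18} {u}")
    raise SystemExit(0 if ok else 1)
```

Caveat: accepting 401 makes the gate blind to an unintended auth regression of the kind recorded in the DMT incident on this page, because a site that should be anonymous and suddenly returns 401 still "passes". For endpoints that are meant to be anonymous, pass `accept={url: {200}}` so the gate fails on exactly that symptom.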
DMT incident record (HTTP 401)
Incident
After initial auth standardization, https://dmt.progressivesurface.com returned 401 to anonymous users.
Root cause
In authsettingsV2, disabling only platform.enabled was not sufficient while globalValidation.requireAuthentication=true remained set.
Remediation
erp-migration-api authsettingsV2 was corrected to app-layer/anonymous platform mode:
- platform.enabled=false
- globalValidation.requireAuthentication=false
- globalValidation.unauthenticatedClientAction=AllowAnonymous
- identity providers disabled in v2 config
Validation
dmt.progressivesurface.com returned 200 on both / and /api/health after the fix.
Cross-site regression scan
Custom domains were scanned for similar DMT-style auth regressions.
Result:
- No additional unintended DMT-like regression identified
- quality.progressivesurface.com returns 401 with EasyAuth required; this is currently treated as intentional, auth-enforced behavior
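An added example that serves both the DMT incident record and the cross-site regression scan above (it is not the PSI scan tooling): it classifies an app's authsettingsV2 into a posture, treating only the corrected DMT combination (platform.enabled=false, requireAuthentication=false, unauthenticatedClientAction=AllowAnonymous) as anonymous and flagging platform-disabled-but-requireAuthentication=true as the DMT misconfiguration, then compares each site's posture with an unauthenticated probe result. A 401 from a site whose configuration requires EasyAuth (the quality.progressivesurface.com case) is reported as intended; a 401 from a site configured to be anonymous is a regression. The authsettingsV2 documents, the misconfigured.example.com host and the probe results are constructed for the example; the page does not record the exact pre-fix unauthenticatedClientAction value.

```python
"""Classify authsettingsV2 posture and compare it with unauthenticated probes.

Added example for this page, not the PSI scan tooling. The JSON shape follows
the authsettingsV2 resource (`az webapp auth show`). Posture rules encode the
configuration this page landed on, not a claim about the platform's internal
evaluation order. SITES and PROBES are constructed sample data.
"""

AUTH_STATUSES = (401, 403, 302)  # 302 covers RedirectToLoginPage


def classify_authsettings(cfg: dict) -> str:
    """Return one of:
    anonymous                        platform off, no requirement, AllowAnonymous (DMT after fix)
    platform-disabled-but-required   platform off but requireAuthentication still true (DMT root cause)
    anonymous-incomplete             platform off, no requirement, but action is not AllowAnonymous
    easyauth-required                platform on, requireAuthentication true, non-anonymous action
    easyauth-optional                platform on, unauthenticated requests still allowed through
    """
    props = cfg.get("properties", cfg)
    enabled = bool(props.get("platform", {}).get("enabled", False))
    gv = props.get("globalValidation", {})
    require = bool(gv.get("requireAuthentication", False))
    action = gv.get("unauthenticatedClientAction", "RedirectToLoginPage")
    if not enabled:
        if require:
            return "platform-disabled-but-required"
        return "anonymous" if action == "AllowAnonymous" else "anonymous-incomplete"
    if require and action != "AllowAnonymous":
        return "easyauth-required"
    return "easyauth-optional"


def scan(sites: dict, probes: dict) -> dict:
    """sites: {host: authsettingsV2 dict}; probes: {host: status from an unauthenticated GET}.
    Returns {host: verdict}:
      misconfig        DMT root-cause combination present (flagged regardless of probe)
      needs-review     platform off but unauthenticatedClientAction not AllowAnonymous
      ok               intended-anonymous site answered 200
      regression       intended-anonymous site answered 401/403/302 (the DMT symptom)
      unhealthy        intended-anonymous site answered something else (e.g. 5xx)
      intended-auth    EasyAuth-required site answered 401/403/302
      unexpected-open  EasyAuth-required site answered 200 to an anonymous probe
    """
    verdicts = {}
    for host, cfg in sites.items():
        posture = classify_authsettings(cfg)
        status = probes.get(host)
        if posture == "platform-disabled-but-required":
            verdicts[host] = "misconfig"
        elif posture == "anonymous-incomplete":
            verdicts[host] = "needs-review"
        elif posture in ("anonymous", "easyauth-optional"):
            if status == 200:
                verdicts[host] = "ok"
            elif status in AUTH_STATUSES:
                verdicts[host] = "regression"
            else:
                verdicts[host] = "unhealthy"
        else:  # easyauth-required
            verdicts[host] = "intended-auth" if status in AUTH_STATUSES else "unexpected-open"
    return verdicts


# Constructed authsettingsV2 documents (the exact pre-fix action value is not recorded on the page).
DMT_BEFORE = {"properties": {
    "platform": {"enabled": False},
    "globalValidation": {"requireAuthentication": True, "unauthenticatedClientAction": "Return401"},
    "identityProviders": {"azureActiveDirectory": {"enabled": True}}}}
DMT_AFTER = {"properties": {
    "platform": {"enabled": False},
    "globalValidation": {"requireAuthentication": False, "unauthenticatedClientAction": "AllowAnonymous"},
    "identityProviders": {"azureActiveDirectory": {"enabled": False}}}}
QUALITY = {"properties": {
    "platform": {"enabled": True},
    "globalValidation": {"requireAuthentication": True, "unauthenticatedClientAction": "Return401"}}}

# Constructed scan input: misconfigured.example.com is a hypothetical host carrying the pre-fix DMT config.
SITES = {"dmt.progressivesurface.com": DMT_AFTER,
         "quality.progressivesurface.com": QUALITY,
         "misconfigured.example.com": DMT_BEFORE}
PROBES = {"dmt.progressivesurface.com": 200,
          "quality.progressivesurface.com": 401,
          "misconfigured.example.com": 401}

if __name__ == "__main__":
    for host, verdict in scan(SITES, PROBES).items():
        print(f"{verdict:16} {classify_authsettings(SITES[host]):32} {host}")
```

Feeding it the exported authsettingsV2 of every custom domain plus one anonymous GET per host reproduces the scan result recorded above: the DMT root cause is caught from configuration alone, before any probe, and quality.progressivesurface.com's 401 is classified as intended rather than as a regression. The `unexpected-open` verdict is the opposite failure worth keeping in the scan: a site recorded as auth-enforced that answers 200 anonymously.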
Evidence artifacts
Source files in C:\git\azure-audit-2026-04-02\:
- rollout-ledger.csv
- remediation-status.csv
- auth-policy-matrix.csv
- deployment-validation-runs.csv
- page-access-probes.csv
- cross-site-auth-scan.csv
- exception-register.csv
- credential-rotation-register.csv
Follow-up actions
- Continue retiring app-layer-only exceptions by app, with owner and expiry
- Complete upstream/manual secret rotations tracked in credential-rotation-register.csv
- Add alert rules for App Service HTTP 5xx and latency thresholds
Related Pages
- PSI Web App Compliance Standard — Canonical implementation and compliance baseline
- azure-security — Current security posture and recommendations
- deploy-to-azure — Deployment standard and hardening baseline
- azure-resources — Resource/app registration/deployment mapping
- erp-migration — ERP Migration Tool app documentation
Last updated: April 2026