Skip to content

Set-AzWebApp is silently changing public network access settings #28211

New issue
New issue
Open
Open
Set-AzWebApp is silently changing public network access settings#28211
Labels
App Servicesaka WebSitesService AttentionThis issue is responsible by Azure service team.bugThis issue requires a change to an existing behavior in the product in order to be resolved.customer-reported
@MasterChiefmas

Description

@MasterChiefmas
MasterChiefmas
opened on Jul 17, 2025

Description

It appears that when Set-AzWebApp is called, in certain circumstances, it will change or trigger a change where the public network access value of the app is set to default. The expected behavior is that it does not affect this setting, which does not appear to be normally adjustable from this module at all.

This creates a problem in that if you have a private endpoint enabled, but also public access enabled, either all or with restrictions, reverting to default disables all public access, which we discovered the hard way. This also discards any exceptions, requiring them to all be recreated in the case that was the setting being used.

I have not tested it with all properties, but it happens with setting affinity and https only, and I suspect it will happen with any change.

I believe it will also happen without a private endpoint if public network access has been explicitly set to public, but in that case, changing to default does not impact the end result.

I don't believe this is documented as something that occurs. Additionally, changing properties from the portal does not cause this.

Edit: Did additional testing, the az cli also does not cause this silent change to happen.

Edit #2: I've realized that the source of the issue here appears to actually be in Get-AzWebApp. I just realized that the object returned from Get-AzWebApp contains a property SiteConfig which contains an object of type Microsoft.Azure.Management.WebSites.Models.SiteConfig. This object is incompletely filled out though. The PublicNetworAccess property is there, but it is always null, so when the updated app is piped back into Set-AzWebApp, it resets the value.

I may close this and open a new ticket that refers to this. I'm not sure if I should or not.

Issue script & Debug output

N/A - command succeeds

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.2
PSEdition                      Core
GitCommitId                    7.5.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     5.1.1                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…
Script     3.4.1                 Az.Websites                         {Add-AzWebAppAccessRestrictionRule, Add-AzWebAppT

Error output

N/A - command succeeds

Metadata

Metadata

Assignees

No one assigned

    Labels

    App Servicesaka WebSitesService AttentionThis issue is responsible by Azure service team.bugThis issue requires a change to an existing behavior in the product in order to be resolved.customer-reported

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions