How to add a wildcard domain to Azure FrontDoor?

Justin 20 Reputation points
2025-01-24T00:07:16.47+00:00

Hi folks,

I'm trying to add a wildcard domain (e.g. *.example.com) to our FrontDoor service.

It's so confusing. It says we have to BYOC our own Cert. We do have our own Cert and I think it's in our KeyVault.

We need to import the Certificate into the FrontDoor "Secrets" and it's never happening. We get the following error:

Failed to create the secret. Failed to create the secret 'blah'. Error: Customer key vault returned error that we do not recognize, please check the status of the provided key vault.

This is really frustrating. Can anyone please help?


Accepted answer
    Rohith Vinnakota 2,520 Reputation points Microsoft Vendor
    2025-01-24T15:39:14.1833333+00:00

    Hi @Justin,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    The error message clearly indicates that Azure Front Door lacks the necessary permissions to access the secret in your Key Vault. Follow these steps to resolve the issue:

    1. Register Azure Front Door: Register the service principal for Azure Front Door as an app in your Microsoft Entra ID (Azure AD) using Azure PowerShell or the Azure CLI. The Application Id is 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8.
    2. Grant Azure Front Door access to your key vault: In your key vault account, select Access policies and create a new access policy with Get Secret & Certificate permissions to allow Front Door to retrieve the certificate. In Select Principal, search for 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8, and select Microsoft.AzureFrontDoor-Cdn.

    To select the Azure Key Vault certificate for Azure Front Door to deploy:

    1. You need to register Azure Front Door as an app in your Microsoft Entra ID by using Microsoft Graph PowerShell or the Azure CLI.
       • This action requires you to have Global Administrator permissions in Microsoft Entra ID. The registration only needs to be performed once per Microsoft Entra tenant.
       • The application IDs of 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8 and d4631ece-daab-479b-be77-ccb713491fc0 are predefined by Azure for Azure Front Door Standard and Premium across all Azure tenants and subscriptions. Azure Front Door (classic) has a different application ID.
    2. And grant Azure Front Door access to your key vault.

    NOTE: If your key vault is protected with network access restrictions, make sure to allow trusted Microsoft services to access your key vault.

    Additional points to consider:

    • Azure Front Door doesn't support certificates with elliptic curve cryptography algorithms. Also, your certificate must have a complete certificate chain with leaf and intermediate certificates. The root CA also must be part of the Microsoft Trusted CA List.
    • We recommend that you use managed identity to allow access to your Key Vault certificates because app registration will be retired in the future.

    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#use-your-own-certificate

    https://learn.microsoft.com/en-us/azure/frontdoor/managed-identity

    Kindly let us know if the above helps or you need further assistance on this issue.

    Thanks,
    Rohith

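The accepted answer's steps as one Azure PowerShell script, added here as an example and not part of Rohith's answer or of Microsoft's documentation. It assumes the Az.Accounts, Az.Resources, Az.KeyVault and Az.Cdn modules; the vault, certificate, resource group and profile names are placeholders, and the Az.Cdn secret cmdlets at the end are used as documented for that module rather than taken from this thread.

```powershell
# Added example: Azure PowerShell for the accepted answer's steps (not from the thread).
# Requires Az.Accounts, Az.Resources, Az.KeyVault and Az.Cdn; 'contoso-*' values are placeholders.
$FrontDoorAppId = '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'  # Front Door Standard/Premium, from the answer
$VaultName      = 'contoso-kv'                            # placeholder
$CertName       = 'wildcard-example-com'                  # placeholder
$ResourceGroup  = 'contoso-rg'                            # placeholder
$ProfileName    = 'contoso-afd'                           # placeholder

Connect-AzAccount | Out-Null

# Step 1: register the Front Door service principal once per tenant (Global Administrator needed).
if (-not (Get-AzADServicePrincipal -ApplicationId $FrontDoorAppId)) {
    New-AzADServicePrincipal -ApplicationId $FrontDoorAppId | Out-Null
}

# Step 2: grant Get on secrets and certificates only; Front Door reads the certificate, nothing more.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $FrontDoorAppId `
    -PermissionsToSecrets get -PermissionsToCertificates get

# Pre-flight checks for the conditions the answer lists, run before creating the Front Door secret.
$vault = Get-AzKeyVault -VaultName $VaultName
$acls  = $vault.NetworkAcls
if ($acls.DefaultAction -eq 'Deny' -and $acls.Bypass -notmatch 'AzureServices') {
    # Network-restricted vault: trusted Microsoft services must be allowed through, or Front Door is blocked.
    Write-Warning "Vault '$VaultName' denies public access without bypassing trusted Microsoft services."
}
$cert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
if (-not $cert) { throw "Certificate '$CertName' was not found in vault '$VaultName'." }
$keyAlg = $cert.Certificate.PublicKey.Oid.FriendlyName
if ($keyAlg -ne 'RSA') {
    # Front Door does not support elliptic-curve certificates.
    throw "Certificate '$CertName' uses a $keyAlg key; Front Door requires RSA."
}

# Create the Front Door secret from the Key Vault certificate (ARM resource ID, latest version tracked).
# Cmdlet names and parameters are as documented for the Az.Cdn module, not taken from this thread.
$secretSourceId = "$($vault.ResourceId)/certificates/$CertName"
$secretParam = New-AzFrontDoorCdnSecretCustomerCertificateParametersObject -Type 'CustomerCertificate' `
    -SecretSourceId $secretSourceId -UseLatestVersion $true
New-AzFrontDoorCdnSecret -ResourceGroupName $ResourceGroup -ProfileName $ProfileName `
    -SecretName $CertName -Parameter $secretParam
```

If the access policy or the Key Vault checks fail, the "Customer key vault returned error that we do not recognize" message from the question is the expected symptom, so fix those before retrying the secret creation.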
