Azure DNS requirements for domain validation
When using Azure DNS with a certificate authority (CA) that supports the DNS-01 challenge method—such as Let's Encrypt or a custom ACMEv2 CA—Next-Gen Trust Security automates domain control validation by creating and deleting TXT records through the Azure API.
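To make the DNS-01 mechanics concrete, the following is an added example (not code from Next-Gen Trust Security or from any CA) that derives the TXT record an ACME client must publish and simulates the CA-side check. It follows RFC 8555 section 8.4 (key authorization, SHA-256, base64url) and RFC 7638 (JWK thumbprint); the JWK values, domain names and token are constructed placeholders, and the dict-backed "zone" stands in for the Azure DNS zone the product writes to through the Azure API.

```python
"""DNS-01 challenge record derivation and validation (RFC 8555 section 8.4, RFC 7638).

Added example: a dict stands in for the Azure DNS zone; all key material is constructed.
"""
import base64
import hashlib
import json

# Constructed EC public JWK; only its shape matters for the thumbprint computation.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members serialized with sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (TXT owner name, TXT value) for a DNS-01 challenge on `domain`."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # A wildcard identifier is validated at its base name (RFC 8555 section 7.1.3).
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", value


def ca_validates(zone: dict[str, list[str]], domain: str, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the TXT RRset for the challenge name and require an exact match."""
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in zone.get(name, [])


def run_challenge(zone: dict[str, list[str]], domain: str, token: str, account_jwk: dict) -> bool:
    """Client side, mirroring the automation on this page: publish, let the CA check, then clean up."""
    name, value = dns01_record(domain, token, account_jwk)
    zone.setdefault(name, []).append(value)          # create the TXT record
    result = ca_validates(zone, domain, token, account_jwk)
    zone[name].remove(value)                          # delete it once validation completes
    if not zone[name]:
        del zone[name]
    return result


if __name__ == "__main__":
    simulated_zone: dict[str, list[str]] = {}
    ok = run_challenge(simulated_zone, "*.example.com", "constructed-token", SAMPLE_ACCOUNT_JWK)
    print("validated:", ok, "| records left behind:", simulated_zone)
```

Two points the code makes visible: the TXT value is bound to the account key, so a record published for one ACME account cannot be reused by another, and the record is only needed for the duration of the challenge, which is why the page's automation deletes it afterwards.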
Required Azure properties
These Azure properties are required to enable secure automation with Azure DNS:
| Field | Purpose |
|---|---|
| Subscription ID | Identifies the Azure subscription hosting your DNS zones. |
| Resource Group | Identifies the resource group that contains those DNS zones. |
| Client ID | The application (service principal) ID registered in Azure AD. |
| Client Secret | Secret string that, with the Client ID, authenticates requests. |
| Tenant ID | Identifies your Azure Active Directory instance. |
Required permissions
To allow Next-Gen Trust Security to create and manage TXT records automatically, you must:
- Create a service principal (Azure AD application).
- Assign it the DNS Zone Contributor role at either the resource-group or DNS-zone scope.
This role lets Next-Gen Trust Security:
- Read DNS zones and records
- Create TXT records for validation
- Update or delete those records when validation completes
Tip: Need help creating a service principal? See Microsoft's guide.
You may need assistance from your Azure administrator to create the principal and assign roles.
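The scope choice above (resource group or DNS zone, not subscription) is the least-privilege point worth verifying after the Azure administrator has assigned the role. The following is an added example, not part of this documentation or the product, that checks role assignments for the service principal against that expectation. It assumes the input has the shape of `az role assignment list --assignee <client-id> --all -o json` objects (at least `roleDefinitionName` and `scope`); the subscription ID, resource group and zone names are constructed placeholders, and the set of roles treated as over-broad is the author's choice.

```python
"""Least-privilege audit of Azure RBAC assignments for the DNS-01 service principal.

Added example. Input records mimic `az role assignment list` JSON (roleDefinitionName, scope);
sample values below are constructed.
"""
from dataclasses import dataclass

DNS_ZONE_CONTRIBUTOR = "DNS Zone Contributor"
# Roles that grant far more than TXT-record management; flagged wherever they appear.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator", "Network Contributor"}


def resource_group_scope(subscription_id: str, resource_group: str) -> str:
    """ARM scope string for a resource group."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def dns_zone_scope(subscription_id: str, resource_group: str, zone: str) -> str:
    """ARM scope string for a single public DNS zone (resource type Microsoft.Network/dnszones)."""
    return f"{resource_group_scope(subscription_id, resource_group)}/providers/Microsoft.Network/dnszones/{zone}"


@dataclass(frozen=True)
class Finding:
    severity: str  # "ok", "excessive" or "missing"
    role: str
    scope: str
    reason: str


def audit_assignments(assignments: list[dict], subscription_id: str, resource_group: str, zones: list[str]) -> list[Finding]:
    """Classify each assignment and report zones with no covering DNS Zone Contributor grant."""
    rg_scope = resource_group_scope(subscription_id, resource_group).lower()
    zone_prefix = rg_scope + "/providers/microsoft.network/dnszones/"
    covered: set[str] = set()
    findings: list[Finding] = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        s = scope.lower()  # ARM IDs are case-insensitive
        if role in BROAD_ROLES:
            findings.append(Finding("excessive", role, scope, "role grants far more than TXT record management"))
        elif role != DNS_ZONE_CONTRIBUTOR:
            findings.append(Finding("excessive", role, scope, "role is not needed for DNS-01 automation"))
        elif s == rg_scope:
            covered.update(z.lower() for z in zones)
            findings.append(Finding("ok", role, scope, "DNS Zone Contributor at resource-group scope"))
        elif s.startswith(zone_prefix):
            covered.add(s.rsplit("/", 1)[1])
            findings.append(Finding("ok", role, scope, "DNS Zone Contributor at zone scope"))
        else:
            findings.append(Finding("excessive", role, scope, "scope is broader than the DNS resource group"))
    for z in zones:
        if z.lower() not in covered:
            findings.append(Finding("missing", DNS_ZONE_CONTRIBUTOR, z, "no assignment covers this zone; validation will fail"))
    return findings


# Constructed sample: one correctly scoped grant plus an over-broad one.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": DNS_ZONE_CONTRIBUTOR,
     "scope": dns_zone_scope(SAMPLE_SUBSCRIPTION, "dns-rg", "example.com")},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
]

if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION, "dns-rg", ["example.com", "example.net"]):
        print(f"[{f.severity:9}] {f.role} @ {f.scope}: {f.reason}")
```

Run it against the real assignment list once the principal exists; any `excessive` finding means the Client Secret, if leaked, would let an attacker do more than create and delete validation records, and any `missing` finding explains a validation that fails even though the credentials are correct.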