Azure – Front Door, Custom Domain - BYOC-In Secret not able to add the certificate

Rajasekar K 6 Reputation points
2022-12-02T04:42:09.58+00:00

I'm trying to set up a custom domain in Azure Front Door using a "GoDaddy" issued certificate. I followed the steps given in the Microsoft links below.

https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain
https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal

Note that there is no firewall enabled on Key Vault, the service principal is added, the access policy is set (Get & List for Secrets & Certificates), and my account also has full access to Key Vault.

After successfully adding the certificate in the Key Vault, I am trying to add the certificate in the Secrets section of Front Door, but I am not able to add it; I get the error message attached.
[Screenshot of the error message]


1 answer

  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2022-12-05T13:28:35.067+00:00

    Hello @Rajasekar K ,

    I understand that you are trying to set up a custom domain in Azure Front Door and you have already added the service principal & access policy in your Key Vault, but when trying to add the GoDaddy issued certificate in the secret section of Front Door, you are getting the following error: "Failed to create the secret. We don't have permission to access this secret. Go to access policies in your key vault account to give Microsoft.AzureFrontDoor-cdn or managed identities permission to get secrets".

    To be able to add the certificate to the secret section of Front Door, the 2 steps below must be completed first, and sometimes it may take more than 1 try. So I request that you check whether both of the steps below have been completed, re-try them just to be sure, and then try adding the certificate:

    1) Register Azure Front Door:
    Register the service principal for Azure Front Door as an app in your Azure Active Directory (Azure AD) by using Azure PowerShell or the Azure CLI.
    The Application Id is "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#register-azure-front-door

    2) Grant Azure Front Door access to your key vault:
    In your key vault account, select Access policies and create a new access policy with Get Secret & Certificate permissions to allow Front Door to retrieve the certificate. In Select principal, search for 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8, and select Microsoft.AzureFrontDoor-Cdn.
    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#grant-azure-front-door-access-to-your-key-vault

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

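The two steps in the answer above, done from Azure PowerShell instead of the portal and followed by a check that the resulting access policy really grants Get on secrets and certificates to the Front Door principal. This is an added example, not code from the post or from the Microsoft docs it links. It assumes the Az.Resources and Az.KeyVault modules are installed, Connect-AzAccount has been run as an account that can register service principals in the tenant and edit the vault's access policies, and `$VaultName` is a placeholder for your own Key Vault name. The application id is the one quoted in the answer.

```powershell
# Added example (not from the Q&A post or the Front Door docs). Assumes Az.Resources and
# Az.KeyVault are installed and Connect-AzAccount has already been run.
param(
    # Placeholder: replace with the name of your own Key Vault.
    [Parameter(Mandatory = $true)] [string] $VaultName
)

# Well-known application id of the Azure Front Door service principal (quoted in the answer).
$AfdAppId = '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'

# Step 1: register the Front Door service principal in this tenant.
# Idempotent: look it up first, because creating it a second time fails.
$sp = Get-AzADServicePrincipal -ApplicationId $AfdAppId
if (-not $sp) {
    $sp = New-AzADServicePrincipal -ApplicationId $AfdAppId
    Write-Host "Registered Microsoft.AzureFrontDoor-Cdn, object id $($sp.Id)"
} else {
    Write-Host "Microsoft.AzureFrontDoor-Cdn already registered, object id $($sp.Id)"
}

# Step 2: grant the vault access. Front Door only needs Get on secrets and certificates;
# List is not required, so it is deliberately left out (least privilege).
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) {
    throw "Key Vault '$VaultName' not found in the current subscription."
}
if ($vault.EnableRbacAuthorization) {
    # Access policies are ignored on RBAC-model vaults; a data-plane role assignment
    # (e.g. 'Key Vault Secrets User') to object id $sp.Id is needed instead.
    throw "Vault '$VaultName' uses the RBAC permission model; access policies do not apply."
}
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id `
    -PermissionsToSecrets get -PermissionsToCertificates get

# Check: re-read the vault and confirm the policy entry for the Front Door principal
# carries Get on both secrets and certificates (this is what the portal error is about).
$vault  = Get-AzKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
$hasSecretGet = ($null -ne $policy) -and ($policy.PermissionsToSecrets -contains 'get')
$hasCertGet   = ($null -ne $policy) -and ($policy.PermissionsToCertificates -contains 'get')
if ($hasSecretGet -and $hasCertGet) {
    Write-Host "OK: Front Door can Get secrets and certificates from '$VaultName'"
} else {
    Write-Warning ("Access policy for object id {0} is incomplete: secrets=[{1}] certificates=[{2}]" -f `
        $sp.Id, ($policy.PermissionsToSecrets -join ','), ($policy.PermissionsToCertificates -join ','))
}
```

The policy is matched on the service principal's object id rather than its application id, because that is what Key Vault stores in an access policy entry; searching the portal for the application id, as the answer describes, resolves to the same object. If the vault also has a firewall, the asker's note that none is enabled matters: a policy that passes this check can still be blocked at the network layer.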
