Azure App Service managed certificates change unclear

A L 20 Reputation points
2025-07-23T02:24:23.08+00:00

In the email "Upcoming policy updates will impact Azure App Service managed certificates starting 28 July 2025"

It mentions that I would need to take action if "Your app uses nested or external endpoints". External endpoints isn't a term used in the configuration of App Services, at least in the portal. The closest I can see is in the networking section "Enabled with no access restrictions", which is the default.

I don't see a product in the portal called Azure Endpoints, just Private Endpoints.

Can I get some clarification?

Azure App Service

Azure App Service is a service used to create and deploy scalable, mission-critical web apps.


Answer accepted by question author

  1. Bhargavi Naragani 7,940 Reputation points Microsoft External Staff Moderator
    2025-07-23T06:06:58.4566667+00:00

    Hi A L,

    The email you received refers to upcoming industry-mandated changes impacting Azure App Service Managed Certificates (ASMC) starting July 28, 2025, due to DigiCert's move to a new multi-perspective issuance corroboration (MPIC) platform. This change only affects App Service Managed Certificates (ASMC) and not third-party certificates like those from GoDaddy (Microsoft.CertificateRegistration RP).

    External endpoints and Azure endpoints refer specifically to Azure Traffic Manager (ATM) configurations, not directly to App Services or Private Endpoints.

    In Traffic Manager, there are three endpoint types:

    • Azure Endpoints: These directly connect to Azure resources (like an Azure Web App).
    • External Endpoints: These point to services outside Azure, like an on-prem server or a public web service.
    • Nested Endpoints: These refer to another Traffic Manager profile.

    So, if your app uses Traffic Manager and its endpoints are configured as External or Nested, ASMC will not work after July 28.

    • Ensure your endpoint is of type “Azure Endpoint.”
    • If you're using External or Nested Endpoints, you’ll need to either restructure your setup to use Azure Endpoints, or use a custom SSL certificate (not an ASMC).

    If your app is not using Traffic Manager at all, and it's publicly accessible without restrictions (i.e., no IP filtering, no private endpoints, etc.), you're not impacted by this scenario.

    1. Navigate to your Traffic Manager Profile in the Azure Portal.
    2. Click on Endpoints.
    3. Review each endpoint type listed.
      • If it's marked as Azure Endpoint, you're in a good state.
      • If it says External or Nested, you’ll need to switch or use your own certificate.

    Traffic Manager Endpoint Types
    Azure App Service Managed Certificates Overview

    changes to Azure Service Managed Certificates (ASMS) that will apply from 28 July 2025

    Hope this helps. If you have any further concerns or queries, please feel free to reach out to us.

    2 people found this answer helpful.
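
The per-profile portal review in the answer above can be run across a whole subscription from exported JSON. This is an added example, not part of the original answer or Microsoft tooling: it assumes the input has the shape of `az network traffic-manager profile list -o json` (each profile carrying an `endpoints` array whose `type` ends in `azureEndpoints`, `externalEndpoints` or `nestedEndpoints`), and the profile and host names in the sample are constructed.

```python
import json

# Constructed sample, shaped like `az network traffic-manager profile list -o json`
# output (assumption: each profile carries an "endpoints" array with a "type" field).
SAMPLE = json.loads("""
[
  {"name": "tm-shop", "resourceGroup": "rg-web", "endpoints": [
    {"name": "app-weu", "type": "Microsoft.Network/trafficManagerProfiles/azureEndpoints",
     "target": "shop-weu.azurewebsites.net"},
    {"name": "onprem", "type": "Microsoft.Network/trafficManagerProfiles/externalEndpoints",
     "target": "legacy.example.com"}]},
  {"name": "tm-global", "resourceGroup": "rg-web", "endpoints": [
    {"name": "child", "type": "Microsoft.Network/trafficManagerProfiles/nestedEndpoints",
     "target": "tm-shop.trafficmanager.net"}]},
  {"name": "tm-api", "resourceGroup": "rg-api", "endpoints": [
    {"name": "api-eus", "type": "Microsoft.Network/trafficManagerProfiles/azureEndpoints",
     "target": "api-eus.azurewebsites.net"}]}
]
""")

# Endpoint kinds the answer says will not work with ASMC after the change.
NEEDS_ACTION = {"externalendpoints", "nestedendpoints"}
OK = {"azureendpoints"}

def endpoint_kind(ep):
    """Last segment of the ARM resource type, lower-cased; '' if missing."""
    return (ep.get("type") or "").rsplit("/", 1)[-1].lower()

def review_profiles(profiles):
    """Return (flagged, unknown) lists of (profile, endpoint, kind, target)."""
    flagged, unknown = [], []
    for prof in profiles:
        for ep in prof.get("endpoints") or []:
            kind = endpoint_kind(ep)
            row = (prof.get("name"), ep.get("name"), kind, ep.get("target"))
            if kind in NEEDS_ACTION:
                flagged.append(row)
            elif kind not in OK:
                unknown.append(row)  # never treat an unrecognized type as fine
    return flagged, unknown

if __name__ == "__main__":
    flagged, unknown = review_profiles(SAMPLE)
    for prof, ep, kind, target in flagged:
        print(f"ACTION  {prof}/{ep}: {kind} -> {target}")
    for prof, ep, kind, target in unknown:
        print(f"CHECK   {prof}/{ep}: unrecognized type {kind!r}")
```

Any row reported as ACTION is an endpoint that, per the answer, needs to be converted to an Azure Endpoint or moved to a custom certificate.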
