APIM custom domain registration fails

Georgi D 25 Reputation points
2026-04-10T22:05:38.5566667+00:00

Hello Everyone,

When trying to add a custom domain to APIM (with a custom certificate provisioned in the Key Vault), after clicking on the Save button, initially it looks like it was successfully added, but a few seconds later, it disappears.
The APIM enters Updating state for about 22 minutes and after that an error is observed in the Activity Log:

Unable to Update API service at this time. Please check resource group deployment logs for specific errors, correct them and try again.

Here is the correlation Id:

correlationId 09eaadd4-dccc-4a66-b568-22cbef86fe05 and TimeStamp 4/10/2026 8:46:02 PM

A few things to mention:

  • the provisioned certificate has been verified and is OK
  • managed system identity has been assigned with the required role for reading certificates from the Key Vault
  • CNAME DNS record was created pointing to <apim-service-name>.azure-api.net
  • following the recommendation in this article, an apimuid TXT record was also created, but it didn't solve the problem
  • the issue is with one specific custom domain, which was previously assigned to App Service (Function App). The assignment has been removed, also the corresponding asuid TXT DNS record was deleted.

Is there any way to get more information out of this error?
If you need more information on our side, just let me know.

Kindest regards,

Georgi

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


Answer accepted by question author

Rakesh Mishra 9,680 Reputation points Microsoft External Staff Moderator
2026-04-10T23:22:07.7233333+00:00

Hi Georgi,

Thank you for providing those details. We connected over email, and with the help of the backend team the issue is now resolved, as confirmed.

Below is a summary of the issue and the resolution.

Issue:
The custom domain still had a TXT record, but it pointed to the wrong value.

Resolution steps taken:

Verify the domain ownership by creating a DNS TXT record as below:

  • Record name: asuid.xxx.xxx.xxxx.xxx.com
  • Required value:  XXXXXXXXXXXXXXXXX

Also, please create a CNAME record pointing the custom host name to the APIM default name and then retry the operation.

Performed a new test and this time it worked! The custom domain was successfully added to the APIM!

But ideally, if the right CNAME record is set up without a TXT record, the issue would not happen.

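A pre-flight check for the DNS state described in the accepted answer, as an added example that is not part of the original thread or of Microsoft's tooling: it confirms the CNAME target and flags a leftover `asuid`/`apimuid` TXT record whose value differs from the expected one. The function names, the return codes and the case-insensitive value comparison are assumptions; the hostnames and expected values are supplied by the operator.

```shell
#!/bin/sh
# Added example: DNS pre-flight before binding a custom hostname to APIM.
# Requires dig. Nothing runs at load time; call preflight with your own values:
#   preflight <custom-host> <apim-service-name>.azure-api.net <asuid-value> <apimuid-value>

# lookup TYPE NAME: print answers one per line, without quotes or trailing dot.
lookup() {
    dig +short "$2" "$1" | tr -d '"' | sed 's/\.$//'
}

# check_cname HOST APIM_DEFAULT_HOST: 0 if the CNAME target matches, else 1.
check_cname() {
    actual=$(lookup CNAME "$1" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        echo "OK    CNAME $1 -> $actual"; return 0
    fi
    echo "FAIL  CNAME $1 -> '${actual:-<none>}' (expected $expected)"; return 1
}

# check_txt PREFIX HOST EXPECTED
#   0 = every TXT value matches, 1 = stale/wrong value present, 2 = no record.
# Values are compared case-insensitively (assumption made for this example).
check_txt() {
    name="$1.$2"
    values=$(lookup TXT "$name")
    if [ -z "$values" ]; then
        echo "INFO  no TXT record at $name"; return 2
    fi
    stale=$(printf '%s\n' "$values" | grep -Fxiv -- "$3" || true)
    if [ -n "$stale" ]; then
        echo "FAIL  TXT $name has unexpected value(s): $stale"; return 1
    fi
    echo "OK    TXT $name matches expected value"; return 0
}

# preflight HOST APIM_DEFAULT_HOST ASUID_EXPECTED APIMUID_EXPECTED
# Fails on a wrong CNAME or a mismatched TXT; an absent TXT is informational.
preflight() {
    fail=0
    check_cname "$1" "$2" || fail=1
    check_txt asuid   "$1" "$3" || [ $? -ne 1 ] || fail=1
    check_txt apimuid "$1" "$4" || [ $? -ne 1 ] || fail=1
    return "$fail"
}
```

Query the zone's authoritative name server if a recently changed record might still be cached by the local resolver.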


1 additional answer

  1. AI answer

    2026-04-10T22:05:55.45+00:00

    The behavior matches a failed hostname update when using a Key Vault certificate with API Management. The most common cause in this scenario is that the API Management managed identity still doesn’t have effective permission to read the certificate/secret in the target Key Vault, even if it appears configured.

    Use the following checks and fixes end‑to‑end:

    1. Verify the managed identity is enabled on the APIM instance
      1. In Azure portal, open the API Management instance.
      2. Under Security → Managed identities, confirm Status is set to On.
    2. Confirm Key Vault access policy (or equivalent permission model)
      1. Open the Key vaults resource that stores the custom-domain certificate.
      2. Go to Access policies.
      3. Look for a service principal whose name matches the API Management instance.
      4. Open that entry and verify:
        • Secret permissions includes at least Get.
        • Key permissions and Certificate permissions are not required for this scenario.
      5. If the APIM identity is missing:
        • Select Add access policy.
        • Configure from template: None.
        • Select principal: search for the API Management instance name and select it.
        • Secret permissions: select Get.
        • Key permissions: None.
        • Certificate permissions: None.
        • Select OK, then Save to apply the policy.
    3. Retry adding the custom domain with the Key Vault certificate
      1. Return to the API Management instance → Custom domains.
      2. Reconfigure the hostname using the certificate from the same Key Vault/secret.
      3. Save and wait for the update to complete.

    If the original failure was due to Key Vault access being forbidden, correcting the managed identity and access policy as above resolves the “Failed to update API Management service hostnames”–type errors and allows the custom domain to remain configured.

    If the issue persists after confirming the above, check for:

    • Any network restrictions that might block APIM from reaching the Key Vault (for example, if APIM is in a VNET and Key Vault isn’t reachable). The documentation notes that hostname certificate retrieval from Key Vault can fail if connectivity or configuration changes prevent APIM from fetching the certificate; once configuration is corrected, APIM refreshes the hostname certificate within a few hours.

    Because the domain was previously used on App Service, also ensure there is no conflicting binding on other Azure resources, but for the specific APIM error pattern described, Key Vault access for the APIM managed identity is the primary focus.

