Hello Shib,
Thank you for reaching out on Microsoft Q&A!
To answer your follow-up question first: There is no mandatory Azure-enforced wait time required between deleting a custom domain from one API Management (APIM) instance and adding it to another.
However, the "silent deletion" you are experiencing occurs because Azure API Management performs an asynchronous validation after you save the custom domain. If any validation step fails in the background, APIM silently rolls back the operation, removing the hostname to prevent the gateway from entering an unstable state.
Based on official Microsoft documentation, here are the most common reasons this background validation fails during a migration to a Standard V2 instance, and how to resolve them:
1. Stale DNS Records and Propagation (Most Common): Even though there is no wait time on the Azure platform, you must wait for your DNS changes to propagate. If APIM checks the domain and the CNAME or TXT record still resolves to your old UK South Premium APIM, the validation will fail and the domain will be dropped.
- If using a Free Managed Certificate: You must update the TXT record for the new V2 instance. As noted in the official documentation:
"When enabling the free, managed certificate for API Management, also configure a TXT record in your DNS zone to establish your ownership of the domain name. The name of the record is your custom domain name prefixed by apimuid... The value is a domain ownership identifier provided by your API Management instance."
- Resolution: Ensure the CNAME points to the new UK West V2 default endpoint and the apimuid TXT record has been updated. Allow time for DNS propagation.
2. Key Vault Permissions for the New V2 Instance: If you are using a custom certificate stored in Azure Key Vault, your new UK West Standard V2 APIM must have explicit permissions to read it. Because this is a new APIM instance, it has a completely different Managed Identity than your old UK South APIM.
- As per the documentation:
"Depending on the permission model, configure either a key vault access policy or Azure RBAC access for an API Management managed identity."
- Resolution: If the new V2 identity lacks Get and List permissions for Secrets/Certificates in the Key Vault, the deployment will silently fail. Update your Key Vault Access Policies or RBAC role assignments to include the new UK West APIM identity.
3. Finding the Exact Error: Because the APIM portal silently drops the domain, you can find the actual error causing the rollback by looking at the Deployment logs:
- Navigate to the Resource Group containing your new UK West V2 APIM.
- Click on Deployments under the Settings menu on the left.
- Find the recent failed deployment (timestamped right after the custom domain disappeared).
- Look at the Operation details, which will reveal the specific error (e.g., KeyVaultAccessDenied, CertificateNotFound, or Hostname already in use).
Once DNS has fully propagated to the new instance and Key Vault permissions are confirmed, the asynchronous validation will succeed and the domain will persist.
Note: This response is drafted with the help of AI systems.
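
A pre-flight check for the DNS conditions described in point 1, as an added example that is not part of the original answer or of Microsoft's tooling. It evaluates the CNAME and apimuid TXT answers a resolver returns before the custom domain is saved on the new instance; the hostnames, gateway names and ownership identifiers are constructed placeholders, and the `dig_short` helper assumes `dig` is installed.

```python
import subprocess

def dig_short(name, rtype):
    """Live lookup with `dig +short` (assumes dig is installed); unused by the sample."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line.strip()]

def host(name):
    """Normalise a DNS name: dig prints a trailing dot, and names are case-insensitive."""
    return name.strip().rstrip(".").lower()

def preflight(hostname, new_gateway, old_gateway, cname_answers,
              ownership_id=None, txt_answers=()):
    """Return the problems that would make the background validation fail.

    ownership_id is only needed for the free managed certificate; None skips
    the apimuid TXT check.
    """
    problems = []
    targets = [host(a) for a in cname_answers]
    if not targets:
        problems.append(f"{hostname}: no CNAME answer yet")
    elif host(old_gateway) in targets:
        problems.append(f"{hostname}: CNAME still resolves to old instance {old_gateway}")
    elif host(new_gateway) not in targets:
        problems.append(f"{hostname}: CNAME is {targets[0]}, expected {new_gateway}")
    if ownership_id is not None:
        # TXT data is case-sensitive; only strip the quotes dig adds.
        values = [a.strip().strip('"') for a in txt_answers]
        if ownership_id not in values:
            problems.append(f"apimuid.{hostname}: TXT lacks the new instance's identifier")
    return problems

# Constructed sample values (hypothetical names and placeholder identifiers).
HOST = "api.example.com"
OLD = "contoso-uksouth.azure-api.net"
NEW = "contoso-ukwest.azure-api.net"
NEW_ID = "NEW-INSTANCE-OWNERSHIP-ID"

# Resolver still serving the pre-migration records.
STALE = preflight(HOST, NEW, OLD, ["contoso-uksouth.azure-api.net."],
                  NEW_ID, ['"OLD-INSTANCE-OWNERSHIP-ID"'])
# Same check once the new records are visible.
READY = preflight(HOST, NEW, OLD, ["Contoso-UKWest.azure-api.net."],
                  NEW_ID, ['"NEW-INSTANCE-OWNERSHIP-ID"'])

if __name__ == "__main__":
    print("stale:", STALE)
    print("ready:", READY)
```

For a live check, pass `dig_short(hostname, "CNAME")` and `dig_short("apimuid." + hostname, "TXT")` as the answer lists, and repeat against more than one resolver since caches expire at different times.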