Share via

Cannot migrate Azure CDN profile to Front Door. Step 4 fails when trying to access a resource group that no longer exists.

M. L 20 Reputation points
2025-04-24T23:07:58.36+00:00

Cannot migrate Azure CDN profile to Front Door.

Screenshot Azure Error

I believe I found the cause: a legacy custom domain pointing to a certificate in a key vault in a resource group that no longer exists. Why it didn't update the key vault resource group when I moved it years ago, idk.

I am unable to remove the certificate reference, because it's linked to a domain associated with the CDN profile- which I cannot edit due to this migration.

How do I solve this?

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
826 questions
Accepted answer
  1. Sina Salam 20,106 Reputation points Moderator
    2025-04-25T02:03:25.0466667+00:00

    Hello M. L,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you Cannot migrate Azure CDN profile to Front Door. Step 4 fails when trying to access a resource group that no longer exists.

    You would have some steps below to resolve the issue:

    1. If you haven’t already, try to abort the stuck migration by using the bash command: az cdn profile-migration abort --ids <CDN profile resource ID>
    2. If the migration has been aborted and you still cannot delete the custom domain use this PowerShell script: Register-AzProviderFeature -ProviderNamespace Microsoft.Cdn -FeatureName BypassCnameCheckForCustomDomainDeletion Then: Remove-AzCdnCustomDomain -EndpointName <endpoint> -ProfileName <profile> -ResourceGroupName <rg> -Name <domainName>
    3. Since the original Key Vault resource group no longer exists but Azure still references it, use Azure Resource Graph Explorer or REST API to find stale links: 
         Resources
   | where type == "Microsoft.Cdn/profiles/endpoints/customDomains"
   | project name, id, properties
      • Look for references in the customHttpsParameters pointing to the old Key Vault.
      • You cannot remove or update this if migration is still in progress. Aborting is required. If unsuccessful:
      • Open a support ticket via Priority Customer Support (PCS): The stale reference must be removed from the CDN endpoint metadata, which only Microsoft Support can do in some cases.
    4. Once the domain is deleted and the certificate/key vault reference is cleared:
      • Create a new custom domain or update your DNS records and restart the migration via portal or CLI.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.