![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 84%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,473 questions
Hello Julien !
Thank you for posting on Microsoft Learn.
What’s happening?
$ConfirmUrl always builds the link from the first host name that APIM considers to be the “developer-portal” endpoint.
On a new portal that’s the built-in host <service>.developer.azure-api.net.
On an old/legacy portal it’s …portal.azure-api.net – that host was retired in October 2023, so it now serves a wild-card certificate that modern browsers flag as “unsafe” and then returns 503 / Service Unavailable. ([github.com](https://github.com/Azure/api-management-developer-portal/issues/1157"Guest user verification failed · Issue #1157 · Azure/api-management-developer-portal · GitHub"), [learn.microsoft.com](https://learn.microsoft.com/en-us/azure/api-management/developer-portal-self-host"Self-host the API Management developer portal - Azure API Management | Microsoft Learn"))
Because the host is wrong, the link both triggers a certificate warning and cannot resolve to a running site exactly what your users see.
How to fix it ?
Move the developer portal to the right host name (either the modern built-in one or your own custom domain).
Azure portal → your APIM → Custom domains → “Developer portal”.
Add portal.mycompany.com (or whatever you want) and upload/assign a TLS cert.
Make sure a CNAME in DNS points that name to the APIM gateway host.
Save – the APIM infrastructure update can take 15-30 min. ([learn.microsoft.com](https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain"Configure custom domain name for Azure API Management instance - Azure API Management | Microsoft Learn"))
Republish the portal (Developer portal → “Publish”) so that APIM marks the new host as the active one.
Send a new invitation – $ConfirmUrl will now come back as
https://portal.mycompany.com/confirm-v2/identities/basic/invite?...
with a valid cert and will open the sign-up page without errors.
If you can’t wait for the infrastructure change (or you’re self-hosting the portal), edit the Invite user email template:
<!-- old -->
<a href="$ConfirmUrl">$ConfirmUrl</a>
<!-- updated -->
<a href="https://portal.mycompany.com/confirm-v2/identities/basic/invite?$ConfirmQuery">
https://portal.mycompany.com/confirm-v2/identities/basic/invite?$ConfirmQuery
</a>
$ConfirmQuery is just the long query-string; you prepend the correct base URL and it is the same pattern is recommended by Microsoft for self-hosted portals – see the official docs snippet below. ([learn.microsoft.com](https://learn.microsoft.com/en-us/azure/api-management/developer-portal-self-host"Self-host the API Management developer portal - Azure API Management | Microsoft Learn"))
Why not just keep using $ConfirmUrl?
Because APIM currently has no setting that lets you rename the built-in host; the macro will always fall back to the obsolete portal.azure-api.net if that host is still registered internally. Overriding the link or assigning a proper custom domain are therefore the only reliable options. The APIM team have an open item about this behaviour (see GitHub issue #1157). ([github.com](https://github.com/Azure/api-management-developer-portal/issues/1157"Guest user verification failed · Issue #1157 · Azure/api-management-developer-portal · GitHub"))