Azure Storage
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,539 questions
Indirect CNAME validation for custom domain in Storage Accounts not working?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 31%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Aditya Dhole
1
Reputation point
I am trying to map a custom domain to a Azure Storage blob service endpoint using indirect CNAME validation. For the purposes of this question, assume that the custom domain is www.example-domain.com. As per the official Azure documentation, I have created a CNAME record with my domain registrar, mapping the "asverify.www" subdomain to "asverify.<storage_account_name>.blob.core.windows.net.
Post this, I have logged on the Azure Portal and navigated to my storage account. There, under the Networking tab, I have selected the custom domain tab, and have entered the custom domain URL (www.example-domain.com). Since I want to use the Indirect CNAME Validation option, I checked the corresponding checkbox and clicked on 'Save'. I got a notification saying that the operation was successful.
However, when I inspect the Resource JSON of the storage account, I cannot see the parameter 'use_subdomain' or 'use_subdomain_name', which indicates whether indirect CNAME validation is set or not. Even when I retrieve the details of my storage account via Azure CLI, it shows the 'custom_domain' block within which, the name parameter is set to the custom domain URL, but the 'use_subdomain_name' parameter is set to null.
Please find the screenshot of the Resource JSON and output from Azure CLI below. These have been captured after the custom domain was successfully mapped to the blob storage endpoint, with indirect CNAME validation set to true (through Portal)
Resource JSON - Azure Portal
Azure CLI - output of command "az storage account show --ids <my-storage-account-id>"
(Relevant part is highlighted in bold)
{
"accessTier": "Hot",
"allowBlobPublicAccess": false,
"azureFilesIdentityBasedAuthentication": {
"activeDirectoryProperties": {
"azureStorageSid": "S-1-5-21-41432690-3719764436-1984117282-2110",
"domainGuid": "b63b4f44-58b9-49cf-8911-b36e8575d5eb",
"domainName": "User01",
"domainSid": "S-1-5-21-41432690-3719764436-1984117282",
"forestName": "User01.com",
"netBiosDomainName": "USER01"
},
"directoryServiceOptions": "AD"
},
"blobRestoreStatus": null,
"creationTime": "2021-07-23T06:04:02.212232+00:00",
"customDomain": {
"name": "www.example-domain.com",
"useSubDomainName": null
},
"enableHttpsTrafficOnly": false,
"encryption": {
"keySource": "Microsoft.Storage",
"keyVaultProperties": null,
"requireInfrastructureEncryption": null,
"services": {
"blob": {
"enabled": true,
"keyType": "Account",
"lastEnabledTime": "2021-07-23T06:04:02.305920+00:00"
},
"file": {
"enabled": true,
"keyType": "Account",
"lastEnabledTime": "2021-07-23T06:04:02.305920+00:00"
},
"queue": null,
"table": null
}
},
"failoverInProgress": null,
"geoReplicationStats": null,
"id": "/subscriptions<subscription-id>/resourceGroups/AZ-900RG/providers/Microsoft.Storage/storageAccounts/example266072021",
"identity": {
"principalId": null,
"tenantId": null
},
"isHnsEnabled": false,
"kind": "StorageV2",
"largeFileSharesState": null,
"lastGeoFailoverTime": null,
"location": "eastus",
"minimumTlsVersion": "TLS1_0",
"name": "example266072021",
"networkRuleSet": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"ipRules": [],
"resourceAccessRules": [],
"virtualNetworkRules": []
},
"primaryEndpoints": {
"blob": "https://example266072021.blob.core.windows.net/",
"dfs": "https://example266072021.dfs.core.windows.net/",
"file": "https://example266072021.file.core.windows.net/",
"internetEndpoints": null,
"microsoftEndpoints": null,
"queue": "https://example266072021.queue.core.windows.net/",
"table": "https://example266072021.table.core.windows.net/",
"web": "https://example266072021.z13.web.core.windows.net/"
},
"primaryLocation": "eastus",
"privateEndpointConnections": [],
"provisioningState": "Succeeded",
"resourceGroup": "AZ-900RG",
"routingPreference": null,
"secondaryEndpoints": null,
"secondaryLocation": null,
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"statusOfPrimary": "available",
"statusOfSecondary": null,
"tags": {},
"type": "Microsoft.Storage/storageAccounts"
Could someone please let me know why this is happening, or if this is the intended behaviour (because in case of Resource JSON, even when indirect CNAME validation is set to false, the JSON does not contain the 'use_subdomain'/'use_subdomain_name' parameter)
Thanks in advance!
Azure Storage
{count} votes
-
Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator2021-07-26T12:25:16.253+00:00 @Aditya Dhole Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.. I am checking on this thread
-
Aditya Dhole 1 Reputation point
2021-07-27T05:49:51.193+00:00 Hi, any updates on this?
-
Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator
2021-07-27T07:05:42.727+00:00 @Aditya Dhole
think this is the reason why get storage account is not reflecting this info(Can you cross verify the Storage account again) before we start the further troubleshootingAlso check the REST doc: https://learn.microsoft.com/en-us/rest/api/storagerp/storage-accounts/update#customdomain
-
Aditya Dhole 1 Reputation point
2021-07-27T08:59:44.79+00:00 Yes, I have seen this before. This instruction actually confuses me, though I have followed it. The instruction mentioned in the screenshot and the REST doc means that the custom domain can be set only when we update an existing storage account, correct? That is my understanding of this statement.
If that is correct, I have been following this instruction. I create a new storage account, and then try to update it with a custom domain (with or without CNAME validation). As mentioned before, in both cases, the operation succeeds (I get a notification from the portal saying so) and this also gets reflected in the Resource JSON (with the 'custom_domain' block containing the name of the custom domain, but not containing the 'use_subdomain' parameter which would indicate whether the CNAME validation checkbox is selected or not)
Same happens when we retrieve storage account details via Azure CLI. The 'use_subdomain_name' parameter is set to null (which is wrong, since it should be 'true'/'false' as set through the Portal)
Could you please confirm if the 'use_subdomain_name' parameter is visible in the Resource JSON /Azure CLI output of the storage account on your side, when you configure a custom_domain in the account and what is its value?
-
Aditya Dhole 1 Reputation point
2021-07-27T11:59:08.61+00:00 any updates?
Sign in to comment
Sign in to answer