Hello @Luis Nishimori
When a custom domain shows up as Rejected in Azure Front Door, it means the certificate authority actually refused to issue the managed certificate for your domain. It isn’t just a DNS lookup problem—it’s a CA-level rejection. Here’s what you can check and try:
Click the “Rejected” status in the portal
- In your Front Door profile under Settings → Domains, click the domain name, then click the Rejected link.
- On the validation page, hit Regenerate. This gives you a fresh TXT validation token.
Verify you’re using the correct TXT record format
- For Front Door (both Classic and Standard/Premium), the TXT record name must be _dnsauth.<your-subdomain> (not asuid or any other prefix).
- Paste the new token exactly as shown in the portal.
- Set TTL to something low (e.g. 3600 seconds) so changes propagate quickly.
Check global propagation
- Use a tool like https://dnschecker.org/ to confirm your _dnsauth TXT record is visible worldwide.
- Remember stale DNS caches can linger, so you might need to wait up to an hour (TTL) or flush your local DNS cache (ipconfig /flushdns).
Make sure there are no conflicting DNS records
- Don’t have other TXT records or CNAME/A records for the same name that could confuse the CA check.
- Confirm your CNAME for traffic routing points only to your Front Door endpoint (for example, contoso.z01.azurefd.net or similar).
Re-validate in the portal
- After DNS propagates, go back to your domain in Front Door and click Refresh (or Retry).
- If the record matches what Front Door expects, the status should go to Approved within minutes.
Reference list:
- Domains in Azure Front Door → Domain validation states: https://learn.microsoft.com/azure/frontdoor/domain#domain-validation
- Add a custom domain to Azure Front Door: https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain
- Troubleshoot custom domain problems in App Service (DNS record patterns): https://learn.microsoft.com/azure/app-service/troubleshoot-domain-ssl-certificates#custom-domain-problems
If the above steps didn't fix the issue, could you please check the private message and share the requested details there?
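The record checks from the steps above can be run offline against saved `dig +noall +answer` output. This is an added example, not part of the original answer or any Microsoft tooling; the `audit` and `parse_answers` helpers, the sample records, the token, and the `.azurefd.net` suffix check (taken from the answer's example hostname) are assumptions.

```python
# Added example. All record values and tokens below are constructed.

def parse_answers(text):
    """Parse `dig +noall +answer` style lines into (name, type, value) tuples."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            name, _ttl, _cls, rtype, value = parts
            records.append((name.rstrip(".").lower(), rtype.upper(),
                            value.strip().strip('"')))
    return records

def audit(records, subdomain, token, endpoint_suffix=".azurefd.net"):
    """Return findings; an empty list means the records match the steps above.
    endpoint_suffix is an assumption taken from the answer's example hostname."""
    sub = subdomain.rstrip(".").lower()
    auth = "_dnsauth." + sub
    findings = []
    txt = [v for n, t, v in records if n == auth and t == "TXT"]
    if not txt:
        findings.append("no TXT record at " + auth)
        if any(n == "asuid." + sub and t == "TXT" for n, t, _ in records):
            findings.append("TXT published under asuid prefix, not _dnsauth")
    elif token not in txt:
        findings.append("TXT value differs from current token (regenerated?)")
    elif len(txt) > 1:
        findings.append("extra TXT values alongside the token at " + auth)
    # Any CNAME/A at the validation name itself conflicts with the TXT lookup.
    if any(n == auth and t in ("CNAME", "A") for n, t, _ in records):
        findings.append("conflicting CNAME/A record at " + auth)
    # The routing CNAME should target only the Front Door endpoint.
    for n, t, v in records:
        if (n == sub and t == "CNAME"
                and not v.rstrip(".").lower().endswith(endpoint_suffix)):
            findings.append("CNAME points to %s, not a Front Door endpoint" % v)
    return findings

# Constructed sample: token under the wrong prefix, CNAME to another host.
SAMPLE = """
asuid.www.example.com.   3600 IN TXT   "constructed-token-2"
www.example.com.         3600 IN CNAME legacy-host.example.net.
"""

if __name__ == "__main__":
    for f in audit(parse_answers(SAMPLE), "www.example.com", "constructed-token-2"):
        print("FINDING:", f)
```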