Bicep resource definition
The profiles/customDomains resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Cdn/profiles/customDomains resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Cdn/profiles/customDomains@2025-09-01-preview' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    azureDnsZone: {
      id: 'string'
    }
    extendedProperties: {
      {customized property}: 'string'
    }
    hostName: 'string'
    mtlsSettings: {
      scenario: 'string'
      // For remaining properties, see AFDDomainMtlsParameters objects
    }
    preValidatedCustomDomainResourceId: {
      id: 'string'
    }
    tlsSettings: {
      certificateType: 'string'
      cipherSuiteSetType: 'string'
      customizedCipherSuiteSet: {
        cipherSuiteSetForTls12: [
          'string'
        ]
        cipherSuiteSetForTls13: [
          'string'
        ]
      }
      minimumTlsVersion: 'string'
      secret: {
        id: 'string'
      }
    }
  }
}
```
AFDDomainMtlsParameters objects
Set the scenario property to specify the type of object.
For ClientCertificateRequiredAndOriginValidates, use:
```bicep
{
  scenario: 'ClientCertificateRequiredAndOriginValidates'
}
```
For ClientCertificateRequiredAndValidated, use:
```bicep
{
  allowedFqdns: [
    'string'
  ]
  certificateRevocationCheck: 'string'
  scenario: 'ClientCertificateRequiredAndValidated'
  secrets: [
    {
      id: 'string'
    }
  ]
}
```
For ClientCertificateValidatedIfPresented, use:
```bicep
{
  allowedFqdns: [
    'string'
  ]
  certificateRevocationCheck: 'string'
  scenario: 'ClientCertificateValidatedIfPresented'
  secrets: [
    {
      id: 'string'
    }
  ]
}
```
For CompleteMtlsPassthroughToOrigin, use:
```bicep
{
  scenario: 'CompleteMtlsPassthroughToOrigin'
}
```
Property Values
Microsoft.Cdn/profiles/customDomains
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: profiles |
| properties | The JSON object that contains the properties of the domain to create. | AFDDomainProperties |
AFDDomainHttpsCustomizedCipherSuiteSet
| Name | Description | Value |
|---|---|---|
| cipherSuiteSetForTls12 | Cipher suites for TLS 1.2. At least one is required when minimumTlsVersion is TLS 1.2. | String array containing any of: 'DHE_RSA_AES128_GCM_SHA256' 'DHE_RSA_AES256_GCM_SHA384' 'ECDHE_RSA_AES128_GCM_SHA256' 'ECDHE_RSA_AES128_SHA256' 'ECDHE_RSA_AES256_GCM_SHA384' 'ECDHE_RSA_AES256_SHA384' |
| cipherSuiteSetForTls13 | Cipher suites for TLS 1.3. At least one is required when minimumTlsVersion is TLS 1.2 or TLS 1.3. | String array containing any of: 'TLS_AES_128_GCM_SHA256' 'TLS_AES_256_GCM_SHA384' |
AFDDomainHttpsParameters
| Name | Description | Value |
|---|---|---|
| certificateType | Defines the source of the SSL certificate. | 'AzureFirstPartyManagedCertificate' 'CustomerCertificate' 'ManagedCertificate' (required) |
| cipherSuiteSetType | Cipher suite set type that will be used for HTTPS. | 'Customized' 'TLS10_2019' 'TLS12_2022' 'TLS12_2023' |
| customizedCipherSuiteSet | Customized cipher suites object that will be used for HTTPS when cipherSuiteSetType is Customized. | AFDDomainHttpsCustomizedCipherSuiteSet |
| minimumTlsVersion | TLS protocol version that will be used for HTTPS when cipherSuiteSetType is Customized. | 'TLS10' 'TLS12' 'TLS13' |
| secret | Resource reference to the secret, i.e. subs/rg/profile/secret | ResourceReference |
AFDDomainMtlsParameters
| Name | Description | Value |
|---|---|---|
| scenario | Set to 'ClientCertificateRequiredAndOriginValidates' for type ClientCertificateRequiredAndOriginValidatesAdvancedSettings. Set to 'ClientCertificateRequiredAndValidated' for type ClientCertificateRequiredAndValidatedAdvancedSettings. Set to 'ClientCertificateValidatedIfPresented' for type ClientCertificateValidatedIfPresentedAdvancedSettings. Set to 'CompleteMtlsPassthroughToOrigin' for type CompleteMtlsPassthroughToOriginAdvancedSettings. | 'ClientCertificateRequiredAndOriginValidates' 'ClientCertificateRequiredAndValidated' 'ClientCertificateValidatedIfPresented' 'CompleteMtlsPassthroughToOrigin' (required) |
AFDDomainProperties
| Name | Description | Value |
|---|---|---|
| azureDnsZone | Resource reference to the Azure DNS zone | ResourceReference |
| extendedProperties | Key-Value pair representing migration properties for domains. | AFDDomainPropertiesExtendedProperties |
| hostName | The host name of the domain. Must be a domain name. | string (required) |
| mtlsSettings | The configuration specifying how to enable mutual TLS for the domain, including specifying allowed FQDNs and which server certificate(s) to use. | AFDDomainMtlsParameters |
| preValidatedCustomDomainResourceId | Resource reference to the Azure resource where custom domain ownership was prevalidated | ResourceReference |
| tlsSettings | The configuration specifying how to enable HTTPS for the domain - using AzureFrontDoor managed certificate or user's own certificate. If not specified, enabling ssl uses AzureFrontDoor managed certificate by default. | AFDDomainHttpsParameters |
AFDDomainPropertiesExtendedProperties
| Name | Description | Value |
|---|---|---|
ClientCertificateRequiredAndOriginValidatesAdvancedSettings
| Name | Description | Value |
|---|---|---|
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateRequiredAndOriginValidates' (required) |
ClientCertificateRequiredAndValidatedAdvancedSettings
| Name | Description | Value |
|---|---|---|
| allowedFqdns | List of FQDNs that will be accepted for mutual TLS validation. | string[] Constraints: Pattern = `^((?!xn--)[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,61}$` |
| certificateRevocationCheck | Set to Enabled by default. If set to Disabled, revocation status of client certificate chain will be checked before establishing mutual TLS connection. | 'Disabled' 'Enabled' |
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateRequiredAndValidated' (required) |
| secrets | List of one or two resource references (i.e. subs/rg/profile/secret) to secrets of type MtlsCertificateChain to use in the mutual TLS handshake as the trusted issuer certificate chain. | ResourceReference[] (required) |
ClientCertificateValidatedIfPresentedAdvancedSettings
| Name | Description | Value |
|---|---|---|
| allowedFqdns | List of FQDNs that will be accepted for mutual TLS validation. | string[] Constraints: Pattern = `^((?!xn--)[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,61}$` |
| certificateRevocationCheck | Set to Enabled by default. If set to Disabled, revocation status of client certificate chain will be checked before establishing mutual TLS connection. | 'Disabled' 'Enabled' |
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateValidatedIfPresented' (required) |
| secrets | List of one or two resource references (i.e. subs/rg/profile/secret) to secrets of type MtlsCertificateChain to use in the mutual TLS handshake as the trusted issuer certificate chain. | ResourceReference[] (required) |
CompleteMtlsPassthroughToOriginAdvancedSettings
| Name | Description | Value |
|---|---|---|
| scenario | Supported scenarios for establishing mTLS connection. | 'CompleteMtlsPassthroughToOrigin' (required) |
ResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
Usage Examples
Bicep Samples
A basic example of deploying Front Door (standard/premium) Custom Domain.
```bicep
param resourceName string = 'acctest0001'

resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' = {
  name: '${resourceName}.com'
  location: 'global'
}

resource profile 'Microsoft.Cdn/profiles@2021-06-01' = {
  name: resourceName
  location: 'global'
  properties: {
    originResponseTimeoutSeconds: 120
  }
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
}

resource customDomain 'Microsoft.Cdn/profiles/customDomains@2021-06-01' = {
  parent: profile
  name: resourceName
  properties: {
    azureDnsZone: {
      id: dnsZone.id
    }
    hostName: 'fabrikam.acctest0001.com'
    tlsSettings: {
      certificateType: 'ManagedCertificate'
      minimumTlsVersion: 'TLS12'
    }
  }
}
```
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Front Door Premium with blob origin and Private Link | This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. |
| Front Door Standard/Premium with Azure DNS and custom domain | This template creates a Front Door Standard/Premium including a custom domain on Azure DNS and Microsoft-managed certificate. |
| Front Door Standard/Premium with custom domain | This template creates a Front Door Standard/Premium including a custom domain and Microsoft-managed certificate. |
| Front Door Standard/Premium with domain and certificate | This template creates a Front Door Standard/Premium including a custom domain and customer-managed certificate. |
| FrontDoor CDN with WAF, Domains and Logs to EventHub | This template creates a new Azure FrontDoor cdn profile. Create WAF with custom and managed rules, cdn routes, origin and groups with their association with WAF and routes, configures custom domains, create event hub and diagnostic settings for sending CDN access logs using event hub. |
ARM template resource definition
The profiles/customDomains resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Cdn/profiles/customDomains resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Cdn/profiles/customDomains",
  "apiVersion": "2025-09-01-preview",
  "name": "string",
  "properties": {
    "azureDnsZone": {
      "id": "string"
    },
    "extendedProperties": {
      "{customized property}": "string"
    },
    "hostName": "string",
    "mtlsSettings": {
      "scenario": "string"
      // For remaining properties, see AFDDomainMtlsParameters objects
    },
    "preValidatedCustomDomainResourceId": {
      "id": "string"
    },
    "tlsSettings": {
      "certificateType": "string",
      "cipherSuiteSetType": "string",
      "customizedCipherSuiteSet": {
        "cipherSuiteSetForTls12": [ "string" ],
        "cipherSuiteSetForTls13": [ "string" ]
      },
      "minimumTlsVersion": "string",
      "secret": {
        "id": "string"
      }
    }
  }
}
```
AFDDomainMtlsParameters objects
Set the scenario property to specify the type of object.
For ClientCertificateRequiredAndOriginValidates, use:
```json
{
  "scenario": "ClientCertificateRequiredAndOriginValidates"
}
```
For ClientCertificateRequiredAndValidated, use:
```json
{
  "allowedFqdns": [ "string" ],
  "certificateRevocationCheck": "string",
  "scenario": "ClientCertificateRequiredAndValidated",
  "secrets": [
    {
      "id": "string"
    }
  ]
}
```
For ClientCertificateValidatedIfPresented, use:
```json
{
  "allowedFqdns": [ "string" ],
  "certificateRevocationCheck": "string",
  "scenario": "ClientCertificateValidatedIfPresented",
  "secrets": [
    {
      "id": "string"
    }
  ]
}
```
For CompleteMtlsPassthroughToOrigin, use:
```json
{
  "scenario": "CompleteMtlsPassthroughToOrigin"
}
```
Property Values
Microsoft.Cdn/profiles/customDomains
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2025-09-01-preview' |
| name | The resource name | string (required) |
| properties | The JSON object that contains the properties of the domain to create. | AFDDomainProperties |
| type | The resource type | 'Microsoft.Cdn/profiles/customDomains' |
AFDDomainHttpsCustomizedCipherSuiteSet
| Name | Description | Value |
|---|---|---|
| cipherSuiteSetForTls12 | Cipher suites for TLS 1.2. At least one is required when minimumTlsVersion is TLS 1.2. | String array containing any of: 'DHE_RSA_AES128_GCM_SHA256' 'DHE_RSA_AES256_GCM_SHA384' 'ECDHE_RSA_AES128_GCM_SHA256' 'ECDHE_RSA_AES128_SHA256' 'ECDHE_RSA_AES256_GCM_SHA384' 'ECDHE_RSA_AES256_SHA384' |
| cipherSuiteSetForTls13 | Cipher suites for TLS 1.3. At least one is required when minimumTlsVersion is TLS 1.2 or TLS 1.3. | String array containing any of: 'TLS_AES_128_GCM_SHA256' 'TLS_AES_256_GCM_SHA384' |
AFDDomainHttpsParameters
| Name | Description | Value |
|---|---|---|
| certificateType | Defines the source of the SSL certificate. | 'AzureFirstPartyManagedCertificate' 'CustomerCertificate' 'ManagedCertificate' (required) |
| cipherSuiteSetType | Cipher suite set type that will be used for HTTPS. | 'Customized' 'TLS10_2019' 'TLS12_2022' 'TLS12_2023' |
| customizedCipherSuiteSet | Customized cipher suites object that will be used for HTTPS when cipherSuiteSetType is Customized. | AFDDomainHttpsCustomizedCipherSuiteSet |
| minimumTlsVersion | TLS protocol version that will be used for HTTPS when cipherSuiteSetType is Customized. | 'TLS10' 'TLS12' 'TLS13' |
| secret | Resource reference to the secret, i.e. subs/rg/profile/secret | ResourceReference |
AFDDomainMtlsParameters
| Name | Description | Value |
|---|---|---|
| scenario | Set to 'ClientCertificateRequiredAndOriginValidates' for type ClientCertificateRequiredAndOriginValidatesAdvancedSettings. Set to 'ClientCertificateRequiredAndValidated' for type ClientCertificateRequiredAndValidatedAdvancedSettings. Set to 'ClientCertificateValidatedIfPresented' for type ClientCertificateValidatedIfPresentedAdvancedSettings. Set to 'CompleteMtlsPassthroughToOrigin' for type CompleteMtlsPassthroughToOriginAdvancedSettings. | 'ClientCertificateRequiredAndOriginValidates' 'ClientCertificateRequiredAndValidated' 'ClientCertificateValidatedIfPresented' 'CompleteMtlsPassthroughToOrigin' (required) |
AFDDomainProperties
| Name | Description | Value |
|---|---|---|
| azureDnsZone | Resource reference to the Azure DNS zone | ResourceReference |
| extendedProperties | Key-Value pair representing migration properties for domains. | AFDDomainPropertiesExtendedProperties |
| hostName | The host name of the domain. Must be a domain name. | string (required) |
| mtlsSettings | The configuration specifying how to enable mutual TLS for the domain, including specifying allowed FQDNs and which server certificate(s) to use. | AFDDomainMtlsParameters |
| preValidatedCustomDomainResourceId | Resource reference to the Azure resource where custom domain ownership was prevalidated | ResourceReference |
| tlsSettings | The configuration specifying how to enable HTTPS for the domain - using AzureFrontDoor managed certificate or user's own certificate. If not specified, enabling ssl uses AzureFrontDoor managed certificate by default. | AFDDomainHttpsParameters |
AFDDomainPropertiesExtendedProperties
| Name | Description | Value |
|---|---|---|
ClientCertificateRequiredAndOriginValidatesAdvancedSettings
| Name | Description | Value |
|---|---|---|
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateRequiredAndOriginValidates' (required) |
ClientCertificateRequiredAndValidatedAdvancedSettings
| Name | Description | Value |
|---|---|---|
| allowedFqdns | List of FQDNs that will be accepted for mutual TLS validation. | string[] Constraints: Pattern = `^((?!xn--)[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,61}$` |
| certificateRevocationCheck | Set to Enabled by default. If set to Disabled, revocation status of client certificate chain will be checked before establishing mutual TLS connection. | 'Disabled' 'Enabled' |
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateRequiredAndValidated' (required) |
| secrets | List of one or two resource references (i.e. subs/rg/profile/secret) to secrets of type MtlsCertificateChain to use in the mutual TLS handshake as the trusted issuer certificate chain. | ResourceReference[] (required) |
ClientCertificateValidatedIfPresentedAdvancedSettings
| Name | Description | Value |
|---|---|---|
| allowedFqdns | List of FQDNs that will be accepted for mutual TLS validation. | string[] Constraints: Pattern = `^((?!xn--)[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,61}$` |
| certificateRevocationCheck | Set to Enabled by default. If set to Disabled, revocation status of client certificate chain will be checked before establishing mutual TLS connection. | 'Disabled' 'Enabled' |
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateValidatedIfPresented' (required) |
| secrets | List of one or two resource references (i.e. subs/rg/profile/secret) to secrets of type MtlsCertificateChain to use in the mutual TLS handshake as the trusted issuer certificate chain. | ResourceReference[] (required) |
CompleteMtlsPassthroughToOriginAdvancedSettings
| Name | Description | Value |
|---|---|---|
| scenario | Supported scenarios for establishing mTLS connection. | 'CompleteMtlsPassthroughToOrigin' (required) |
ResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Front Door Premium with blob origin and Private Link | This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. |
| Front Door Standard/Premium with Azure DNS and custom domain | This template creates a Front Door Standard/Premium including a custom domain on Azure DNS and Microsoft-managed certificate. |
| Front Door Standard/Premium with custom domain | This template creates a Front Door Standard/Premium including a custom domain and Microsoft-managed certificate. |
| Front Door Standard/Premium with domain and certificate | This template creates a Front Door Standard/Premium including a custom domain and customer-managed certificate. |
| FrontDoor CDN with WAF, Domains and Logs to EventHub | This template creates a new Azure FrontDoor cdn profile. Create WAF with custom and managed rules, cdn routes, origin and groups with their association with WAF and routes, configures custom domains, create event hub and diagnostic settings for sending CDN access logs using event hub. |
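The following is an added example, not part of the original reference or Microsoft's code: a Python check that a CI job could run over an ARM template to flag customDomains settings that weaken TLS or mutual TLS, using only the property names and enum values from the tables above. The sample template, the finding codes, and the treatment of `TLS10_2019` and non-GCM suite names as weak are assumptions of this example; it only inspects top-level resources.

```python
import re

# Pattern copied from the allowedFqdns constraint in the tables above.
FQDN_RE = re.compile(
    r"^((?!xn--)[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,61}$")
DOMAIN_TYPE = "Microsoft.Cdn/profiles/customDomains"
VALIDATING = {"ClientCertificateRequiredAndValidated",
              "ClientCertificateValidatedIfPresented"}


def audit_domain(resource):
    """Return finding codes (hypothetical names) for one customDomains resource."""
    props = resource.get("properties") or {}
    tls = props.get("tlsSettings") or {}
    mtls = props.get("mtlsSettings") or {}
    codes = []

    min_tls = tls.get("minimumTlsVersion")
    suite_type = tls.get("cipherSuiteSetType")
    if min_tls == "TLS10":
        codes.append("TLS-MIN-10")
    if suite_type == "TLS10_2019":  # assumption: the name denotes a TLS 1.0-era set
        codes.append("TLS-SET-10")
    if suite_type == "Customized":
        custom = tls.get("customizedCipherSuiteSet") or {}
        tls12 = custom.get("cipherSuiteSetForTls12") or []
        tls13 = custom.get("cipherSuiteSetForTls13") or []
        # Assumption: TLS 1.2 enum names without "GCM" are CBC-mode (non-AEAD) suites.
        if any("GCM" not in suite for suite in tls12):
            codes.append("TLS12-NON-AEAD")
        # The tables require at least one suite in each list for these minimums.
        if min_tls == "TLS12" and not tls12:
            codes.append("TLS12-EMPTY")
        if min_tls in ("TLS12", "TLS13") and not tls13:
            codes.append("TLS13-EMPTY")

    scenario = mtls.get("scenario")
    if scenario == "ClientCertificateValidatedIfPresented":
        codes.append("MTLS-CERT-OPTIONAL")  # certificate is checked only if sent
    if scenario in VALIDATING:
        if mtls.get("certificateRevocationCheck", "Enabled") != "Enabled":  # default
            codes.append("MTLS-REVOCATION-OFF")
        if not 1 <= len(mtls.get("secrets") or []) <= 2:  # "one or two" chains
            codes.append("MTLS-SECRETS-COUNT")
        if any(not FQDN_RE.match(f) for f in mtls.get("allowedFqdns") or []):
            codes.append("MTLS-FQDN-PATTERN")
    return codes


def audit_template(template):
    """Map name -> finding codes for each top-level customDomains resource."""
    return {r.get("name"): audit_domain(r)
            for r in template.get("resources", [])
            if r.get("type") == DOMAIN_TYPE}

# Constructed sample template: one weak domain, one hardened domain.
SAMPLE_TEMPLATE = {"resources": [
    {"type": DOMAIN_TYPE, "name": "example-profile/legacy",
     "properties": {"hostName": "legacy.example.com", "tlsSettings": {
         "certificateType": "ManagedCertificate",
         "cipherSuiteSetType": "Customized", "minimumTlsVersion": "TLS12",
         "customizedCipherSuiteSet": {
             "cipherSuiteSetForTls12": ["ECDHE_RSA_AES128_SHA256"],
             "cipherSuiteSetForTls13": []}},
         "mtlsSettings": {
             "scenario": "ClientCertificateValidatedIfPresented",
             "certificateRevocationCheck": "Disabled",
             "allowedFqdns": ["xn--bad.example.com", "clients.example.com"],
             "secrets": [{"id": "<mtls-chain-secret-id>"}]}}},
    {"type": DOMAIN_TYPE, "name": "example-profile/hardened",
     "properties": {"hostName": "api.example.com", "tlsSettings": {
         "certificateType": "ManagedCertificate",
         "cipherSuiteSetType": "Customized", "minimumTlsVersion": "TLS12",
         "customizedCipherSuiteSet": {
             "cipherSuiteSetForTls12": ["ECDHE_RSA_AES256_GCM_SHA384"],
             "cipherSuiteSetForTls13": ["TLS_AES_256_GCM_SHA384"]}},
         "mtlsSettings": {
             "scenario": "ClientCertificateRequiredAndValidated",
             "certificateRevocationCheck": "Enabled",
             "allowedFqdns": ["clients.example.com"],
             "secrets": [{"id": "<mtls-chain-secret-id>"}]}}}]}

if __name__ == "__main__":
    print(audit_template(SAMPLE_TEMPLATE))
```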
Terraform (AzAPI provider) resource definition
The profiles/customDomains resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Cdn/profiles/customDomains resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Cdn/profiles/customDomains@2025-09-01-preview"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      azureDnsZone = {
        id = "string"
      }
      extendedProperties = {
        {customized property} = "string"
      }
      hostName = "string"
      mtlsSettings = {
        scenario = "string"
        // For remaining properties, see AFDDomainMtlsParameters objects
      }
      preValidatedCustomDomainResourceId = {
        id = "string"
      }
      tlsSettings = {
        certificateType = "string"
        cipherSuiteSetType = "string"
        customizedCipherSuiteSet = {
          cipherSuiteSetForTls12 = [
            "string"
          ]
          cipherSuiteSetForTls13 = [
            "string"
          ]
        }
        minimumTlsVersion = "string"
        secret = {
          id = "string"
        }
      }
    }
  }
}
```
AFDDomainMtlsParameters objects
Set the scenario property to specify the type of object.
For ClientCertificateRequiredAndOriginValidates, use:
```terraform
{
  scenario = "ClientCertificateRequiredAndOriginValidates"
}
```
For ClientCertificateRequiredAndValidated, use:
```terraform
{
  allowedFqdns = [
    "string"
  ]
  certificateRevocationCheck = "string"
  scenario = "ClientCertificateRequiredAndValidated"
  secrets = [
    {
      id = "string"
    }
  ]
}
```
For ClientCertificateValidatedIfPresented, use:
```terraform
{
  allowedFqdns = [
    "string"
  ]
  certificateRevocationCheck = "string"
  scenario = "ClientCertificateValidatedIfPresented"
  secrets = [
    {
      id = "string"
    }
  ]
}
```
For CompleteMtlsPassthroughToOrigin, use:
```terraform
{
  scenario = "CompleteMtlsPassthroughToOrigin"
}
```
Property Values
Microsoft.Cdn/profiles/customDomains
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: profiles |
| properties | The JSON object that contains the properties of the domain to create. | AFDDomainProperties |
| type | The resource type | "Microsoft.Cdn/profiles/customDomains@2025-09-01-preview" |
AFDDomainHttpsCustomizedCipherSuiteSet
| Name | Description | Value |
|---|---|---|
| cipherSuiteSetForTls12 | Cipher suites for TLS 1.2. At least one is required when minimumTlsVersion is TLS 1.2. | String array containing any of: 'DHE_RSA_AES128_GCM_SHA256' 'DHE_RSA_AES256_GCM_SHA384' 'ECDHE_RSA_AES128_GCM_SHA256' 'ECDHE_RSA_AES128_SHA256' 'ECDHE_RSA_AES256_GCM_SHA384' 'ECDHE_RSA_AES256_SHA384' |
| cipherSuiteSetForTls13 | Cipher suites for TLS 1.3. At least one is required when minimumTlsVersion is TLS 1.2 or TLS 1.3. | String array containing any of: 'TLS_AES_128_GCM_SHA256' 'TLS_AES_256_GCM_SHA384' |
AFDDomainHttpsParameters
| Name | Description | Value |
|---|---|---|
| certificateType | Defines the source of the SSL certificate. | 'AzureFirstPartyManagedCertificate' 'CustomerCertificate' 'ManagedCertificate' (required) |
| cipherSuiteSetType | Cipher suite set type that will be used for HTTPS. | 'Customized' 'TLS10_2019' 'TLS12_2022' 'TLS12_2023' |
| customizedCipherSuiteSet | Customized cipher suites object that will be used for HTTPS when cipherSuiteSetType is Customized. | AFDDomainHttpsCustomizedCipherSuiteSet |
| minimumTlsVersion | TLS protocol version that will be used for HTTPS when cipherSuiteSetType is Customized. | 'TLS10' 'TLS12' 'TLS13' |
| secret | Resource reference to the secret, i.e. subs/rg/profile/secret | ResourceReference |
AFDDomainMtlsParameters
| Name | Description | Value |
|---|---|---|
| scenario | Set to 'ClientCertificateRequiredAndOriginValidates' for type ClientCertificateRequiredAndOriginValidatesAdvancedSettings. Set to 'ClientCertificateRequiredAndValidated' for type ClientCertificateRequiredAndValidatedAdvancedSettings. Set to 'ClientCertificateValidatedIfPresented' for type ClientCertificateValidatedIfPresentedAdvancedSettings. Set to 'CompleteMtlsPassthroughToOrigin' for type CompleteMtlsPassthroughToOriginAdvancedSettings. | 'ClientCertificateRequiredAndOriginValidates' 'ClientCertificateRequiredAndValidated' 'ClientCertificateValidatedIfPresented' 'CompleteMtlsPassthroughToOrigin' (required) |
AFDDomainProperties
| Name | Description | Value |
|---|---|---|
| azureDnsZone | Resource reference to the Azure DNS zone | ResourceReference |
| extendedProperties | Key-Value pair representing migration properties for domains. | AFDDomainPropertiesExtendedProperties |
| hostName | The host name of the domain. Must be a domain name. | string (required) |
| mtlsSettings | The configuration specifying how to enable mutual TLS for the domain, including specifying allowed FQDNs and which server certificate(s) to use. | AFDDomainMtlsParameters |
| preValidatedCustomDomainResourceId | Resource reference to the Azure resource where custom domain ownership was prevalidated | ResourceReference |
| tlsSettings | The configuration specifying how to enable HTTPS for the domain - using AzureFrontDoor managed certificate or user's own certificate. If not specified, enabling ssl uses AzureFrontDoor managed certificate by default. | AFDDomainHttpsParameters |
AFDDomainPropertiesExtendedProperties
| Name | Description | Value |
|---|---|---|
ClientCertificateRequiredAndOriginValidatesAdvancedSettings
| Name | Description | Value |
|---|---|---|
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateRequiredAndOriginValidates' (required) |
ClientCertificateRequiredAndValidatedAdvancedSettings
| Name | Description | Value |
|---|---|---|
| allowedFqdns | List of FQDNs that will be accepted for mutual TLS validation. | string[] Constraints: Pattern = `^((?!xn--)[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,61}$` |
| certificateRevocationCheck | Set to Enabled by default. If set to Disabled, revocation status of client certificate chain will be checked before establishing mutual TLS connection. | 'Disabled' 'Enabled' |
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateRequiredAndValidated' (required) |
| secrets | List of one or two resource references (i.e. subs/rg/profile/secret) to secrets of type MtlsCertificateChain to use in the mutual TLS handshake as the trusted issuer certificate chain. | ResourceReference[] (required) |
ClientCertificateValidatedIfPresentedAdvancedSettings
| Name | Description | Value |
|---|---|---|
| allowedFqdns | List of FQDNs that will be accepted for mutual TLS validation. | string[] Constraints: Pattern = `^((?!xn--)[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,61}$` |
| certificateRevocationCheck | Set to Enabled by default. If set to Disabled, revocation status of client certificate chain will be checked before establishing mutual TLS connection. | 'Disabled' 'Enabled' |
| scenario | Supported scenarios for establishing mTLS connection. | 'ClientCertificateValidatedIfPresented' (required) |
| secrets | List of one or two resource references (i.e. subs/rg/profile/secret) to secrets of type MtlsCertificateChain to use in the mutual TLS handshake as the trusted issuer certificate chain. | ResourceReference[] (required) |
CompleteMtlsPassthroughToOriginAdvancedSettings
| Name | Description | Value |
|---|---|---|
| scenario | Supported scenarios for establishing mTLS connection. | 'CompleteMtlsPassthroughToOrigin' (required) |
ResourceReference
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
Usage Examples
Terraform Samples
A basic example of deploying Front Door (standard/premium) Custom Domain.
```terraform
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type = string
  default = "acctest0001"
}

variable "location" {
  type = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type = "Microsoft.Resources/resourceGroups@2020-06-01"
  name = var.resource_name
  location = var.location
}

resource "azapi_resource" "dnsZone" {
  type = "Microsoft.Network/dnsZones@2018-05-01"
  parent_id = azapi_resource.resourceGroup.id
  name = "${var.resource_name}.com"
  location = "global"
  schema_validation_enabled = false
  response_export_values = ["*"]
}

resource "azapi_resource" "profile" {
  type = "Microsoft.Cdn/profiles@2021-06-01"
  parent_id = azapi_resource.resourceGroup.id
  name = var.resource_name
  location = "global"
  body = {
    properties = {
      originResponseTimeoutSeconds = 120
    }
    sku = {
      name = "Premium_AzureFrontDoor"
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

resource "azapi_resource" "customDomain" {
  type = "Microsoft.Cdn/profiles/customDomains@2021-06-01"
  parent_id = azapi_resource.profile.id
  name = var.resource_name
  body = {
    properties = {
      azureDnsZone = {
        id = azapi_resource.dnsZone.id
      }
      hostName = "fabrikam.${var.resource_name}.com"
      tlsSettings = {
        certificateType = "ManagedCertificate"
        minimumTlsVersion = "TLS12"
      }
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}
```