Azure DNS requirements for domain validation¶
When you use Azure DNS with a certificate authority (CA) that supports the ACME DNS-01 challenge, such as Let's Encrypt or a custom ACMEv2 CA, TLS Protect Cloud automates domain control validation for you: for each name on the certificate it creates a TXT record named `_acme-challenge.<name>` holding the CA-supplied challenge value, lets the CA query it, and deletes the record once validation finishes. It does this through the Azure Resource Manager API, using a service principal whose details you supply in the properties below.
Required Azure properties¶
These Azure properties are required to enable secure automation with Azure DNS:

| Field | Purpose |
|---|---|
| Subscription ID | Identifies the Azure subscription hosting your DNS zones. |
| Resource Group | Identifies the resource group that contains those DNS zones. |
| Client ID | The application (service principal) ID registered in Azure AD (Microsoft Entra ID). |
| Client Secret | Secret string that, together with the Client ID, authenticates requests. Treat it as a credential: Azure shows the value only once, at creation, and every secret carries an expiry date, so record when it lapses and plan to rotate it before then. |
| Tenant ID | Identifies your Azure Active Directory (Microsoft Entra) tenant. |
Required permissions¶
To allow TLS Protect Cloud to create and manage TXT records automatically, you must:
- Create a service principal (Azure AD application) and a client secret for it.
- Assign it the built-in DNS Zone Contributor role at either the resource-group or the DNS-zone scope. Prefer the zone scope: at resource-group scope the principal can change every zone in that group, at zone scope only the zones you list.
This role lets TLS Protect Cloud:
- Read DNS zones and records
- Create TXT records for validation
- Update or delete those records when validation completes
No other role is needed. Do not grant Contributor or Owner on the subscription or resource group: DNS Zone Contributor already covers every record type in the zone (`Microsoft.Network/dnsZones/*`), which is more than validation strictly requires. Azure has no built-in role narrower than a whole zone; if your policy requires it, define a custom role limited to `Microsoft.Network/dnsZones/read` and `Microsoft.Network/dnsZones/TXT/*` and test validation with it before relying on it.
Tip
Need help creating a service principal? See Microsoft's guide:
https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal
You may need assistance from your Azure administrator to create the principal and assign roles.
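The setup described above, as an added Azure CLI example (it is not part of the TLS Protect Cloud documentation or product). It assumes the Azure CLI (`az`) is installed and logged in with rights to create applications and role assignments; the service principal name `tlspc-dns01` and the zone names are placeholders. The pure helpers work out which hosted zone must carry the `_acme-challenge` record for a given certificate name (wildcards included) and what the relative record name will look like in Azure DNS, so you can confirm the zone you are about to scope the role to is the right one; `provision` then creates the principal with DNS Zone Contributor at that single zone scope and prints the five values the table asks for, and `verify` lists every assignment the principal holds so you can check nothing broader slipped in.

```shell
#!/bin/sh
# Added example, not from the TLS Protect Cloud docs. Assumes `az` is installed
# and logged in; "tlspc-dns01" and the zone names are placeholders.
set -eu

# Strip a leading wildcard label, then print the hosted zone that must carry the
# _acme-challenge TXT record: the longest zone (space-separated list) that is a
# suffix of the name. Returns 1 with no output when no zone matches, which is
# exactly the case in which DNS-01 validation for that name would fail.
zone_for_name() {
  name=${1#\*.}
  shift
  best=""
  for zone in "$@"; do
    case "$name" in
      "$zone"|*."$zone")
        if [ ${#zone} -gt ${#best} ]; then best=$zone; fi ;;
    esac
  done
  [ -n "$best" ] || return 1
  printf '%s\n' "$best"
}

# Relative record-set name Azure DNS will show for the validation record.
# At the zone apex it is just "_acme-challenge".
challenge_record_name() {
  name=${1#\*.}
  zone=$2
  if [ "$name" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${name%."$zone"}"
  fi
}

# ARM resource ID of one DNS zone: the narrowest scope a built-in role can be
# assigned at. Arguments: subscription ID, resource group, zone name.
dns_zone_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/dnszones/%s\n' \
    "$1" "$2" "$3"
}

# Create the app + service principal and assign DNS Zone Contributor at zone
# scope in one step. The password is printed exactly once: paste it into
# TLS Protect Cloud and keep no other copy. The secret has an expiry date;
# inspect it with `az ad app credential list --id <clientId>` and rotate in time.
provision() {
  rg=$1; zone=$2; sp_name=${3:-tlspc-dns01}
  sub=$(az account show --query id -o tsv)
  scope=$(dns_zone_scope "$sub" "$rg" "$zone")
  az ad sp create-for-rbac --name "$sp_name" \
    --role "DNS Zone Contributor" --scopes "$scope" \
    --query '{clientId:appId, clientSecret:password, tenantId:tenant}' -o json
  printf 'subscriptionId=%s\nresourceGroup=%s\nscope=%s\n' "$sub" "$rg" "$scope"
}

# List every role assignment the principal holds, at any scope. Expect one row:
# DNS Zone Contributor on the zone. Anything else is over-privilege to remove.
verify() {
  az role assignment list --assignee "$1" --all \
    --query '[].{role:roleDefinitionName, scope:scope}' -o table
}

case "${1:-}" in
  provision) shift; provision "$@" ;;   # provision <resource-group> <zone> [sp-name]
  verify)    shift; verify "$@" ;;      # verify <clientId>
  *) ;;                                 # no args: only define the functions
esac
```

Run it as `sh azure-dns01.sh provision my-dns-rg example.com`, then `sh azure-dns01.sh verify <clientId>`. If you host a delegated child zone (say `dev.example.com`) separately from `example.com`, `zone_for_name` picks the child for names under it, so the role must be assigned on that zone, not the parent; a role scoped only to the parent would let validation fail with a permissions error on the child.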