Azure DNS requirements for domain validation
When using Azure DNS with a certificate authority (CA) that supports the DNS-01 challenge method—such as Let's Encrypt or a custom ACMEv2 CA—Certificate Manager - SaaS automates domain control validation by creating and deleting TXT records through the Azure API.
Required Azure properties
Certificate Manager - SaaS needs the following values to authenticate to Azure and to locate the DNS zones it will write to:
| Field | Purpose |
|---|---|
| Subscription ID | Identifies the Azure subscription hosting your DNS zones. |
| Resource Group | Identifies the resource group that contains those DNS zones. |
| Client ID | The Application (client) ID of the app registration whose service principal Certificate Manager - SaaS signs in as. |
| Client Secret | Secret string that, with the Client ID, authenticates requests. It is shown only once when created in Azure, has an expiry date, and must be treated as a credential: store it in Certificate Manager - SaaS only, and rotate it before it expires. |
| Tenant ID | Identifies your Azure Active Directory (Microsoft Entra ID) tenant. |
Required permissions
To allow Certificate Manager - SaaS to create and manage TXT records automatically, you must:
- Create a service principal (an Azure AD app registration with a client secret).
- Assign it the DNS Zone Contributor role at either the resource-group or DNS-zone scope. Prefer the DNS-zone scope: DNS Zone Contributor can manage every record set in whatever it is scoped to, so assigning it on the resource group extends that access to all zones in the group, not only the ones being validated.
This role lets Certificate Manager - SaaS:
- Read DNS zones and records
- Create TXT records for validation
- Update or delete those records when validation completes
Tip
Need help creating a service principal? See Microsoft's guide:
https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal
You may need assistance from your Azure administrator to create the principal and assign roles.
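The following script is an added example of the procedure above and is not part of the Certificate Manager - SaaS documentation. It creates the service principal with DNS Zone Contributor scoped to a single zone, checks that the assignment landed at that scope, and then signs in as the new principal to create and delete a throw-away TXT record, so you know the five values work before entering them in Certificate Manager - SaaS. It assumes the Azure CLI (`az`) and `jq` are installed and that you are already logged in as an account allowed to assign roles on the zone; the display name `cm-saas-dns01-<zone>` and the record name `_acme-challenge-smoketest` are placeholders of this example.

```bash
#!/usr/bin/env bash
# Added example: least-privilege service principal for DNS-01 validation of one Azure DNS zone.
# Assumes: az CLI + jq installed; current az login can assign roles on the zone.
set -eu

# Build the ARM resource ID of a DNS zone. This is the narrowest scope at which
# "DNS Zone Contributor" can be assigned, so the principal cannot touch other zones.
dns_zone_scope() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/dnsZones/%s\n' "$1" "$2" "$3"
}

# Return 0 if all five values Certificate Manager - SaaS needs are non-empty;
# otherwise list the missing ones on stderr and return 1.
# Usage: check_required_fields SUB RG CLIENT_ID CLIENT_SECRET TENANT
check_required_fields() {
    missing=""
    [ -n "${1:-}" ] || missing="$missing SubscriptionID"
    [ -n "${2:-}" ] || missing="$missing ResourceGroup"
    [ -n "${3:-}" ] || missing="$missing ClientID"
    [ -n "${4:-}" ] || missing="$missing ClientSecret"
    [ -n "${5:-}" ] || missing="$missing TenantID"
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    return 0
}

main() {
    SUBSCRIPTION_ID="$1"; RESOURCE_GROUP="$2"; ZONE="$3"
    APP_NAME="${4:-cm-saas-dns01-$ZONE}"          # placeholder display name
    SCOPE=$(dns_zone_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$ZONE")

    # 1. Create the app registration + service principal and assign the role at zone scope only.
    #    The JSON carries appId (Client ID), password (Client Secret, shown once) and tenant (Tenant ID).
    SP_JSON=$(az ad sp create-for-rbac --name "$APP_NAME" \
        --role "DNS Zone Contributor" --scopes "$SCOPE" -o json)
    CLIENT_ID=$(printf '%s' "$SP_JSON" | jq -r .appId)
    CLIENT_SECRET=$(printf '%s' "$SP_JSON" | jq -r .password)
    TENANT_ID=$(printf '%s' "$SP_JSON" | jq -r .tenant)
    check_required_fields "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$CLIENT_ID" "$CLIENT_SECRET" "$TENANT_ID"

    # 2. Confirm the assignment exists at the zone scope and nothing wider was granted.
    echo "Role assignments for $CLIENT_ID at $SCOPE:"
    az role assignment list --assignee "$CLIENT_ID" --scope "$SCOPE" \
        --query "[].{role:roleDefinitionName,scope:scope}" -o table

    # 3. Smoke test as the new principal in a private CLI profile (AZURE_CONFIG_DIR keeps
    #    the admin login untouched): add and then delete a throw-away TXT record.
    export AZURE_CONFIG_DIR; AZURE_CONFIG_DIR=$(mktemp -d)
    az login --service-principal -u "$CLIENT_ID" -p "$CLIENT_SECRET" --tenant "$TENANT_ID" -o none
    az network dns record-set txt add-record -g "$RESOURCE_GROUP" -z "$ZONE" \
        -n "_acme-challenge-smoketest" -v "cm-saas-smoke-$(date +%s)" -o none
    az network dns record-set txt delete -g "$RESOURCE_GROUP" -z "$ZONE" \
        -n "_acme-challenge-smoketest" --yes -o none
    rm -rf "$AZURE_CONFIG_DIR"

    echo "Enter these values in Certificate Manager - SaaS (the secret is not retrievable later):"
    printf 'Subscription ID: %s\nResource Group:  %s\nClient ID:       %s\nClient Secret:   %s\nTenant ID:       %s\n' \
        "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$CLIENT_ID" "$CLIENT_SECRET" "$TENANT_ID"
}

# Run only when invoked explicitly, e.g.:  ./azure-dns01-sp.sh --run <subscription-id> <resource-group> <zone-name>
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

If you must grant the resource-group scope instead (for example, many zones in one group), replace `--scopes "$SCOPE"` with the resource group ID and re-run step 2 to see that the single assignment now covers every zone in that group.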