HomeAzure App ServiceCustom Domains & SSL
Last updated: May 2026
Azure App ServiceIntermediateAZ-104⏱ 11 min read

Custom Domains & SSL in App Service

By default, every App Service app gets a free hostname like myapp.azurewebsites.net. For production, you'll want your own domain (contoso.com) with HTTPS. Azure App Service makes this straightforward — map your domain with a DNS record, and get a free managed SSL certificate with one click. This page covers the complete setup.

What you'll learn Mapping a custom domain — CNAME vs A record · Domain verification (TXT record) · Free App Service managed certificates · Bringing your own certificate (BYOC) · SNI SSL vs IP-based SSL · Enforcing HTTPS · Wildcard certificates · Managed certificate limitations
Table of Contents
  1. Mapping a Custom Domain
  2. CNAME vs A Record
  3. Domain Verification
  4. Free App Service Managed Certificates
  5. Bring Your Own Certificate
  6. SNI SSL vs IP-Based SSL
  7. Enforcing HTTPS
  8. Minimum TLS Version
  9. Practice Questions

Mapping a Custom Domain

High-level process:

  1. In Azure Portal → App Service → Custom domains → Add custom domain
  2. Enter your domain name (e.g., www.contoso.com)
  3. Azure tells you which DNS records to create
  4. Create those records in your DNS provider
  5. Azure verifies the records and maps the domain
  6. Add an SSL certificate for the domain
ℹ️
Minimum Tier for Custom Domains Custom domain mapping requires Basic tier or above. Free and Shared tiers do NOT support custom domains (Free has no domain support at all; Shared supports it with limitations).

CNAME vs A Record

CNAME RecordA Record
MapsHostname → another hostnameHostname → IP address
Usagewww.contoso.com → myapp.azurewebsites.net@ (root domain) → App Service IP
Zone apex?❌ Not allowed at zone apex (contoso.com)✅ Required for zone apex
IP changes?Follows automaticallyMust update if IP changes
Recommended forwww subdomain and all subdomainsRoot domain only
⚠️
Avoid A Records When Possible App Service IP addresses can change (e.g., when scaling or migrating). CNAME records automatically follow the hostname — A records need manual updating. Use CNAME for www and subdomains. Only use A records when you must point the root domain (and keep the IP backed up).

Domain Verification

To prove you own the domain, Azure requires you to create a TXT verification record in addition to the CNAME/A record:

  • Record type: TXT
  • Name: asuid.www (for www.contoso.com)
  • Value: App Service's unique Domain Verification ID (shown in the portal)

Free App Service Managed Certificates

App Service provides free SSL certificates for custom domains — provisioned and renewed automatically by Microsoft. No cost, no manual renewal.

Getting a Free Certificate

  1. App Service → TLS/SSL settings → Private Key Certificates → Create App Service Managed Certificate
  2. Select the custom domain
  3. Certificate is provisioned automatically (takes a few minutes)
  4. Bind the certificate to the domain

Managed Certificate Limitations

  • Only for custom subdomains (www.contoso.com) — NOT root domains (contoso.com)
  • Cannot be exported
  • Not available on Free or Shared tiers
  • Does not support wildcard certificates (*.contoso.com)
💡
Root Domain + Managed Cert Workaround Managed certs don't work for root domains. Options: (1) Use Azure Front Door or CDN in front — these support root domain HTTPS. (2) Buy a certificate from a CA. (3) Use App Service Domain (Azure-managed domain) which includes a wildcard cert.

Bring Your Own Certificate

Upload your own SSL certificate (PFX format) when you need:

  • Wildcard certificate (*.contoso.com) for all subdomains
  • Root domain certificate
  • Extended Validation (EV) certificate
  • Certificate from a specific CA for compliance
Azure CLIUpload and bind a custom certificate
# Upload PFX certificate
az webapp config ssl upload \
  --certificate-file mycert.pfx \
  --certificate-password "CertPassword123!" \
  --name mywebapp-2026 \
  --resource-group myRG

# Bind to custom domain
az webapp config ssl bind \
  --certificate-thumbprint  \
  --ssl-type SNI \
  --name mywebapp-2026 \
  --resource-group myRG

SNI SSL vs IP-Based SSL

SNI SSLIP-Based SSL
HowUses TLS Server Name Indication — no dedicated IPAssigns a dedicated inbound IP
CostIncluded in plan costAdditional charge per binding
Multiple certs✅ Multiple certificates on same IPOne certificate per IP
Recommended?✅ Yes — for almost all use casesOnly if you need a dedicated IP

Enforcing HTTPS

Enable "HTTPS Only" to redirect all HTTP traffic to HTTPS automatically. This should always be enabled for production apps.

Azure CLIEnforce HTTPS
# Force HTTPS redirect
az webapp update \
  --name mywebapp-2026 \
  --resource-group myRG \
  --https-only true

Minimum TLS Version

Configure the minimum TLS version to reject older, less secure connections. TLS 1.2 is the recommended minimum — TLS 1.0 and 1.1 are deprecated.

Azure CLISet minimum TLS version to 1.2
# Set minimum TLS to 1.2
az webapp config set \
  --name mywebapp-2026 \
  --resource-group myRG \
  --min-tls-version 1.2
💡
AZ-104 Exam Tip Know that Free managed certificates don't work for root domains or wildcards. Know that CNAME cannot be used at the zone apex. Know that SNI SSL is recommended over IP-based SSL. Know that HTTPS Only redirects HTTP to HTTPS. Know minimum TLS 1.2 is best practice.
📝 Practice Questions
Click an option to check your answer.
Q1. What DNS record type should you use to map www.contoso.com to an Azure App Service app?
A — CNAME record pointing to myapp.azurewebsites.net
B — A record pointing to the App Service IP address
C — MX record
D — NS record
Q2. Can the App Service free managed certificate be used for a root domain (contoso.com)?
A — Yes — managed certificates support both root domains and subdomains
B — No — managed certificates only support subdomains, not root domains
C — Only on Premium tier and above
D — Yes, but only on the Free tier
Q3. What is the advantage of SNI SSL over IP-based SSL in App Service?
A — SNI SSL assigns a dedicated IP address to the app
B — SNI SSL doesn\'t need a dedicated IP and is included in plan cost; IP-based SSL requires dedicated IP at extra cost
C — SNI SSL provides stronger encryption than IP-based SSL
D — SNI SSL is required for free managed certificates
Q4. What setting should you enable to automatically redirect all HTTP requests to HTTPS?
A — HTTPS Only (in App Service TLS/SSL settings)
B — Always On
C — Custom domain settings
D — Deployment slot configuration
Q5. What minimum App Service Plan tier is required to add a custom domain?
A — Free (F1)
B — Basic (B1)
C — Standard (S1)
D — Premium (P1v3)
Related Topics
Azure App ServiceApp Service Plans Azure App ServiceApp Service Networking Azure App ServiceDeployment Slots
← PreviousDeployment Slots
Comments
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.