Creation of Azure-managed certificates for custom domains in API Management will be temporarily turned off from August 15, 2025 to March 15, 2026. Existing managed certificates will be autorenewed and remain unaffected.
17
+
Creation of Azure-managed certificates for custom domains in API Management will be temporarily turned off from August 15, 2025 to March 15, 2026. Existing managed certificates will be autorenewed as long as your API Management service allows inbound traffic from DigiCert IP addresses on port 80 and DNS is properly configured.
18
18
19
19
In the classic service tiers, Azure API Management offers [free, managed TLS certificates for custom domains](../configure-custom-domain.md#domain-certificate-options) (preview), allowing customers to secure their endpoints without purchasing and managing their own certificates. Because of an industry-wide deprecation of CNAME-based Domain Control Validation (DCV), our Certificate Authority (CA), DigiCert, is moving to a new open-source software (OSS) domain control validation (DCV) platform that provides transparency and accountability increasing the trustworthiness of domain validation. As part of this transition, DigiCert will deprecate support for the legacy CNAME Delegation DCV workflow. This migration requires us to temporarily suspend the creation of managed certificates for custom domains.
20
20
21
21
Note that this does not impact the standard CNAME DCV workflow (where DigiCert validates a random value in the CNAME record) which is still supported in the OSS validation system. This change affects several Azure services that currently rely on the soon-to-be deprecated CNAME for automated certificate issuance and renewal.
22
22
23
23
## Is my service affected by this?
24
24
25
-
You're affected if you plan to create new managed certificates for custom domains in Azure API Management between August 15, 2025 and March 15, 2026. Existing managed certificates will be autorenewed before August 15, 2025 and will continue to function normally. There's no impact to existing managed certificates or custom domains already using them.
25
+
You're affected if you plan to create new managed certificates for custom domains in Azure API Management between August 15, 2025 and March 15, 2026.
26
+
27
+
As part of this change, starting January 2026, for Azure API Management to be able to renew (rotate) your existing managed certificate, inbound access is required on port 80 to allow [specific DigiCert IP addresses](https://knowledge.digicert.com/alerts/ip-address-domain-validation?utm_medium=organic&utm_source=docs-digicert&referrer=https://docs.digicert.com/en/certcentral/manage-certificates/domain-control-validation-methods/automatic-domain-control-validation-check.html).
26
28
27
29
## What is the deadline for the change?
28
30
29
31
The suspension of managed certificates for custom domains will be enforced from August 15, 2025 to March 15, 2026. The capability to create managed certificates will resume after the migration to the new validation platform is complete.
30
32
31
33
## What do I need to do?
32
34
33
-
No action is required if you already have managed certificates for your custom domains. If you need to add new managed certificates, plan to do so before August 15, 2025 or after March 15, 2026. During the suspension period, you can still configure custom domains with certificates you manage from other sources.
35
+
If you need to add new managed certificates, plan to do so before August 15, 2025 or after March 15, 2026. During the suspension period, you can still configure custom domains with certificates you manage from other sources.
36
+
37
+
If you already have managed certificates for your custom domains, do the following to ensure continued access:
38
+
39
+
- Ensure that your API Management service allows [inbound traffic from DigiCert IP addresses on port 80](#allow-access-to-digicert-ip-addresses). This access is now required for the certificate autorenewal process.
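Review bot: the effective date of the port 80 requirement is stated three different ways in this hunk. The added paragraph under "Is my service affected by this?" says it applies "starting January 2026", the new bullet under "What do I need to do?" says "This access is now required", and the revised opening note makes autorenewal conditional on it with no date at all. Pick one statement and repeat it, so operators know when the inbound rule must be in place. The DigiCert link in the added paragraph also carries `utm_medium`, `utm_source` and `referrer` query parameters; link to the bare knowledge-base URL instead. Since this asks customers to open an inbound port, the bullet should keep the wording scoped to the DigiCert addresses, as it does now, and the opening note should link to the same anchor rather than restate the rule.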
@@ -185,18 +185,19 @@ Choose the steps according to the [domain certificate](#domain-certificate-optio
185
185
186
186
## DNS configuration
187
187
188
-
* Configure a CNAME record for your custom domain.
189
-
* When using API Management's free, managed certificate, also configure a TXT record to establish your ownership of the domain.
188
+
Configure your DNS provider to map your custom domain name to the default domain name of your API Management instance.
190
189
191
-
> [!NOTE]
192
-
> The free certificate is issued by DigiCert. For some domains, you must explicitly allow DigiCert as a certificate issuer by creating a [CAA domain record](https://wikipedia.org/wiki/DNS_Certification_Authority_Authorization) with the value: `0 issue digicert.com`.
Configure a CNAME record that points from your custom domain name (for example, `api.contoso.com`) to your API Management service hostname (for example, `<apim-service-name>.azure-api.net`). A CNAME record is more stable than an A-record in case the IP address changes. For more information, see [IP addresses of Azure API Management](api-management-howto-ip-addresses.md#changes-to-ip-addresses) and the [API Management FAQ](./api-management-faq.yml#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-backend-services-).
194
+
# [Key Vault](#tab/key-vault)
197
195
198
-
> [!NOTE]
199
-
> Some domain registrars only allow you to map subdomains when using a CNAME record, such as `www.contoso.com`, and not root names, such as `contoso.com`. For more information on CNAME records, see the documentation provided by your registrar or [IETF Domain Names - Implementation and Specification](https://tools.ietf.org/html/rfc1035).
> When you use the free, managed certificate and configure a CNAME record with your DNS provider, make sure that it resolves to the default API Management service hostname (`<apim-service-name>.azure-api.net`). Currently, API Management doesn't automatically renew the certificate if the CNAME record doesn't resolve to the default API Management hostname. For example, if you're using the free, managed certificate and you use Cloudflare as your DNS provider, make sure that DNS proxy isn't enabled on the CNAME record.
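Review bot: the CAA note removed at old lines 191-192 (`0 issue digicert.com`) and the TXT record bullet removed at old line 189 have no replacement in the lines shown, while the closing note of this hunk still gives guidance for the free, managed certificate. A domain whose CAA record set does not authorize DigiCert will fail issuance and renewal, so confirm that both items were moved under the managed-certificate tab rather than dropped, and if they were dropped, restore them there. Minor: "A-record" in the new CNAME paragraph should read "A record" to match the usual DNS terminology.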
@@ -212,6 +213,8 @@ When you use the portal to configure the free, managed certificate for your cust
212
213
213
214
You can also get a domain ownership identifier by calling the [Get Domain Ownership Identifier](/rest/api/apimanagement/current-ga/api-management-service/get-domain-ownership-identifier) REST API.
articles/storage-discovery/frequently-asked-questions.md
+14 -20 (14 additions & 20 deletions)
@@ -15,7 +15,7 @@ In this article, learn about frequently asked questions and answers for the Azur
15
15
<summary> Can I use Storage Discovery in EUAP regions?</summary>
16
16
Creating a Storage Discovery workspace in EUAP regions isn’t supported. However, if your workspace is created in a supported (non-EUAP) region, it will still show insights for storage accounts located in EUAP regions. To ensure full functionality and support, create your Storage Discovery workspace in a supported region outside EUAP.
17
17
</details>
18
-
18
+
<br>
19
19
<details>
20
20
<summary> I can't find a subscription in the workspace root picker (resource tree) to add it to the workspace root.</summary>
21
21
@@ -25,13 +25,14 @@ Creating a Storage Discovery workspace in EUAP regions isn’t supported. Howeve
25
25
- Select the "All Subscription" drop-down to verify if the subscription is listed and selected. If the subscription isn't selected here, it doesn't show up on the 'Add workspace root' dialog.
26
26
27
27
</details>
28
-
28
+
<br>
29
29
<details>
30
30
<summary>I created the workspace but can't see any data yet.</summary>
31
31
32
32
Insights aggregation often completes within a few hours but can also take more than a day.
33
33
34
34
</details>
35
+
<br>
35
36
36
37
<details>
37
38
<summary>It's more than 24 hours since the workspace was created and I still can't see data on the reports.</summary>
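Review bot: the `<br>` added at new line 35 is inserted ahead of a blank line that is kept (new line 36), whereas the other separators in this file replace the blank line outright (for example new line 28 in this same hunk). Use one form throughout so the spacing between `<details>` blocks renders uniformly; replacing the blank line, as the other hunks do, would match the rest of the change.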
@@ -42,42 +43,35 @@ Insights aggregation often completes within a few hours but can also take more t
42
43
- If still no data is shown on the reports after 24 hours of creation, contact [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).
43
44
44
45
</details>
45
-
46
+
<br>
46
47
<details>
47
48
<summary>I see data on Capacity and Configuration report but not on other reports.</summary>
48
49
49
50
Activity, Security, and Consumption reports show insights only for Standard pricing plan and not for Free plan. Verify your workspace's pricing plan and upgrade if needed.
50
51
51
52
</details>
52
-
53
-
<details>
54
-
<summary> I can't see insights for FNS accounts in the archive tier.</summary>
55
-
56
-
Insights such as capacity and activity for FNS storage accounts with the [default access tier](../storage/blobs/access-tiers-overview.md#default-account-access-tier-setting) set to [archive](../storage/blobs/access-tiers-overview.md#archive-access-tier) are currently not included in the Storage Discovery reports. An update is in progress to begin incorporating these insights. Once completed, insights for these storage accounts automatically appear in the reports and also are reflected in the monthly [Storage Discovery bill](pricing.md).
57
-
58
-
</details>
59
-
53
+
<br>
60
54
<details>
61
55
<summary>Unable to add more than 10 scopes in a workspace.</summary>
62
56
63
57
Discovery workspace has a default limit of 10 scopes per workspace. Support team may be contacted with a request to increase this limit if needed. Provide the tenantID, SubscriptionID where you would want this limit to be increased.
64
58
65
59
</details>
66
-
60
+
<br>
67
61
<details>
68
62
<summary>Unable to include more than 100 resources (Subscription or resource groups) as part of Discovery workspace root.</summary>
69
63
70
64
Discovery workspace has a default limit of 100 workspace roots per workspace. Support team may be contacted with a request to increase this limit if needed. Provide the tenantID, SubscriptionID where you would want this limit to be increased.
71
65
72
66
</details>
73
-
67
+
<br>
74
68
<details>
75
69
<summary>Unable to add more than five tags per scope in workspace.</summary>
76
70
77
71
Discovery workspace has a default limit of five ARM tags per scopes in each workspace. Support team may be contacted with a request to increase this limit if needed. Provide the tenantID, SubscriptionID where you would want this limit to be increased.
78
72
79
73
</details>
80
-
74
+
<br>
81
75
<details>
82
76
<summary>What are the resource limits of the Storage Discovery service?</summary>
83
77
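Review bot: old lines 53-59 delete the whole entry "I can't see insights for FNS accounts in the archive tier" alongside what is otherwise a spacing-only change, and nothing in the visible lines says why. That entry also told readers the insights would be reflected in the monthly Storage Discovery bill once the update shipped. If the update has shipped, say so in the commit message or in the pricing article; if it has not, keep the entry so users with archive-tier accounts still have an explanation for the missing data.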
@@ -90,22 +84,22 @@ If you need any of these limits increased, open a [support request](https://port
90
84
To create Storage Discovery resources with higher limits, use alternative clients such as Azure CLI, PowerShell, SDK, or ARM templates. The Azure portal will continue to enforce default limits.
91
85
92
86
</details>
93
-
87
+
<br>
94
88
<details>
95
89
<summary>Changes to resources (like creation of new storage accounts or change in storage account configuration) aren't showing up on the Discovery reports.</summary>
96
90
97
91
Insights aggregation often completes within a few hours but can also take more than a day.
98
92
99
93
</details>
100
-
94
+
<br>
101
95
<details>
102
96
<summary>Switching the pricing plan for a workspace</summary>
103
97
104
98
> [!WARNING]
105
99
> If a workspace is downgraded from a paid pricing plan to the `Free` plan, historic insights for only the past 15 days are retained and all previously aggregated insights are permanently deleted. Historic data can't be recovered, even if you switch the workspace back to a paid plan.
106
100
107
101
</details>
108
-
102
+
<br>
109
103
<details>
110
104
<summary>I'm unable to create a new resource.</summary>
111
105
@@ -115,7 +109,7 @@ There are two common reasons why the creation of a workspace resource can fail.
115
109
- Discovery only allows a maximum of 10 workspaces per region per subscription. To identify if this limit affects you, review the error message with which your workspace creation failed. `You've reached the maximum number of allowed resources {maxResourcesPerRegion} for this subscription in the {workspace.Location} region. Current count of resources added: {currentCount}` If you need more workspaces, you can open a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) and provide the tenant ID and the subscription ID for which you need this deployment limit increased. Our team reviews your request and may contact you with any remaining questions.
116
110
117
111
</details>
118
-
112
+
<br>
119
113
<details>
120
114
<summary>Discovery reports aren't showing few storage accounts that are part of the workspace.</summary>
121
115
@@ -124,8 +118,8 @@ There are two common reasons why the creation of a workspace resource can fail.
124
118
- Ensure the storage account has blobs in it. Empty storage accounts don't show up on the discovery reports.
125
119
126
120
</details>
127
-
121
+
<br>
128
122
<details>
129
123
<summary>Trend charts on Capacity and Consumption report show sharp dips</summary>
130
124
Trend graphs in the Capacity and Consumption reports may occasionally display temporary dips. Common causes are actual changes in your resources and noise from the insights aggregation engine. When viewed over longer time periods or averaged throughout a day, these ripples typically don't distort the overall insight you're gaining from any given graph.