July 22, 2025
Overview
As part of an upcoming industry-wide change, DigiCert, the Certificate Authority (CA) for Azure App Service Managed Certificates (ASMC), is required to migrate to a new validation platform to meet multi-perspective issuance corroboration (MPIC) requirements.
While most certificates will not be impacted by this change, certain site configurations and setups may prevent certificate issuance or renewal starting July 28, 2025.
What Will the Change Look Like?
For most customers: No disruption. Certificate issuance and renewals will continue as expected for eligible site configurations.
For impacted scenarios: Certificate requests will fail (no certificate issued) starting July 28, 2025, if your site configuration is not supported. Existing certificates will remain valid until their expiration (up to six months after last renewal).
Impacted Scenarios
You will be affected by this change if any of the following apply to your site configurations:
- Your site is not publicly accessible:
  - Public accessibility to your app is required. If your app is only accessible privately (e.g., requiring a client certificate for access, disabling public network access, using private endpoints or IP restrictions), you will not be able to create or renew a managed certificate.
  - Other site configurations or setup methods not explicitly listed here that restrict public access, such as firewalls, authentication gateways, or any custom access policies, can also affect eligibility for managed certificate issuance or renewal.
  - Action: Ensure your app is accessible from the public internet. If you need to limit access to your app, you must acquire your own SSL certificate and add it to your site.
- Your site uses Azure Traffic Manager “nested” or “external” endpoints:
  - Only “Azure Endpoints” on Traffic Manager will be supported for certificate creation and renewal.
  - “Nested endpoints” and “External endpoints” will not be supported.
  - Action: Transition to using “Azure Endpoints”. If you cannot, you must obtain a different SSL certificate for your domain and add it to your site.
- Your site relies on a *.trafficmanager.net domain:
  - Certificates for *.trafficmanager.net domains will not be supported for creation or renewal.
  - Action: Add a custom domain to your app and point the custom domain to your *.trafficmanager.net domain. After that, secure the custom domain with a new SSL certificate.
If none of the above applies, no further action is required.
How to Identify Impacted Resources?
To assist with the upcoming changes, you can use Azure Resource Graph (ARG) queries to help identify resources that may be affected under each scenario. Please note that these queries are provided as a starting point and may not capture every configuration. Review your environment for any unique setups or custom configurations.
Scenario 1: Sites Not Publicly Accessible
This ARG query retrieves the sites that either have the public network access property disabled or are configured to use client certificates, then keeps only those whose custom hostname SSL bindings use an App Service Managed Certificate (ASMC). Those are the certificates that could be affected by the upcoming change. The query does not provide complete coverage: other configurations that restrict public access to your app (for example, IP restrictions or private endpoints) are not detected here, so treat it as a starting point and review your environment thoroughly. Copy the query, paste it into Azure Resource Graph Explorer, and click “Run query” to view the results for your environment.
// ARG Query: Identify App Service sites that commonly restrict public access and use ASMC for custom hostname SSL bindings
resources
| where type == "microsoft.web/sites"
// Extract relevant properties for public access and client certificate settings
| extend
    publicNetworkAccess = tolower(tostring(properties.publicNetworkAccess)),
    clientCertEnabled = tolower(tostring(properties.clientCertEnabled))
// Filter for sites that either have public network access disabled
// or have client certificates enabled (both can restrict public access).
// Note: `!= "false"` also matches sites where clientCertEnabled is unset, which keeps the result conservative.
| where publicNetworkAccess == "disabled"
    or clientCertEnabled != "false"
// Expand the list of SSL bindings for each site (one row per hostname binding)
| mv-expand hostNameSslState = properties.hostNameSslStates
| extend
    hostName = tostring(hostNameSslState.name),
    thumbprint = tostring(hostNameSslState.thumbprint)
// Only consider custom domains (exclude default *.azurewebsites.net) and bindings with an SSL certificate bound
| where tolower(hostName) !endswith "azurewebsites.net" and isnotempty(thumbprint)
// Select key site properties for output
| project siteName = name, siteId = id, siteResourceGroup = resourceGroup, thumbprint, publicNetworkAccess, clientCertEnabled
// Join with certificates to find only those using App Service Managed Certificates (ASMC)
// ASMCs are identified by the presence of the "canonicalName" property
| join kind=inner (
    resources
    | where type == "microsoft.web/certificates"
    | extend
        certThumbprint = tostring(properties.thumbprint),
        canonicalName = tostring(properties.canonicalName) // Only ASMC uses the "canonicalName" property
    | where isnotempty(canonicalName)
    | project certName = name, certId = id, certResourceGroup = tostring(properties.resourceGroup), certExpiration = properties.expirationDate, certThumbprint, canonicalName
) on $left.thumbprint == $right.certThumbprint
// Final output: sites with restricted public access that use ASMC for custom hostname SSL bindings
| project siteName, siteId, siteResourceGroup, publicNetworkAccess, clientCertEnabled, thumbprint, certName, certId, certResourceGroup, certExpiration, canonicalName
Scenario 2: Traffic Manager Endpoint Types
For this scenario, manually review your Traffic Manager profile configurations to confirm that only “Azure Endpoints” are in use. Inspect your Traffic Manager profiles directly in the Azure portal, or use the relevant APIs, to confirm your setup meets the new requirements.
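As an added example (not part of the original post), the following ARG query lists every Traffic Manager profile endpoint whose type is not an Azure endpoint, so you can find the “nested” and “external” endpoints this scenario describes. It assumes the profile's `properties.endpoints` array follows the Traffic Manager REST API shape, where each endpoint carries a `type` such as `Microsoft.Network/trafficManagerProfiles/externalEndpoints` and a `properties.target`.

```kql
// ARG Query (added example): Traffic Manager profiles that still use endpoint types
// other than "Azure Endpoints", which ASMC will not support for creation or renewal
resources
| where type == "microsoft.network/trafficmanagerprofiles"
// The profile's public DNS name, e.g. contoso.trafficmanager.net (assumed property path)
| extend profileFqdn = tostring(properties.dnsConfig.fqdn)
// One row per endpoint defined in the profile
| mv-expand endpoint = properties.endpoints
| extend
    endpointName = tostring(endpoint.name),
    // Endpoint kind, e.g. .../azureEndpoints, .../externalEndpoints, .../nestedEndpoints
    endpointType = tolower(tostring(endpoint.type)),
    endpointTarget = tostring(endpoint.properties.target),
    endpointStatus = tostring(endpoint.properties.endpointStatus)
// Keep only endpoints that are not "Azure Endpoints"
| where endpointType !endswith "/azureendpoints"
// Select key profile and endpoint properties for output
| project profileName = name, profileId = id, resourceGroup, profileFqdn,
    endpointName, endpointType, endpointTarget, endpointStatus
| order by profileName asc
```

Any profile returned here fronts traffic through a nested or external endpoint; if a custom domain on your app points at that profile's FQDN, plan to move it to an Azure endpoint or bring your own certificate as described above.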
Scenario 3: Certificates Issued to *.trafficmanager.net Domains
This ARG query identifies App Service Managed Certificates (ASMC) that were issued to *.trafficmanager.net domains and also checks whether any web apps are currently using those certificates for custom domain SSL bindings. Copy the query, paste it into Azure Resource Graph Explorer, and click “Run query” to view the results for your environment.
// ARG Query: Identify App Service Managed Certificates (ASMC) issued to *.trafficmanager.net domains
// Also checks if any web apps are currently using those certificates for custom domain SSL bindings
resources
| where type == "microsoft.web/certificates"
// Extract the certificate thumbprint and canonicalName (ASMCs have a canonicalName property)
| extend
    certThumbprint = tostring(properties.thumbprint),
    canonicalName = tostring(properties.canonicalName) // Only ASMC uses the "canonicalName" property
// Filter for certificates issued to *.trafficmanager.net domains
| where canonicalName endswith "trafficmanager.net"
// Select key certificate properties for output
| project certName = name, certId = id, certResourceGroup = tostring(properties.resourceGroup), certExpiration = properties.expirationDate, certThumbprint, canonicalName
// Join with web apps to see if any are using these certificates for SSL bindings
// (leftouter keeps certificates that are not bound to any site, with empty site columns)
| join kind=leftouter (
    resources
    | where type == "microsoft.web/sites"
    // Expand the list of SSL bindings for each site
    | mv-expand hostNameSslState = properties.hostNameSslStates
    | extend
        hostName = tostring(hostNameSslState.name),
        thumbprint = tostring(hostNameSslState.thumbprint)
    // Only consider bindings for *.trafficmanager.net custom domains with a certificate bound
    | where tolower(hostName) endswith "trafficmanager.net" and isnotempty(thumbprint)
    // Select key site properties for output
    | project siteName = name, siteId = id, siteResourceGroup = resourceGroup, thumbprint
) on $left.certThumbprint == $right.thumbprint
// Final output: ASMCs for *.trafficmanager.net domains and any web apps using them
| project certName, certId, certResourceGroup, certExpiration, canonicalName, siteName, siteId, siteResourceGroup
Ongoing Updates
We will continue to update this post with any new queries or important changes as they become available. Be sure to check back for the latest information.
Note on Comments
We hope this information helps you navigate the upcoming changes. To keep this post clear and focused, comments are closed.
If you have questions, need help, or want to share tips or alternative detection methods, please visit our official support channels or the Microsoft Q&A, where our team and the community can assist you.