Custom Domains and Certificates
Azure Function Apps support custom domains similarly to Azure App Service. On the Consumption and Flex Consumption plans, custom domain mapping supports CNAME records only.
Architecture
flowchart TD
CLIENT[Client] --> DNS[Public DNS]
DNS --> CNAME[CNAME or A record]
DNS --> TXT[TXT asuid verification]
CNAME --> FA[Function App]
flowchart TD
C[Client HTTPS Request] --> DOMAIN[Custom Domain]
DOMAIN --> TLS[TLS Certificate Binding]
TLS --> FA[Function App]
FA --> REDIRECT[HTTP to HTTPS Redirect]
Prerequisites
- An Azure Function App deployed and running.
- DNS zone control for your domain (for TXT and CNAME/A record creation).
- Premium or Dedicated plan recommended for broader custom domain options.
- Azure CLI authenticated with permissions for the resource group.
Note: Consumption and Flex Consumption plans support CNAME-based custom domains; root/apex domain scenarios typically require plan and DNS provider capabilities that support A/ALIAS-style mapping.
Configure Custom Domain
- Get the custom domain verification ID used for TXT validation:
az functionapp show \
--name $APP_NAME \
--resource-group $RG \
--query customDomainVerificationId \
--output tsv
| CLI element | Explanation |
| Command(s) | az functionapp show |
| Key flags | --name, --resource-group, --query, --output |
| Variables | $APP_NAME, $RG |
| Expected result | Azure CLI returns the requested resource data; verify names, IDs, status fields, or metric values match the scenario. |
-
Add DNS records at your DNS provider:
- TXT record:
asuid.<subdomain> with the verification ID from step 1 - CNAME record for subdomain mapping (or A record where supported by plan and DNS scenario)
-
Add the hostname to the Function App:
az functionapp config hostname add \
--name $APP_NAME \
--resource-group $RG \
--hostname api.contoso.com
| CLI element | Explanation |
| Command(s) | az functionapp config hostname add |
| Key flags | --name, --resource-group, --hostname |
| Variables | $APP_NAME, $RG |
| Expected result | Azure CLI applies the configuration change; confirm the returned JSON or follow-up query shows the expected value. |
Create Managed Certificate
Create and bind an App Service managed certificate to the custom domain:
az functionapp config ssl create \
--resource-group $RG \
--name $APP_NAME \
--hostname api.contoso.com
az functionapp config ssl bind \
--resource-group $RG \
--name $APP_NAME \
--certificate-thumbprint <thumbprint> \
--ssl-type SNI
| CLI element | Explanation |
| Command(s) | az functionapp config ssl create, az functionapp config ssl bind |
| Key flags | --resource-group, --name, --hostname, --certificate-thumbprint, --ssl-type |
| Variables | $RG, $APP_NAME |
| Expected result | Azure CLI returns provisioning details; confirm the resource name and successful provisioning state before continuing. |
Enforce HTTPS
az functionapp update \
--resource-group $RG \
--name $APP_NAME \
--set httpsOnly=true
| CLI element | Explanation |
| Command(s) | az functionapp update |
| Key flags | --resource-group, --name, --set |
| Variables | $RG, $APP_NAME |
| Expected result | Azure CLI applies the configuration change; confirm the returned JSON or follow-up query shows the expected value. |
Plan Limitations
| Feature | Consumption | Flex Consumption | Premium | Dedicated |
| Custom domain | CNAME only | CNAME only | Full (A + CNAME) | Full |
| Managed certificate | Yes | No | Yes | Yes |
| IP-based SSL | No | No | Yes | Yes |
Flex Consumption certificate limitations
Certificate features such as loading certificates via WEBSITE_LOAD_CERTIFICATES, managed certificates, App Service certificates, and endToEndEncryptionEnabled are not currently supported in Flex Consumption.
Verification
- Confirm hostname binding:
az functionapp config hostname list \
--webapp-name $APP_NAME \
--resource-group $RG
| CLI element | Explanation |
| Command(s) | az functionapp config hostname list |
| Key flags | --webapp-name, --resource-group |
| Variables | $APP_NAME, $RG |
| Expected result | Azure CLI applies the configuration change; confirm the returned JSON or follow-up query shows the expected value. |
- Confirm HTTPS-only is enabled:
az functionapp show \
--name $APP_NAME \
--resource-group $RG \
--query httpsOnly
| CLI element | Explanation |
| Command(s) | az functionapp show |
| Key flags | --name, --resource-group, --query |
| Variables | $APP_NAME, $RG |
| Expected result | Azure CLI returns the requested resource data; verify names, IDs, status fields, or metric values match the scenario. |
- Validate TLS in browser or with curl:
curl --head https://api.contoso.com
Troubleshooting
| Symptom | Cause | Fix |
| Domain verification fails | Missing or incorrect asuid TXT record | Recheck TXT record name and value; wait for DNS propagation |
| Hostname cannot be added | DNS record does not point to Function App | Validate CNAME/A mapping and retry |
| TLS certificate not issued | Domain not fully validated | Confirm hostname binding and DNS resolution first |
| HTTP still accessible | HTTPS-only not enabled | Run az functionapp update --set httpsOnly=true |
See Also
Sources