How to Fix Azure Front Door Wildcard Domain Revalidation Failure: Step-by-Step Guide
All wildcard-mapped sites are down. Nothing changed in the configuration. The Azure DNS zone looks correct. Yet the domain state shows Pending Revalidation or Rejected. Here is exactly what is happening, why it is happening, and the step-by-step procedure to bring everything back up.
Domain Validation States — What Each One Means
Before starting the fix, confirm which state your wildcard domain is showing in the Azure Front Door portal. The state determines which recovery path to take.
| State | What It Means | What To Do |
|---|---|---|
| Approved | Domain ownership verified. Certificate active. All is well. | Nothing — this is the target state you are working toward. |
| Pending | Domain was just added; AFD is waiting for the initial TXT record to appear in DNS. | Add the _dnsauth TXT record with the value shown in the portal. |
| Pending Revalidation | Certificate approaching expiry (within 45 days). Auto-rotation attempted and failed. Existing TXT token expired or not accepted. This is the state most people in this incident are seeing. | Click Regenerate to get a new token. Update DNS TXT record with the new value. Click Revalidate. Wait ~30 minutes. |
| Rejected | DigiCert has rejected the certificate reissuance request. Validation failed after the retry window. Certificate may have already expired. | Regenerate token. Update DNS. Click Revalidate. If still rejected after 30 minutes, delete and re-add the domain in AFD, then follow the full validation flow from scratch. |
| Internal Error | A platform-side issue on Microsoft's infrastructure prevented validation from completing. | Click Revalidate. If no improvement in 1 hour, open a P1 support ticket with Microsoft — this requires backend investigation. |
The Fix: Regenerate Token → Update DNS → Revalidate
This is the fastest path to getting your wildcard sites back up. Work through these steps in order. The entire procedure takes under 30 minutes once the new TXT record is in DNS.
Open your Front Door profile and locate the wildcard domain
Sign in to the Azure portal. Navigate to Front Door and CDN Profiles. Open your Front Door Standard or Premium profile. In the left navigation, select Domains. Locate your wildcard domain (e.g. *.example.com). The Validation state column will show Pending revalidation or Rejected. Click on the domain row to open the domain details pane.
Regenerate the validation token — this is the critical step
In the domain details pane, click the Validation state link (it will say "Pending revalidation" or show a warning icon). A panel opens titled Validate custom domain ownership. You will see the current expected TXT record information. Look for the Regenerate button and click it. This generates a brand-new validation token on Microsoft's side and syncs it with DigiCert's validation platform. The old token — even if it is still in your DNS — is now invalidated. You must update your DNS with this new value.
If you do not see a Regenerate button, look for a Revalidate button instead. In some portal versions the Revalidate button both regenerates and triggers validation simultaneously. If neither button is visible, proceed to the CLI/PowerShell method in the alternative steps below.
Copy the new TXT record name and value — exactly as shown
After regenerating, the portal displays the TXT record details. Copy both values precisely:
Record name: _dnsauth (for a wildcard domain *.example.com, the full record name is _dnsauth.example.com)
Record value: A long alphanumeric string — for example 0000000000000000000000000000000000000000000000000000000000000000. This is unique and time-sensitive. Do not use the old value from your DNS. Do not approximate or retype — copy it exactly from the portal.
The token expires after 7 days. If you do not update DNS and complete revalidation within 7 days of clicking Regenerate, you will need to regenerate again.
Update the _dnsauth TXT record in your Azure DNS Zone with the new value
Navigate to DNS Zones in the Azure portal. Open your domain's DNS zone (e.g. example.com). Find the existing TXT record named _dnsauth. Click it to open the record. Delete the old value entirely and replace it with the new token value you copied in Step 3. Click Save.
If you are using a non-Azure DNS provider, log into your DNS provider's management interface and update the _dnsauth.yourdomain.com TXT record value there instead. The record type is TXT, the TTL should be 3600 (1 hour) or less, and the value is the new token string.
Verify the new TXT record is publicly resolving before triggering revalidation
Before clicking Revalidate, confirm the updated TXT record is resolving from public DNS — not just from your local network. Use one of these methods:
# Replace example.com with your actual domain. 8.8.8.8 = Google DNS (public resolver)
# macOS / Linux — dig dig +short TXT _dnsauth.example.com @8.8.8.8
# Azure Cloud Shell — resolve-dnsname Resolve-DnsName -Name _dnsauth.example.com -Type TXT -Server 8.8.8.8
# Expected output: the new token value from the Azure portal # If the old value appears, DNS has not yet propagated — wait 5-10 minutes and retry # If empty, the record update has not saved correctly — go back and check Step 4
Trigger revalidation in the portal once DNS is confirmed propagated
Return to your Front Door profile → Domains → click the wildcard domain. In the domain details pane, click Revalidate (or click the Validation state link and then Revalidate). This tells Azure Front Door to immediately attempt domain ownership validation using the new TXT record. Azure passes the check to DigiCert, which queries _dnsauth.example.com from multiple geographic vantage points (MPIC), finds the new token value, and approves the validation.
The validation state should change from Pending revalidation to Approved within 10–30 minutes. After approval, Azure Front Door initiates certificate issuance. Certificate propagation to all edge locations takes a further 5–30 minutes. Your wildcard sites will come back online as the certificate propagates.
Verify domain is Approved and certificate is active
Navigate back to Domains in your Front Door profile. Confirm the wildcard domain shows Approved in the Validation state column and Provisioned in the Certificate state column. Test one of your affected wildcard sites by opening it in a browser and checking the padlock icon — the certificate should show as valid and issued to *.example.com. If you see "Certificate error" or "Not secure", wait a further 10–15 minutes for edge propagation and test again from a different browser or device (to avoid local certificate cache).
Triggering Revalidation via CLI or PowerShell
If the Revalidate button is not visible in the portal, or you need to automate this across multiple domains, use the Azure CLI or PowerShell to trigger domain validation via an empty PATCH request to the domain API.
RESOURCE_GROUP="your-resource-group"
PROFILE_NAME="your-frontdoor-profile-name"
DOMAIN_NAME="example.com" # For wildcard *.example.com use: example.com
# Trigger revalidation — empty PATCH request to the custom domain resource az rest \
--method PATCH \
--url "https://management.azure.com/subscriptions/${SUBSCRIPTION}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.Cdn/profiles/${PROFILE_NAME}/customDomains/${DOMAIN_NAME}?api-version=2023-05-01" \
--body "{}" \
--headers "Content-Type=application/json"
# Check domain validation state after triggering az afd custom-domain show \
--resource-group $RESOURCE_GROUP \
--profile-name $PROFILE_NAME \
--custom-domain-name $DOMAIN_NAME \
--query "{ValidationState:domainValidationState, CertState:tlsSettings.certificateType}" \
--output table
$zoneName = "example.com"
$newTokenValue = "paste-the-new-token-from-azure-portal-here"
# Remove the old TXT record set Remove-AzDnsRecordSet -RecordType TXT -Name "_dnsauth" -ZoneName $zoneName -ResourceGroupName $resourceGroup
# Create a new TXT record set with the new token value $records = @()
$records += New-AzDnsRecordConfig -Value $newTokenValue
New-AzDnsRecordSet -RecordType TXT -Name "_dnsauth" -ZoneName $zoneName `
-ResourceGroupName $resourceGroup -Ttl 3600 -DnsRecords $records
# Verify the record was set correctly Resolve-DnsName -Name "_dnsauth.$zoneName" -Type TXT -Server 8.8.8.8
Escalation Steps — If Revalidation Does Not Clear Within 1 Hour
In most cases, Regenerate → Update DNS → Revalidate resolves the issue within 30 minutes. If the domain is still in Pending Revalidation or Rejected state after 1 hour, and you have confirmed the DNS TXT record is resolving with the correct new value, escalate through these steps in order.
Option A: Delete and Re-Add the Wildcard Domain
This is a disruptive but effective reset. Removing and re-adding the domain generates a completely fresh validation state and a new token. The domain will be unassociated from its routes temporarily during the process — if your sites are already down, the downtime impact is the same.
Note all current route associations before deleting
Before removing the domain, go to Front Door Manager → Endpoints and record which routes are associated with *.example.com. You will need to re-associate them after re-adding the domain. Take a screenshot or note down: endpoint name, route name, origin group, and path patterns.
Disassociate the domain from all routes, then delete it
In the Domains list, click the wildcard domain. If it shows any associated routes, click Disassociate for each one. Once all routes are disassociated, click Delete to remove the domain from the Front Door profile. Confirm the deletion when prompted.
Re-add the wildcard domain and get the fresh token
Click Add in the Domains pane. Enter your wildcard domain (e.g. *.example.com). Select Azure managed certificate. After saving, a new validation token is generated. Copy this fresh token, update your DNS TXT record (_dnsauth.example.com) with this new value, and wait for DNS propagation. Once the TXT record is resolving with the new value, the domain validation should automatically proceed to Approved within a few minutes.
Re-associate routes and verify HTTPS
Once the domain shows Approved, re-associate it with the routes you noted in Step 1. Select the domain → click Associate endpoint and routes → select the appropriate endpoint and route(s). After association, allow 5–15 minutes for the certificate to propagate and test your wildcard sites.
How to Prevent This Recurring — and the Permanent Fix for Wildcard Domains
Once you have resolved the immediate outage, you need to address the underlying situation. Azure Front Door managed certificates are not available for wildcard domains — this is by design, and the auto-revalidation issue is a consequence of using managed certificate renewal patterns that were designed for non-wildcard domains. Wildcard domains require either TXT-record-based validation (which you have just done) or switching to BYOC.
Option 1 — Keep AFD Managed Certificate with Alerts (Minimum Action)
The managed certificate will need TXT record revalidation again in the future — approximately every 45–90 days as certificates are renewed. Set up an Azure Monitor alert on your Front Door profile to notify you the moment any domain enters Pending Revalidation state, giving you days to act before certificates expire. Use the Azure Activity Log alert for the specific operation that changes domain validation state.
--name "AFD-Domain-Revalidation-Alert" \
--resource-group "your-resource-group" \
--scope "/subscriptions/your-subscription-id/resourceGroups/your-rg/providers/Microsoft.Cdn/profiles/your-afd-profile" \
--condition "category=Administrative and operationName=Microsoft.Cdn/profiles/customDomains/write" \
--action-group "/subscriptions/your-subscription-id/resourceGroups/your-rg/providers/microsoft.insights/actionGroups/your-action-group" \
--description "Alert when AFD custom domain validation state changes — check portal for Pending Revalidation"
Option 2 — Switch to BYOC (Recommended for Wildcard Domains)
The cleanest long-term solution for wildcard domains on Azure Front Door is Bring Your Own Certificate (BYOC). You manage the certificate lifecycle through your own CA or Let's Encrypt, upload it to Azure Key Vault, and Azure Front Door uses it directly. You control the renewal cadence, the CA, and the validation method. Certificate rotation in BYOC does not require domain revalidation through DigiCert's platform at all.
For wildcard certificates using Let's Encrypt (free), the certificate can be issued via DNS-01 challenge (adding a TXT record to your DNS zone) using any ACME client. The certificate has a 90-day lifetime with automated renewal. Upload the renewed certificate to Azure Key Vault and Azure Front Door will automatically detect and use the new version without any portal intervention.
Option 3 — Add a CAA Record to Speed Up Future Renewals
Azure Front Door certificates are issued by DigiCert. Some domain owners have strict CAA (Certification Authority Authorization) policies that do not explicitly allow DigiCert. If your DNS zone has a CAA record that does not list DigiCert, the certificate issuance will be blocked regardless of TXT record validation. Add the following CAA record to your DNS zone to pre-authorise DigiCert:
--resource-group "your-dns-resource-group" \
--zone-name "example.com" \
--record-set-name "@" \
--flags 0 \
--tag "issue" \
--value "digicert.com"
# Verify the CAA record was created az network dns record-set caa list --resource-group "your-dns-resource-group" --zone-name "example.com"
Key Takeaways
Related FAVRITE Articles
- Designing a Secure File Storage Architecture in Azure
- How to Configure Conditional Access for Approved Client Apps in Microsoft Entra ID
- Azure Monitor Alert Rules That Look Correct and Are Not
- Top 50 Azure Cloud Administrator Interview Questions and Answers