Azure DNS documentation originally written by: Tony Johncock @Tony1044
*Note: If you have not yet selected a DNS API provider to host your domain with be aware that Azure DNS is currently amongst the most complex to configure for API access. You should also note that Azure Client Secrets can expire, causing your renewals to fail until you replace the key.*
- In Azure Active Directory, create an identity that will be granted permission to update your DNS zone; this can be an App registration.
- You will also need to add a Client Secret for use by this user (User > Certificates and Secrets).
- In your DNS Zone, use the Access Control (IAM) option to Add a Role Assignment (DNS Zone Contributor).
Install and connect Azure PowerShell by following the instructions here: https://docs.microsoft.com/en-us/powershell/azure/get-started-azureps
The connection step in that guide launches a web dialog to log into your Azure tenant. Make sure you connect with an account that has the relevant administrative rights in the portal.
Enter your password and complete MFA when prompted.
Once connected, create the application and service principal by running the following script:
Once this has successfully run, you need to retrieve the ApplicationID:
It returns something like the following:
Make a note of the ApplicationID.
This will have created a service principal and an underlying Azure application.
- Login to portal.azure.com from a web browser
- Click on your DNS Zone
- Click on Access Control (IAM)
- Click on (+) Add
- Role: DNS Zone Contributor
- Assign access to: Azure AD user, group or application
- Select: Type in LetsEncrypt
- Click Save
From the Azure portal, click Azure Active Directory:
- Click App Registrations
- Click LetsEncrypt
- Click Certificates & secrets
- Click Client secrets
- Click New client secret
- Type a key description, choose when it will expire (or never – your choice) and click Save. Record the expiry date: renewals will fail once the secret expires (see the note at the top of this page).
IMPORTANT: The secret is only shown at this point. Copy it now; once it is hidden there is NO way to retrieve it.
There are any number of ways to get the tenant ID, but since we’re already in PowerShell:
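The following is an added example, not part of the original documentation, showing the same procedure (create the service principal, read its ApplicationID, assign DNS Zone Contributor, create a client secret and read the tenant ID) end to end in Azure PowerShell. It assumes the Az module is installed, that Az.Resources is version 5.x or later (where the service principal objects expose `AppId` and `New-AzADAppCredential` generates a secret and returns it in `SecretText`), and that the `$resourceGroup` and `$zoneName` placeholders are replaced with your own values.

```powershell
# Added example (not from the original documentation): Azure PowerShell equivalent of the
# portal steps. Assumes Az.Resources 5.x or later; placeholders below must be replaced.

$spName        = "LetsEncrypt"            # display name used in the portal steps above
$resourceGroup = "<your-resource-group>"  # placeholder: resource group that holds the zone
$zoneName      = "yourdomain.com"         # DNS zone name; this is also the "Zone Id" the app asks for

# 1. Sign in (opens the web login dialog; complete MFA when prompted).
Connect-AzAccount | Out-Null
$context = Get-AzContext

# 2. Create the service principal and its underlying application, or reuse an existing one
#    with the same display name so re-running the script does not create duplicates.
$sp = Get-AzADServicePrincipal -DisplayName $spName
if (-not $sp) {
    $sp = New-AzADServicePrincipal -DisplayName $spName
}
$appId = $sp.AppId   # property is named ApplicationId in older Az.Resources versions
Write-Host "ApplicationID: $appId"

# 3. Grant DNS Zone Contributor scoped to this single zone only (least privilege: the
#    credential can edit records in this zone but nothing else in the subscription).
$zoneScope = "/subscriptions/$($context.Subscription.Id)/resourceGroups/$resourceGroup" +
             "/providers/Microsoft.Network/dnszones/$zoneName"
$existing = Get-AzRoleAssignment -ServicePrincipalName $appId -Scope $zoneScope `
                -RoleDefinitionName "DNS Zone Contributor" -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "DNS Zone Contributor" `
                -Scope $zoneScope | Out-Null
}

# 4. Create a client secret with an explicit expiry and record the date: renewals stop
#    working once it expires, so the date belongs in your rotation calendar.
$expiry = (Get-Date).AddMonths(12)
$cred   = New-AzADAppCredential -ApplicationId $appId -EndDate $expiry
Write-Host "Client secret (shown once, store it now): $($cred.SecretText)"
Write-Host "Secret expires: $expiry"

# 5. Tenant ID (and subscription ID) from the current context.
Write-Host "Tenant ID:       $($context.Tenant.Id)"
Write-Host "Subscription ID: $($context.Subscription.Id)"
```

If the role assignment fails with a "principal not found" error immediately after the service principal is created, the new identity has not finished replicating yet; wait a few seconds and re-run the script, which will reuse the existing principal. Scoping the assignment to the zone resource ID rather than the resource group or subscription keeps the blast radius of a leaked client secret to record changes in that one zone.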
You now have all the information you require to configure Azure settings in the app.
You can add this as a new Stored Credential under Settings, or while you are editing a Managed Certificate, under Authorization > DNS.
When using the credential as part of DNS validation in the app you will be prompted for the "Zone Id"; for Azure DNS this is the DNS zone name, usually in the form "yourdomain.com".