App Service Managed Certificates fail silently when the custom-domain binding isn't complete.
The portal shows "pending" forever while your client's app serves the *.azurewebsites.net wildcard.
Azure agencies running App Service, Static Web Apps, and the Front Door + Application Gateway pattern deal with App Service Managed Certificates that silently fail when the domain binding isn't complete, Static Web Apps _dnsauth TXT records that agencies strip during DNS migration off Azure DNS, and Front Door + App Gateway tier mismatches where the visible front cert masks an expired App Gateway cert behind it. Merlonix monitors every Azure-attached subdomain so the silent fallback to the *.azurewebsites.net wildcard surfaces before clients see cert warnings.
No credit card for the trial. Cancel any time.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- Independent DNS resolvers: 3
- Vendors watched: 11
Where Azure agencies get caught out
Three failure modes specific to Azure deployments with App Service Managed Certificates, Static Web Apps _dnsauth TXT records, and multi-tier Front Door + Application Gateway TLS termination.
Azure agencies deal with App Service Managed Certificate provisioning silently failing when the custom-domain binding isn't fully ready (the portal eventually shows the cert resource created but the binding stays Disabled and the app serves the *.azurewebsites.net wildcard), Static Web Apps _dnsauth TXT records that get stripped during DNS migration off Azure DNS to Cloudflare and break the next cert renewal silently, and Front Door + Application Gateway multi-tier termination where the visible Front Door cert renews on schedule but the App Gateway cert behind it expires and breaks SDK clients hitting the gateway endpoint directly.
App Service Managed Certificates require the custom-domain binding to be fully configured (asuid TXT verified, A or CNAME pointing at the App Service, hostname binding showing SNI SSL state) BEFORE the managed cert can be issued. Agencies that try to provision the cert during the same change window in which the domain is being added see the cert request stuck in "Pending Issuance" — Azure Portal eventually marks it provisioned but the cert never actually issues. App Service silently falls back to the *.azurewebsites.net wildcard, which browsers reject with cert-mismatch warnings.
An Azure agency adds a new custom domain to a client App Service and provisions an App Service Managed Certificate in the same change window. The asuid TXT record is added but DNS propagation hasn't completed when the agency clicks "Create App Service Managed Certificate." The cert request goes to "Pending Issuance" — Azure tries the validation, fails, but doesn't surface the failure prominently. The portal eventually shows the cert resource as created but the binding state on the custom hostname remains "Disabled." The app serves the *.azurewebsites.net wildcard cert when requests come in for the custom domain; browsers throw cert-mismatch warnings. Discovery happens when a customer reports the warning.
An Azure agency builds a client B2B SaaS on App Service (Premium plan) and configures app.client.com as a new custom hostname. The agency engineer adds the asuid.app.client.com TXT record to the client's DNS provider and the A record pointing at the App Service. The asuid validation passes — App Service binds the custom domain. The engineer immediately clicks "Add binding → App Service Managed Certificate" in the portal to issue a free managed cert. The cert request goes to Azure's managed-cert backend, which runs a further validation against the bound hostname. That validation needs the DNS records to fully propagate to multiple Azure-region resolvers and the App Service backend to confirm the hostname is fully active. If any part of that chain isn't ready (TTL not expired on the previous DNS state, App Service custom domain still in a transition state), the validation fails. Azure doesn't surface the failure prominently — the cert resource shows as "Created" in some views and "Pending Issuance" in others. The custom hostname remains in the "Disabled" binding state. App Service falls back to serving the *.azurewebsites.net wildcard for any request with Host: app.client.com. Browsers receive a cert valid for *.azurewebsites.net when they requested app.client.com and throw a NET::ERR_CERT_COMMON_NAME_INVALID warning. The agency engineer assumes the cert was issued (because the portal said "Create App Service Managed Certificate" succeeded) and only discovers the failure when a customer reports the warning. Re-issuing the cert from the portal works because by then DNS has propagated and the App Service backend is fully ready — but the silent failure window was hours to days.
Azure Static Web Apps managed certificates require an ongoing _dnsauth.<host> TXT record for renewal validation — different from the asuid pattern App Service uses. The TXT record stays in the DNS zone for the life of the cert. When agencies migrate DNS off Azure DNS to Cloudflare or another provider (for WAF rules, cost savings, or vendor consolidation), the _dnsauth TXT records look like setup noise and get deleted during zone cleanup. The initial cert continues to work because Static Web Apps caches it; the next renewal ~90 days later silently fails.
An Azure agency operates a client product on Static Web Apps with a custom domain at app.client.com. DNS is on Azure DNS. The client requests adding Cloudflare in front for WAF rules and DDoS protection. The agency exports the Azure DNS zone, imports the records into Cloudflare, and updates the registrar nameservers. The export captures A, CNAME, MX, and TXT records — but the agency engineer reviewing the Cloudflare import deletes the _dnsauth.app.client.com TXT record because it looks like leftover setup noise that doesn't serve any obvious purpose. The migration completes. Two months later, Static Web Apps cert renewal validation runs, queries the _dnsauth TXT record, finds nothing, and fails silently.
An Azure agency builds a client marketing site on Azure Static Web Apps at app.client.com. The Static Web Apps managed cert was provisioned during the initial setup — the cert request requires both an apex A record (or CNAME for subdomains) AND a _dnsauth.<host> TXT record to validate domain ownership. Both were added to Azure DNS at the time. The site has been running for 5 months. The client requests Cloudflare in front of the site for bot mitigation and a different caching tier. The agency exports the Azure DNS zone via PowerShell (Get-AzDnsRecordSet), formats it for Cloudflare's zone import, and uploads. The Cloudflare zone import preserves A and CNAME records but the agency engineer reviewing the imported zone deletes the _dnsauth.app.client.com TXT record because it looks like setup noise. The migration completes. The site continues to work because Static Web Apps cached the cert. 60 days later, Static Web Apps' cert renewal flow runs — it queries _dnsauth.app.client.com expecting a specific token, gets NXDOMAIN, and silently fails. The current cert is still valid for ~30 more days. Another 30 days pass before the cert expires. The site starts serving an expired cert; the next deploy triggers Static Web Apps' fallback to a platform default cert that doesn't match app.client.com. Browsers throw cert errors. The agency engineer doesn't connect the Cloudflare migration to the cert expiry for hours; re-creating the _dnsauth record at Cloudflare and re-triggering cert provisioning requires a fresh validation token, which means downtime is extended while the new token propagates.
Azure Front Door + Application Gateway is a common multi-tier pattern — Front Door provides global CDN and DDoS protection at the edge, App Gateway provides regional WAF rules and HTTPS-to-backend termination. BOTH terminate TLS independently and BOTH have their own certs that renew on independent schedules. Agencies renew the Front Door cert (the most visible one — it's the public endpoint) but forget the App Gateway cert behind it. Public web traffic continues to work because Front Door masks the issue. SDK clients hitting the gateway directly (mobile apps, internal automation, third-party integrations using the regional endpoint) fail with cert errors.
An Azure agency builds a client SaaS with Front Door at app.client.com (global edge) routing to Application Gateway at gateway.client.com (regional WAF + HTTPS termination), which routes to App Service behind it. Both Front Door and App Gateway have their own custom-domain certs on independent renewal schedules. The agency renews the Front Door cert at month 11 (it's the most visible — it's where Azure Portal alerts appear) but forgets the App Gateway cert, which is on a separate Azure-managed renewal schedule. The App Gateway cert expires; Front Door continues to terminate user TLS and re-handshake to App Gateway internally — but internal failures aren't surfaced to end users. Mobile SDK clients with the gateway.client.com endpoint baked into the app start failing with cert errors. The agency only discovers the issue when a mobile-app customer reports SDK errors.
An Azure agency builds a client B2B SaaS with a multi-tier TLS termination pattern: Azure Front Door at app.client.com handles global routing and DDoS protection at the edge, Azure Application Gateway at gateway.client.com (in West US 2) handles regional WAF rules and TLS termination to the backend, and Azure App Service at api-eastus2.client.azurewebsites.net is the eventual backend. Front Door uses a Front Door Managed Certificate for app.client.com (managed by Azure, auto-renews ~30 days before expiry). Application Gateway uses a Key Vault-stored cert for gateway.client.com (managed by Azure, but via a separate Azure-managed certificate resource attached to the App Gateway HTTPS listener). The renewal schedules drift over time because each cert was issued at a different point during initial setup. At month 11, the Front Door cert renews automatically — Azure surfaces the renewal in the Front Door monitoring blade. The agency engineer confirms via the Azure Portal that the Front Door cert is valid for another year. The App Gateway cert was provisioned 8 days earlier than the Front Door cert and is closer to expiry; Azure's auto-renewal for the App Gateway cert requires the Key Vault rotation policy to be configured, which the agency set up but never tested. The Key Vault rotation policy fails at month 12 (the original setup had a stale Service Principal credential). The App Gateway cert expires. Front Door continues to terminate user TLS at app.client.com using its own cert (still valid). The re-handshake from Front Door to App Gateway happens internally; Front Door doesn't validate the App Gateway cert chain by default. Web traffic to app.client.com continues to work. But the client has a mobile app SDK that talks directly to gateway.client.com (bypassing Front Door for low-latency internal calls); the SDK starts failing with cert errors. The agency only discovers the issue when a mobile-app customer reports the SDK is broken; tracing it back through Front Door logs (which show happy traffic) takes hours.
How it works
SSL and DNS monitoring for Azure agencies across App Service Managed Certificate binding races, Static Web Apps _dnsauth TXT renewal validation, and Front Door + Application Gateway multi-tier TLS termination.
Merlonix monitors SSL expiry and DNS integrity across every Azure-attached subdomain — app.* (Front Door or Static Web Apps), api.* (App Service), gateway.* (Application Gateway) — and catches App Service Managed Certificate binding races where the cert resource exists but the hostname falls back to the *.azurewebsites.net wildcard, Static Web Apps cert renewal failures after _dnsauth TXT records are stripped during DNS migration to Cloudflare, and Front Door + Application Gateway tier mismatches where the visible front cert masks an expired App Gateway cert behind it — before SDK clients hitting the gateway endpoint directly start failing.
01. Add Azure application domains — apex, www.*, app.*, api.*, gateway.* — with DNS TXT verification that catches App Service Managed Certificate binding races and Static Web Apps _dnsauth TXT stripping
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — app.* (Front Door or Static Web Apps), api.* (App Service), gateway.* (Application Gateway), and any per-region App Service slot endpoints — are added without additional verification. Monitoring every Azure-attached subdomain catches the App Service Managed Certificate binding race where the cert resource exists but the binding silently stays Disabled (the wildcard fallback is detected because the served cert CN/SAN won't match the configured hostname) and the Static Web Apps _dnsauth TXT stripping (an active monitoring layer watches for the TXT record during the cert's renewal window). Under two minutes per client.
02. CNAME, A, and TXT record monitoring across Azure DNS, Cloudflare, and asuid/_dnsauth validation records that break silently when zones are migrated between providers
Three independent DNS resolvers check every CNAME delegation, A record, and validation TXT record on every monitoring interval. When a client moves DNS off Azure DNS to Cloudflare or another provider, the migration is logged immediately — and any missing asuid.<host> or _dnsauth.<host> TXT records that the zone-import cleanup may have removed are surfaced as drift events. The cert renewal failure two months later has a clear root cause from the audit log rather than appearing as a mysterious "Static Web Apps cert expired" event with no obvious trigger.
03. SSL monitoring 30 days before expiry across App Service Managed Certificates, Static Web Apps managed certs, Front Door Managed Certificates, and Application Gateway Key Vault-backed certs that renew on independent schedules
Full SSL chain validation on every Azure-attached subdomain — apex, app.*, api.*, gateway.*. Independent per-tier checks catch the Front Door + Application Gateway tier mismatch pattern where the visible Front Door cert renews on schedule but the App Gateway cert behind it silently expires because the Key Vault rotation policy has a stale Service Principal credential. App Service Managed Certificate binding state is verified by comparing the served cert's CN/SAN to the bound hostname — a wildcard fallback is detected within the first check cycle rather than waiting for a customer to report a browser warning. An expiry alert fires 30 days before any cert expires, with separate alerts per Azure-managed cert resource so the Front Door cert and the App Gateway cert behind it can't mask each other.
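As an added example (not code from the page or from Merlonix), this stdlib-only Python check implements the two per-tier tests described above: it compares the served cert's SAN list to the requested hostname to catch the *.azurewebsites.net wildcard fallback, and it classifies expiry per tier so a healthy front cert cannot mask the gateway cert behind it. The hostnames app.client.com, gateway.client.com and api.client.com are this page's hypothetical deployment, not real endpoints; DNS/_dnsauth checks are out of scope here.

```python
from datetime import datetime, timezone
import socket
import ssl

WARN_DAYS = 30
# Constructed tier list for the hypothetical client.com deployment described above.
TIERS = ["app.client.com", "gateway.client.com", "api.client.com"]

def hostname_matches(hostname, san_names):
    """RFC 6125-style match: exact name, or a wildcard covering exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        san = name.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # "*.azurewebsites.net" -> ".azurewebsites.net"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False

def parse_not_after(cert_time):
    """Convert the ssl module's notAfter string ('Jun  1 12:00:00 2025 GMT') to aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def classify(hostname, san_names, not_after, now=None, warn_days=WARN_DAYS):
    """Status of the leaf cert a tier served; not_after is a timezone-aware datetime."""
    now = now or datetime.now(timezone.utc)
    if not hostname_matches(hostname, san_names):
        if any(n.lower() == "*.azurewebsites.net" for n in san_names):
            return "WILDCARD_FALLBACK"  # binding race: the managed cert never bound
        return "NAME_MISMATCH"
    days_left = (not_after - now).days
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return f"EXPIRING_{days_left}d"
    return "OK"

def check_tier(hostname, port=443, timeout=5.0):
    """Handshake with SNI and classify what this tier really serves. Chain trust is
    still verified; name matching is left to classify() so a mismatched cert is
    inspected instead of raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # an expired gateway leaf lands here
        return f"CHAIN_INVALID: {exc.verify_message}"
    except OSError as exc:
        return f"UNREACHABLE: {exc}"
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return classify(hostname, sans, parse_not_after(cert["notAfter"]))

if __name__ == "__main__":
    for tier in TIERS:  # checked independently, so the front cert cannot mask the gateway
        print(f"{tier:20} {check_tier(tier)}")
```

Run it on a schedule per client and alert on anything other than OK; an expired gateway leaf surfaces as CHAIN_INVALID because chain verification rejects it before the SAN comparison runs.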
04. Vendor status for Azure (per-region status pages — East US 2, West US 2, North Europe), App Service, Static Web Apps, Front Door, Application Gateway, and Azure DNS to distinguish Azure regional incidents from per-tenant SSL configuration failures
Merlonix monitors Azure's per-region status pages, App Service, Static Web Apps, Front Door, Application Gateway, and Azure DNS alongside client SSL and DNS. When an East US 2 Azure Front Door regional incident causes cert provisioning failures across multiple client tenants simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is an Azure regional outage, an App Service Managed Certificate binding race from a recent custom-domain addition, or DNS migration that stripped _dnsauth TXT records.
What the numbers mean for Azure agencies
Monitoring built for Azure agencies where one client product means a Front Door distribution at app.* (Front Door Managed Certificate), an Application Gateway at gateway.* (Key Vault-backed cert behind the App Gateway HTTPS listener), and an App Service at api.* (App Service Managed Certificate) — each with independent cert lifecycles and independent failure modes.
Azure agencies managing App Service Managed Certificate binding across multi-domain deployments, Static Web Apps _dnsauth TXT renewal validation across multi-CMS frontends, and Front Door + Application Gateway multi-tier TLS termination across multi-region backends need monitoring that covers every Azure-attached subdomain — because an App Service Managed Certificate binding race is silent (the wildcard fallback only surfaces when a customer reports a browser warning), and the Front Door + App Gateway tier mismatch only surfaces when an SDK client hitting the gateway endpoint directly starts failing.
- < 10 min: Time from DNS change to alert — catches Azure DNS to Cloudflare migrations that strip _dnsauth TXT records, App Service Managed Certificate binding-state changes that flip a hostname from active to disabled (silent wildcard fallback), and Application Gateway HTTPS listener cert rotations that fail because the Key Vault rotation policy has a stale Service Principal credential.
- 30 days: SSL expiry warning lead time — enough time to identify a Front Door + Application Gateway tier mismatch (the visible Front Door cert renewed on schedule but the App Gateway cert behind it is days from expiry), a Static Web Apps cert renewal failure caused by a missing _dnsauth TXT record, or an App Service Managed Certificate binding race that left the hostname serving the *.azurewebsites.net wildcard — and correct it before SDK clients hitting the gateway endpoint directly start failing.
- 11 vendors: Upstream services monitored — Azure per-region status pages (East US 2, West US 2, North Europe), App Service, Static Web Apps, Front Door, Application Gateway, and Azure DNS, included to distinguish Azure regional incidents from per-tenant SSL configuration failures.
- 200 assets: Maximum monitored domains on the Agency plan — covers Azure app.* (Front Door or Static Web Apps), api.* (App Service), gateway.* (Application Gateway), plus per-slot App Service staging endpoints across a full Azure client portfolio.
Pricing
Flat monthly fee. Every Azure region, every Front Door endpoint, every Application Gateway HTTPS listener included.
No per-region charges. No per-listener fees. Pick the tier that fits your Azure client and per-tier cert count and monitor every App Service, Static Web Apps, Front Door, and Application Gateway SSL surface without billing surprises.
Starter
For individual Azure developers managing a small client portfolio with single-region App Service deployments and Static Web Apps custom domains.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Azure agencies managing multi-tier App Service + Application Gateway deployments with separate App Service Managed Certs, Static Web Apps managed certs, and App Gateway HTTPS listener certs.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Azure client roster including multi-region App Service slots, multi-distribution Front Door endpoints, and per-tenant Application Gateway HTTPS listeners.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when an App Service Managed Certificate has silently fallen back to the *.azurewebsites.net wildcard before a customer reports the browser warning.
Add your first Azure client domain in under two minutes. App Service, Static Web Apps, Front Door, and Application Gateway SSL across every region for that client are monitored from the same dashboard. 14-day trial, no card required.