App Service Certificate won't sync with key vaults.

Christoffer Cena 20 Reputation points

Hi!

We have an App Service Certificate which is linked to secrets in a couple of key vaults. I've recently been informed that I needed to complete a domain ownership verification; this is when I discovered that the linked certificates were about to expire. Syncing via the portal hasn't worked; I've tried syncing all at once and one at a time. Below are the steps I've taken so far:

  1. Completed the domain ownership verification.
  2. Clicked Sync (for all), got an error message.
  3. Clicked Sync for one of the linked certificates, got a more detailed error message, indicating restricted access.
  4. Assigned Key Vault Secrets/Certificates User to the App Service service principal.
  5. Sync via portal, now the message says that the sync was successful, but still the portal says that the linked certificates are out of sync.
  6. Assigned Key Vault Secrets/Certificates Officer to the App Service SP.
  7. Same action and result as step 5.

I have no idea what to do next. Any tips?

Kind regards,

Christoffer

  1. Christoffer Cena 20 Reputation points

    I forgot step 5.5 where I rekeyed and synced afterwards.

  2. Christoffer Cena 20 Reputation points

    I added the RBAC role assignments as suggested below, and now sync worked.

  3. Josh Weigner 1 Reputation point

    I'm having the same problem, however my RBAC roles are assigned correctly, yet the updated certificate is not syncing to the KeyVault, so when I download the certificate, I am getting the old version that expires in a few days. I have rekeyed the certificate over 10 times now, it will not sync. The Sync button is also grayed out. There are no errors.



Answer accepted by question author

AI answer

The behavior matches a Key Vault access/permissions issue on the vaults that hold the App Service certificate secrets. The sync call in the portal can show "successful" at the App Service side while the underlying Key Vault access still blocks updating or reading the certificate secrets.

Use the following checks and fixes end to end:

  1. Confirm the certificate is domain-verified and renewed
  • In the App Service Certificate resource → Certificate Configuration:
    • Ensure Step 2: Verify shows the domain as verified (no Pending issuance or renewal pending due to verification).
    • If the certificate is expired or close to expiry, renew it (or recreate it) and ensure the new certificate has a later expiration date.
  2. Verify the Key Vault used by the App Service Certificate
  • In the App Service Certificate → Certificate Configuration > Step 1: Store:
    • Confirm the certificate is stored in a Key Vault (green checkmark).
    • Confirm the Key Vault is in the same subscription and resource group as the certificate.
  3. Fix Key Vault access policies for App Service certificate integration
  For each Key Vault that should receive the synced certificate:
  • Go to Key Vaults → [Your Vault] → Access policies and verify that the service principals for App Service certificates exist with the required permissions:
    1. Microsoft Azure Web Service (Microsoft.Azure.WebSites)
      • Secret permissions: Get
      • Certificate permissions: Get
    2. Azure Certificate Registration (Microsoft.Azure.CertificateRegistration)
      • Secret permissions: Get, List, Delete
      • Certificate permissions (where applicable): Get, List
  • If either entry is missing or has fewer permissions:
    1. Select Add Access Policy.
    2. Either choose the Key Vault Certificate Manager template or manually:
      • Select principal Microsoft.Azure.WebSites and Microsoft.Azure.CertificateRegistration.
      • Assign the permissions listed above.
    3. Save the changes.

If using Azure RBAC instead of access policies, ensure equivalent role assignments exist at the vault scope, for example via:

az role assignment create --role "Key Vault Secrets Officer" --assignee "f3c21649-0979-4721-ac85-b0216b2cf413" --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}

az role assignment create --role "Key Vault Certificate User" --assignee "abfa0a7c-a6b6-4736-8310-5855508787cd" --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}

(Adjust subscription, resource group, and vault name as needed.)

  4. Ensure Key Vault network access does not block Azure services
  • If the Key Vault uses private endpoints or firewall rules, make sure it allows trusted Azure services or that the App Service certificate back-end can reach the vault. A blocked data plane can prevent the secret from being updated even if permissions are correct.
  5. Force a re-sync of the App Service certificate
  Once the access policies/roles and network access are correct:
  • In the App Service Certificate blade, use Rekey and Sync → Sync to push the current certificate to all linked App Service apps and vault bindings.
  • Then, for each web app using the certificate:
    • Go to TLS/SSL Settings → Private Key Certificates (.pfx) and confirm the certificate is present.
    • Under TLS/SSL bindings, confirm the binding uses the renewed certificate. If it still shows the old one, re-bind it to the updated certificate.
  6. As a last resort: manual export/import
  If the certificate is correctly renewed and domain-verified, and the Key Vault contains the correct secret but the automatic sync to the apps still fails:
  • In the Key Vault, locate the certificate secret and download the PFX.
  • In the target App Service app → TLS/SSL Settings → Private Key Certificates (.pfx), use Upload Certificate with the PFX (password is typically blank for Azure-downloaded PFX).
  • Re-bind the custom domains to this uploaded certificate.

This bypasses the automatic App Service certificate sync, so it is recommended only as a workaround; fixing the Key Vault access policies and network configuration is preferred so that future renewals sync automatically.



1 additional answer

  1. Golla Venkata Pavani 6,085 Reputation points • Microsoft External Staff • Moderator

    Hi @Christoffer Cena

    Thank you for reaching us regarding the issue.

    Yes, you are right that after adding RBAC role assignments, sync worked.

    After completing domain ownership verification for an App Service Certificate (ASC), the linked private certificates in your App Service apps may still show as out of sync with Key Vault, even if the portal reports the Sync operation as successful. This occurs because the new certificate version is in Key Vault, but the hostname bindings in App Service have not fully updated.

    Azure automatically syncs certificate updates (renewals/rekeys) from Key Vault to App Service bindings. However, delays or permission issues can prevent immediate updates. Manual Sync forces the latest certificate to all linked App Service instances.

    Recommended Action:
    The App Service certificate resource provider needs explicit access to your Key Vault. Missing or insufficient permissions are a common cause of sync failures.

    Required service principals and permissions (use Access policies model for best compatibility with ASC):

    • Microsoft.Azure.CertificateRegistration (App ID: f3c21649-0979-4721-ac85-b0216b2cf413) → Key Vault Secrets Officer (or Secrets: Get, List, Set, Delete + Certificates: Get, List, Set, Delete)
    • Microsoft Azure Web Service / Microsoft.Azure.WebSites (abfa0a7c-a6b6-4736-8310-5855508787cd) → Secret: Get; Certificate: Get (or Key Vault Certificate User).

    Action in portal:

    • Go to your Key Vault > Access policies (or Access control (IAM) for RBAC).
    • Add/verify the two service principals above with the required permissions.
    • Save changes. Do not remove these permissions later.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "accept" if the information helped you. This will help us and others in the community as well.

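A check for the RBAC model that both answers describe, added here as an example and not part of this thread: given the parsed output of `az role assignment list`, it reports which of the two service principals quoted above still lacks a qualifying role whose scope covers the vault (direct, resource-group or subscription assignment) and builds the matching `az role assignment create` command from the thread. Assumptions: service principals appear with their app ID in `principalName`, and the vault scope and sample assignments are constructed.

```python
# Service principal app IDs quoted in the thread (Azure-wide first-party IDs).
CERT_REGISTRATION = "f3c21649-0979-4721-ac85-b0216b2cf413"  # Microsoft.Azure.CertificateRegistration
WEBSITES = "abfa0a7c-a6b6-4736-8310-5855508787cd"           # Microsoft.Azure.WebSites

# Roles that satisfy each principal, least privilege first: the first entry is the
# role the thread's az commands assign, the others are broader built-in roles.
REQUIRED = {
    CERT_REGISTRATION: ["Key Vault Secrets Officer", "Key Vault Administrator"],
    WEBSITES: ["Key Vault Certificate User", "Key Vault Certificates Officer",
               "Key Vault Administrator"],
}

def _covers(assignment_scope, vault_scope):
    """True if an assignment at `assignment_scope` is inherited by the vault
    (same resource, its resource group, or its subscription)."""
    s, v = assignment_scope.lower().rstrip("/"), vault_scope.lower().rstrip("/")
    return v == s or v.startswith(s + "/")

def missing_assignments(assignments, vault_scope):
    """Return {app_id: acceptable_roles} for principals with no qualifying role
    covering the vault. `assignments` is the parsed JSON of
    `az role assignment list --all -o json`; assumption: service principals are
    listed with their app ID in `principalName`."""
    missing = {}
    for app_id, roles in REQUIRED.items():
        if not any(a.get("principalName", "").lower() == app_id
                   and a.get("roleDefinitionName") in roles
                   and _covers(a.get("scope", ""), vault_scope)
                   for a in assignments):
            missing[app_id] = roles
    return missing

def fix_commands(missing, vault_scope):
    """Build the `az role assignment create` command (as in the thread) for each gap."""
    return [f'az role assignment create --role "{roles[0]}" --assignee "{app_id}" '
            f'--scope {vault_scope}' for app_id, roles in missing.items()]

# Constructed sample: a half-configured vault, mirroring the asker's step 4.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_SCOPE = SUB + "/resourceGroups/rg-certs/providers/Microsoft.KeyVault/vaults/kv-asc-demo"
SAMPLE = [  # shape of `az role assignment list` entries; values are constructed
    {"principalName": CERT_REGISTRATION, "roleDefinitionName": "Key Vault Secrets Officer",
     "scope": SUB + "/resourceGroups/rg-certs"},                 # inherited by the vault: OK
    {"principalName": WEBSITES, "roleDefinitionName": "Key Vault Secrets User",
     "scope": VAULT_SCOPE},                                      # right scope, wrong role
    {"principalName": WEBSITES, "roleDefinitionName": "Key Vault Certificate User",
     "scope": SUB + "/resourceGroups/rg-other"},                 # right role, wrong scope
]

if __name__ == "__main__":
    for cmd in fix_commands(missing_assignments(SAMPLE, VAULT_SCOPE), VAULT_SCOPE):
        print(cmd)
```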
