Introduction
Configuring a custom domain and binding an SSL certificate in Azure App Service should be a straightforward task. However, I recently encountered a permission-related issue when attempting to deploy and bind an SSL certificate stored in Azure Key Vault to an Azure Web App that already had VNet integration and was handling production traffic.
Even though the certificate was valid and imported correctly in Key Vault, the SSL binding failed due to an access limitation that wasn’t clearly mentioned in the error message. After researching and reviewing multiple documents, I identified the missing role assignment that fixed the issue.
In this article, I’ll walk through:
What the problem looked like
Why it happened
The Azure Role-Based Access Control (RBAC) permission that is required
The CLI command that resolved the issue
Scenario
I had:
An Azure Web App hosting a production application
A custom domain mapped to it and validated
A certificate stored in Azure Key Vault
The certificate imported into App Service through a Key Vault reference (not a manual upload)
When I attempted to bind the SSL certificate to the custom domain, the App Service failed to access the certificate from Key Vault.
The Issue
Even though my identity had access to Key Vault and the certificate existed, the App Service platform lacked the necessary permission to read and deploy certificates.
The actual certificate deployment (SSL binding) was failing because the App Service resource provider identity lacked the necessary RBAC access to interact with the certificate inside the Key Vault.
The Missing RBAC Role
The Azure Web App uses a built-in first-party identity to handle certificate operations.
This identity is represented by the following service principal:
abfa0a7c-a6b6-4736-8310-5855508787cd
This GUID is the internal App Services resource provider, and it must be granted access to Key Vault with the following role:
Key Vault Certificate User
Without this role, the App Service can detect the Key Vault certificate but cannot deploy or bind it to the custom domain.
Assign the Required Role
To resolve the issue, I ran the following Azure CLI command:
az role assignment create \
--role "Key Vault Certificate User" \
--assignee "abfa0a7c-a6b6-4736-8310-5855508787cd" \
--scope "/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}"
{subscription-id} - Your Azure subscription ID
{resource-group-name} - Resource group containing the Key Vault
{key-vault-name} - The name of your Key Vault
When importing certificates from Key Vault into App Service, Azure doesn't copy the certificate; it keeps a reference to the certificate that stays in Key Vault.
After running the command, open the Key Vault's Access control (IAM) blade. The Key Vault Certificate User role now appears assigned to the service principal Microsoft Azure App Service (abfa0a7c-a6b6-4736-8310-5855508787cd).
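The same grant as a script that also checks before and after, so the command is safe to rerun and the portal check becomes unnecessary. This is an added example, not code from the original post; it assumes the az CLI is installed and logged in, and that the vault uses the Azure RBAC permission model (the role has no effect on a vault that still uses access policies).

```shell
#!/bin/sh
# Added example, not from the original post: grant the App Service resource
# provider identity "Key Vault Certificate User" on a vault only if it is not
# already assigned, then verify the assignment with the same CLI.
# Assumes: az CLI installed and logged in; vault uses the Azure RBAC model.
set -eu

# First-party App Service resource provider service principal (from the post).
APP_SERVICE_RP_APPID="abfa0a7c-a6b6-4736-8310-5855508787cd"
ROLE="Key Vault Certificate User"

# Build the Key Vault resource ID used as the role-assignment scope
# (ARM resource IDs are case-insensitive, so resourceGroups == resourcegroups).
kv_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Subscription IDs and the RP app ID must be GUIDs; reject typos up front.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Count assignments of ROLE to the RP identity at exactly this scope
# (assignments inherited from the resource group or subscription are not counted).
count_assignments() {
  az role assignment list --assignee "$APP_SERVICE_RP_APPID" --scope "$1" \
    --query "length([?roleDefinitionName=='$ROLE'])" -o tsv
}

# Idempotent grant: create the assignment only when it is missing, then re-check.
ensure_assignment() {
  scope=$(kv_scope "$1" "$2" "$3")
  if [ "$(count_assignments "$scope")" -gt 0 ]; then
    echo "already assigned: $ROLE -> $APP_SERVICE_RP_APPID at $scope"
  else
    az role assignment create --role "$ROLE" --assignee "$APP_SERVICE_RP_APPID" \
      --scope "$scope" -o none
    echo "assigned: $ROLE -> $APP_SERVICE_RP_APPID at $scope"
  fi
  # Verify what the control plane now reports.
  [ "$(count_assignments "$scope")" -gt 0 ] || { echo "verification failed" >&2; return 1; }
}

# Usage: sh ensure-kv-role.sh <subscription-id> <resource-group> <key-vault-name>
if [ "$#" -eq 3 ]; then
  is_guid "$1" || { echo "subscription id is not a GUID: $1" >&2; exit 2; }
  is_guid "$APP_SERVICE_RP_APPID" || exit 2
  ensure_assignment "$1" "$2" "$3"
fi
```

Role assignments can take a few minutes to propagate, so if the SSL binding still fails immediately after the script reports success, retry the binding shortly afterwards.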
App Service requires this role because:
The certificate remains in Key Vault
App Service reads it on demand
It also needs permission for certificate renewals (if enabled)
Without the Key Vault Certificate User role, the service cannot complete the certificate retrieval required to bind the SSL certificate to the custom domain.
Summary
This experience highlighted a simple yet crucial piece of configuration that isn’t always obvious when setting up SSL for custom domains in Azure App Service.
If you're integrating Key Vault, App Service and custom domain SSL, make sure the App Service resource provider identity has the Key Vault Certificate User role on the vault. This avoids unnecessary troubleshooting time and keeps certificate operations running smoothly.
If you face the same issue, applying the command above should help you get unblocked instantly.