Azure Front Door Standard and Premium SKUs now allow you to use your own certificate when validating the custom domain.
Azure Front Door will automatically approve the custom domain if the Certificate Name (CN) or Subject Alternative Name (SAN) of the certificate matches the custom domain.
This improves and simplifies the domain validation process, especially when using Infrastructure as Code (IaC), such as DevOps, to deploy Front Door.
Your custom certificate must be saved in an Azure Key Vault hosted in the same subscription as Azure Front Door.
The certificate must not use elliptic curve (EC) cryptography algorithms, must have a complete certificate chain with leaf and intermediate certificates, and must be issued by a root authority that is part of the Microsoft Trusted CA list (https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).
You also need to ensure Azure Front Door is registered as an Azure AD app and has access to list the certificates:
For public cloud, use New-AzADServicePrincipal -ApplicationId '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'
For government cloud, use New-AzADServicePrincipal -ApplicationId 'd4631ece-daab-479b-be77-ccb713491fc0'
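The certificate requirements above can be checked locally before the PFX is imported into Key Vault. The following is an added example, not Microsoft's or Front Door's own code: the function name Test-AfdByocCertificate, its parameters and the output property names are hypothetical, and it assumes PowerShell 7.3 or later and a password-protected PFX file. It does not check whether the root is on the Microsoft Trusted CA list.

```powershell
# Added example (hypothetical function and parameter names).
# Assumes PowerShell 7.3+ (.NET 7) for X509SubjectAlternativeNameExtension.
function Test-AfdByocCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string] $CustomDomain
    )
    $x509  = 'System.Security.Cryptography.X509Certificates'
    $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    $bundle = New-Object "$x509.X509Certificate2Collection"
    $bundle.Import((Resolve-Path $PfxPath).Path, $plain, 'DefaultKeySet')

    # The leaf is the certificate in the bundle that carries the private key.
    $leaf = $bundle | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }

    # Collect the CN and every DNS entry of the SAN extension (OID 2.5.29.17).
    $names  = @($leaf.GetNameInfo('SimpleName', $false))
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        Select-Object -First 1
    if ($sanExt) {
        $san = [System.Security.Cryptography.X509Certificates.X509SubjectAlternativeNameExtension]::new(
            $sanExt.RawData, $sanExt.Critical)
        $names += @($san.EnumerateDnsNames())
    }

    # Exact match, or the usual single-label wildcard form (*.parent).
    # Assumption: the page does not say how Front Door treats wildcard names.
    $domain   = $CustomDomain.TrimEnd('.').ToLowerInvariant()
    $wildcard = '*.' + ($domain -split '\.', 2)[1]
    $nameMatch = [bool]($names | Where-Object { $_ -and $_.ToLowerInvariant() -in $domain, $wildcard })

    # id-ecPublicKey (1.2.840.10045.2.1) marks an elliptic curve key.
    $notEc = $leaf.PublicKey.Oid.Value -ne '1.2.840.10045.2.1'

    # Chain completeness, approximated: the leaf's issuer must be in the bundle.
    $issuerInBundle = [bool]($bundle | Where-Object {
        $_.Subject -eq $leaf.Issuer -and $_.Thumbprint -ne $leaf.Thumbprint })

    [pscustomobject]@{
        Subject               = $leaf.Subject
        NamesFound            = $names
        NameMatchesDomain     = $nameMatch
        KeyIsNotEllipticCurve = $notEc
        IssuerCertInBundle    = $issuerInBundle
        LocalChecksPassed     = $nameMatch -and $notEc -and $issuerInBundle
    }
}
```

Call it as `Test-AfdByocCertificate -PfxPath .\cert.pfx -PfxPassword (Read-Host -AsSecureString) -CustomDomain www.contoso.com`, where the file name and domain are placeholders.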