[Azure] Setting custom domain with indirect verification via ARM

I ran across this problem trying to link a custom domain to an Azure storage account. A custom domain lets you serve the account under your own domain instead of the default <storageaccountname>.blob.core.windows.net. Before you can use a custom domain, it has to be validated to ensure that you really own the domain you're planning to use. There are two ways of validating:

  1. Azure checks for the existence of a CNAME record on the specific domain that points to the domain name of the storage account (as mentioned above).
  2. Azure checks for the existence of a CNAME record on asverify.<specificdomain> that points to the domain name of the storage account, likewise prefixed with asverify.

Using the asverify subdomain is called “indirect validation”. This is used when you don’t point traffic directly to the storage account but, for instance, need an appliance in between that then forwards traffic. In the Azure portal, this is reflected in the following checkbox:

 

Ok, so all fine and well. But what if you need to use the “indirect CNAME validation” and don’t want to use the portal, but deploy stuff via ARM templates instead? You set up a CNAME record that points “asverify.mystorageaccount.specificdomain.com” to “mystorageaccount.blob.core.windows.net”. And then you deploy your ARM template. I tried that but kept running into the following error:

This basically says: you don’t have a CNAME mapping for mystorageaccount.specificdomain.com, which is true as we prefixed it with asverify and the actual CNAME is pointing to my routing appliance. It turns out the fix for this is very simple, but hard to find. I found it by inspecting the API call that the portal makes when you set the indirect validation checkbox. Change your ARM template to the following:

The “useSubDomainName” flag will trigger the use of the indirect CNAME validation, as described here.
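
As an added example (not the template from the original post), a minimal ARM template that sets the flag on the storage account's `customDomain` block. The parameter defaults reuse the post's sample names; the `apiVersion`, `sku` and `kind` values are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "defaultValue": "mystorageaccount",
      "metadata": { "description": "Sample account name reused from the post (assumption)." }
    },
    "customDomainName": {
      "type": "string",
      "defaultValue": "mystorageaccount.specificdomain.com",
      "metadata": { "description": "Domain to register; its asverify CNAME must already exist in DNS." }
    }
  },
  "resources": [
    {
      "comments": "Added example: apiVersion, sku and kind are assumed values; the customDomain block is the point.",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "customDomain": {
          "name": "[parameters('customDomainName')]",
          "useSubDomainName": true
        }
      }
    }
  ]
}
```

The ARM reference for `useSubDomainName` states that it should only be set on updates, so deploy this against a storage account that already exists.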
