Azure App Service outage after deployment and failed backup restore – certificate not loading due to thumbprint mismatch

Question

Azure App Service outage after deployment and failed backup restore – certificate not loading due to thumbprint mismatch

Coen Claus 1

We recently experienced an outage in an Azure App Service–based authentication service after a deployment. I’m trying to understand what went wrong and how to prevent similar issues in the future.

Scenario

A deployment was performed to a production App Service environment.
Shortly after deployment, the application started returning HTTP 500/503 errors and authentication stopped working.
Existing sessions continued to work for some time, but new sign-ins and token renewals failed.

Troubleshooting steps taken

Multiple attempts were made to restore the App Service from a backup (including site configuration).
The restore process did not resolve the issue.
Application settings and environment variables were reviewed.
Eventually, it was discovered that a certificate could not be loaded due to a mismatch in the value of an environment variable (WEBSITE_LOAD_CERTIFICATES).
The mismatch was a single-character difference in the certificate thumbprint.
After correcting the value manually, the service recovered.

Observations

The issue was difficult to detect because the thumbprint values are long hexadecimal strings.
Visual inspection alone did not help identify the mismatch early.
Backup restore did not appear to revert the misconfigured environment variable.
The misconfiguration originated from infrastructure-as-code parameter values.

Questions

Backup & Restore behavior

Should Azure App Service backup/restore include environment variables like WEBSITE_LOAD_CERTIFICATES?
- Under what circumstances would these settings not be restored?
Certificate handling
- Is using certificate thumbprints in app settings considered a best practice, or are there more robust alternatives (e.g., Key Vault integration)?

Any guidance or best practices would be appreciated.

Golla Venkata Pavani 6,085 Reputation points Microsoft External Staff Moderator

2026-06-10T20:15:54.0466667+00:00
Hii @Coen Claus

Thanks for sharing the details of this incident, sorry to hear about the outage. A single-character difference in a long thumbprint string is one of those subtle issues that can be really hard to spot, especially when it surfaces only after a deployment.

Azure App Service backups do capture your app settings (including WEBSITE_LOAD_CERTIFICATES), but only if you explicitly choose to restore the site configuration. In the portal, look for the "Restore site configuration" option under Advanced settings during restore. If it's not selected (or if using --restore-content-only in the CLI), the configuration won't be rolled back.

Post-restore IaC runs can also override settings, which may explain why the fix wasn't immediate. For the most reliable recovery, export your app's ARM template as a configuration snapshot in addition to backups.

This loads all certificates you've added to the App Service and avoids manual thumbprint management entirely.

For production auth services, we recommend moving to Azure Key Vault integration:

Store and manage your certificates in Key Vault.

Import/reference them in App Service (the platform syncs changes daily, including renewals).

This eliminates thumbprint drift issues and gives you better rotation, auditing, and security.

Reference:
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code?tabs=windows
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli

Kindly let us know if the above comment helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Golla Venkata Pavani 6,085 Reputation points Microsoft External Staff Moderator

2026-06-11T19:31:27.7166667+00:00

Hii @Coen Claus

I'm just reaching out to see if your issue has been resolved or if you've had a chance to review my previous comment?
Coen Claus 1 Reputation point

2026-06-15T12:35:57.2066667+00:00

@Golla Venkata Pavani Thank you for you elaborate answer. We restored the webapp through the Azure Portal, during the resore we also selected the check box 'Restore Site Configuration'

We got the notifcation it might take up to 30 minutes for the webapp to restore, but still after half an hour the configuration was not restored, previous experiences learned us it's almost restored instantly
Golla Venkata Pavani 6,085 Reputation points Microsoft External Staff Moderator

2026-06-17T21:34:29.31+00:00
Hi @Coen Claus

Thank you for the additional details, I appreciate you confirming that you selected the **"**Restore site configuration" checkbox in the Azure Portal.

By selecting this option should restore your app settings (including WEBSITE_LOAD_CERTIFICATES), along with other configuration items. The portal warning about up to 30 minutes is standard, as the platform stops the app, applies the restore, and restarts instances. While many restores complete faster, the full propagation can take longer depending on app size, number of instances, and backend processing.

Possible reasons the setting didn't appear immediately

The restore completed, but a subsequent IaC deployment, CI/CD pipeline, or slot operation overwrote the app settings.

Platform synchronization or app restart took the full duration (or slightly longer in this case).

The specific backup snapshot may not have contained the expected pre-mismatch value.

Immediate verification & fix:

After any restore, run this command right away to check the current value:

az webapp config appsettings list --name <your-app-name> --resource-group <rg-name> --query "[?name=='WEBSITE_LOAD_CERTIFICATES'].value"

If it’s still incorrect, manually update it (or set it to * for simplicity) and restart the app.

Strong recommendation:

Switch to WEBSITE_LOAD_CERTIFICATES=* to load all certificates added to the App Service. This eliminates thumbprint typos entirely. Even better, integrate with Azure Key Vault for automatic certificate syncing and renewal handling.

Reference:
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code?tabs=windows
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli

Kindly let us know if the above comment helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Golla Venkata Pavani 6,085 Reputation points Microsoft External Staff Moderator

2026-06-18T20:59:13.6666667+00:00

Hi @Coen Claus

I'm just reaching out to see if your issue has been resolved or if you've had a chance to review my previous comment?
Coen Claus 1 Reputation point

2026-06-19T10:34:21.4166667+00:00

I was not aware of WEBSITE_LOAD_CERTIFICATES=* that might prove useful in the future, probably from our side we were doing too much at once when restoring the webapp.

1 answer

Your answer

Golla Venkata Pavani 6,085 Reputation points Microsoft External Staff Moderator

2026-06-10T20:15:54.0466667+00:00

Hii @Coen Claus

Thanks for sharing the details of this incident, sorry to hear about the outage. A single-character difference in a long thumbprint string is one of those subtle issues that can be really hard to spot, especially when it surfaces only after a deployment.

Azure App Service backups do capture your app settings (including WEBSITE_LOAD_CERTIFICATES), but only if you explicitly choose to restore the site configuration. In the portal, look for the "Restore site configuration" option under Advanced settings during restore. If it's not selected (or if using --restore-content-only in the CLI), the configuration won't be rolled back.

Post-restore IaC runs can also override settings, which may explain why the fix wasn't immediate. For the most reliable recovery, export your app's ARM template as a configuration snapshot in addition to backups.

This loads all certificates you've added to the App Service and avoids manual thumbprint management entirely.

For production auth services, we recommend moving to Azure Key Vault integration:

Store and manage your certificates in Key Vault.

Import/reference them in App Service (the platform syncs changes daily, including renewals).

This eliminates thumbprint drift issues and gives you better rotation, auditing, and security.

Reference:
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code?tabs=windows
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli

Kindly let us know if the above comment helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Golla Venkata Pavani 6,085 Reputation points Microsoft External Staff Moderator

2026-06-11T19:31:27.7166667+00:00

Hii @Coen Claus

I'm just reaching out to see if your issue has been resolved or if you've had a chance to review my previous comment?
Coen Claus 1 Reputation point

2026-06-15T12:35:57.2066667+00:00

@Golla Venkata Pavani Thank you for you elaborate answer. We restored the webapp through the Azure Portal, during the resore we also selected the check box 'Restore Site Configuration'

We got the notifcation it might take up to 30 minutes for the webapp to restore, but still after half an hour the configuration was not restored, previous experiences learned us it's almost restored instantly
Golla Venkata Pavani 6,085 Reputation points Microsoft External Staff Moderator

2026-06-18T20:59:13.6666667+00:00

Hi @Coen Claus

I'm just reaching out to see if your issue has been resolved or if you've had a chance to review my previous comment?
Coen Claus 1 Reputation point

2026-06-19T10:34:21.4166667+00:00

I was not aware of WEBSITE_LOAD_CERTIFICATES=* that might prove useful in the future, probably from our side we were doing too much at once when restoring the webapp.

Answer 1

Hello Coen Claus,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your Azure App Service outage after deployment and failed backup restore – certificate not loading due to thumbprint mismatch.

Your outage was caused by a bad IaC-supplied WEBSITE_LOAD_CERTIFICATES thumbprint. The manual correction fixed production, but the durable fix is to correct the IaC source, stop manually typing thumbprints, add a pipeline gate that verifies the configured thumbprint against the actual App Service certificate, deploy first to a staging slot, run a certificate/authentication smoke test, and only then swap to production. Do not depend on App Service backup restore as the primary rollback for this class of issue, and make sure you use slots and deterministic IaC rollback, and use restore only through a tested slot-based recovery runbook.

Use the below for more reading and steps:

I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Coen Claus 1 Reputation point

2026-06-17T09:09:11.1866667+00:00

While we understand that our current setup isn't perfect, this does not anwser our question of why the backup does not work.

Backups are a disaster recovery measure, other then slots which can be affected by a IaC deployment. That are not my words, but those of Microsoft: Implementing Disaster Recovery for Azure App Service Web Applications | Microsoft Community Hub

Our question that needs to be awnsered: why did our disaster recovery, that has been tested and proven to work in the past, not recover us from disaster, in other words, why did it not work.

Share via

Azure App Service outage after deployment and failed backup restore – certificate not loading due to thumbprint mismatch

Scenario

Troubleshooting steps taken

Observations

Questions

1 answer

Your answer