Problem
The Bicep deployment for an Azure API Management service fails with an error stating that new managed certificate requests are temporarily suspended from August 15, 2025, to March 15, 2026. The goal is to deploy other changes to the API Management service while keeping the existing custom domain and managed certificate active.
Solution
The core issue is that the Bicep code attempts to update the hostnameConfigurations section, which triggers a new managed certificate request, leading to the deployment failure. To work around this, you must temporarily stop sending the hostnameConfigurations section in your Bicep template during the suspension window.
Here are the specific actions to take:
Remove or skip the hostnameConfigurations section: The most direct solution is to conditionally remove the hostnameConfigurations block from your Bicep template. This prevents the deployment from attempting to create or update the managed certificate, allowing other changes (like updates to APIs, products, or policies) to succeed. Your existing managed certificate will remain valid and will be automatically renewed by Azure.
Split your Infrastructure as Code (IaC): For a more robust approach, you can separate your Bicep code into two parts. One template would manage the core service-level settings (like sku, location, publisherEmail, etc.), while a separate, independent template would manage the content (APIs, products, policies, etc.) of the API Management service. This allows you to deploy content updates without touching the service's configuration, including the hostnameConfigurations.
Use a Key Vault certificate (Alternative): If you must add or change a custom domain during the suspension period, you can't use a new managed certificate. Instead, you would need to use a certificate stored in Azure Key Vault. This requires updating the hostnameConfigurations to reference the Key Vault ID and a certificate secret, instead of using the 'Managed' certificate source. This is a more involved change but is necessary if you need to onboard a new custom domain during this specific timeframe.
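The first and third actions above can share one template, shown here as an added example that is not code from the original page. The parameter names, the hostnameMode switch, the SKU, the host name and the Key Vault secret URL are assumptions made for illustration.

```bicep
// Added example: all names and values below are placeholders.
param apimName string
param location string = resourceGroup().location
param publisherEmail string
param publisherName string

@allowed([
  'omit'     // send no hostnameConfigurations (suspension-window workaround)
  'keyVault' // bind the custom domain to a certificate held in Key Vault
])
param hostnameMode string = 'omit'

param customHostName string = 'api.example.com'
// Secret identifier of the certificate in Key Vault (constructed placeholder).
param keyVaultSecretId string = 'https://example-kv.vault.azure.net/secrets/apim-cert'

var baseProperties = {
  publisherEmail: publisherEmail
  publisherName: publisherName
}

// Only merged into the resource when hostnameMode is 'keyVault'.
var keyVaultHostnames = {
  hostnameConfigurations: [
    {
      type: 'Proxy'
      hostName: customHostName
      certificateSource: 'KeyVault' // replaces 'Managed'
      keyVaultId: keyVaultSecretId
      defaultSslBinding: true
      negotiateClientCertificate: false
    }
  ]
}

resource apim 'Microsoft.ApiManagement/service@2022-08-01' = {
  name: apimName
  location: location
  sku: {
    name: 'Developer'
    capacity: 1
  }
  // The service identity needs read access to the secret,
  // for example the Key Vault Secrets User role scoped to that vault.
  identity: {
    type: 'SystemAssigned'
  }
  // In 'omit' mode the property is absent from the request body entirely.
  properties: union(baseProperties, hostnameMode == 'keyVault' ? keyVaultHostnames : {})
}
```

Running the deployment with what-if before applying it shows whether hostnameConfigurations appears in the planned changes for the chosen mode.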