It is impossible to add and validate a domain with a certificate using "afdverify" on FrontDoor without Azure Support and DigiCert support reps getting involved. I have an ongoing support email chain between Azure, DigiCert, and myself that spans several days because of the manual steps required for each domain.
Here's an example of what currently occurs:
If you want to use myapp.example.com you need to create a CNAME of afdverify.myapp.example.com pointing to your FrontDoor resource (ex. fd-myapp.azurefd.net).
If you want to create an HTTPS certificate for that domain you will always get stuck at this step:
The documentation at the link above says they will automatically email "admin@your-domain-name.com", but this is not the case. Azure Support has discovered that DigiCert will not automatically send an email if the request is for a FQDN (myapp.example.com) and not a root domain.
This was DigiCert's response:
As per the documentation, since the CNAME record is with the afdverify subdomain, domain validation cannot be completed with the CNAME record, and has to be done via the other methods. And due to the account settings, when the order is submitted, the FQDN name "myapp.example.com" was submitted as the validation scope instead of the root domain "example.com", and the domain validation email was not sent automatically.
You will have to have Azure Support look up the "Order ID" and also bring in a DigiCert Support Rep to manually send the email to the correct address. But this approval will only be for "myapp.example.com" and not for all future subdomains unless you additionally request a root domain validation email be sent.
You might be tempted to bypass this by trying to add the root domain to FrontDoor from the start to avoid involving support. This would probably work from DigiCert's side, but unfortunately Azure FrontDoor does not allow you to enable HTTPS Certificates for root domains.
This seems like a very broken process for a key feature. Is this really the only way to accomplish this?
Edit - I've also created a Feedback Idea here for the team.
https://feedback.azure.com/d365community/idea/ce508655-4346-ec11-a819-0022484bf651