As for security reasons we have limited our CAA records to specific Digicert accounts.

As for example:
example.com. 28800 IN CAA 0 issue "digicert.com; account=abc1___d234"

In combination with managed certificates this causes a permission issue as expected.
Would it be possible, to include Microsoft's account id within the documentation? This would allow security sensitive customers to extend their CAA records with the specific Digicert account id of Microsoft without having to open it for all Digicert accounts.

The domain verification process built into the Azure App Services already ensures the needed security level, thus allowing Microsoft's account id is the better option than allowing all Digicert accounts.

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: cc2ee874-df45-1de2-1b30-1fd75c7fd709
• Version Independent ID: ee181722-8386-9842-407f-d0549012d2e9
• Content: Add and manage TLS/SSL certificates - Azure App Service
• Content Source: articles/app-service/configure-ssl-certificate.md
• Service: app-service
• GitHub Login: @msangapu-msft
• Microsoft Alias: msangapu