Microsoft seems to keep changing the way you can create Azure API tokens for DNS management. I use them for Let's Encrypt certs and those expire, so this is the method I currently use.
The commands below are run in the Azure Cloud Shell.
The process is slightly different if you have more than one subscription ID: you will need to run "az account list" and then 'az account set --subscription "Subscription B"' to select the correct one.
First you will need to list your DNS Zones.
az network dns zone list
This will return something like this:
[
  {
    "etag": "00000002-0000-0000-f641-73c64955d301",
    "id": "/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com",
    "location": "global",
    "maxNumberOfRecordSets": 5000,
    "name": "example.com",
    "nameServers": [
      "ns1-02.azure-dns.com.",
      "ns2-02.azure-dns.net.",
      "ns3-02.azure-dns.org.",
      "ns4-02.azure-dns.info."
    ],
    "numberOfRecordSets": 11,
    "resourceGroup": "exampledns_rg",
    "tags": {},
    "type": "Microsoft.Network/dnszones"
  }
]
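Now create a service principal, using the "id" of the zone from the listing above as the scope, so the role applies to that zone only: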
az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \
/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com
This will then display all the information you need to populate the LE Azure DNS challenge in Proxmox.
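As an added example (not part of the original post), this Python sketch checks that the value passed to --scopes names exactly one DNS zone and maps the service principal output to the settings used by acme.sh's dns_azure plugin. The sample JSON and placeholder credentials are constructed, the function names are hypothetical, and it is an assumption that the Proxmox form asks for the same acme.sh field names.

```python
import json
import re

# Constructed sample: `az network dns zone list` output, trimmed from the listing above.
ZONE_LIST = json.loads("""[{
  "id": "/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com",
  "name": "example.com"
}]""")

# Constructed sample of the service principal output; every value is a placeholder.
SP_OUTPUT = {
    "appId": "00000000-0000-0000-0000-00000000aaaa",
    "displayName": "AcmeDnsValidator",
    "password": "PLACEHOLDER-CLIENT-SECRET",
    "tenant": "00000000-0000-0000-0000-00000000bbbb",
}

# A scope that names exactly one DNS zone and nothing wider.
ZONE_SCOPE = re.compile(
    r"/subscriptions/(?P<sub>[0-9a-fA-F-]{36})/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/dnszones/(?P<zone>[^/]+)",
    re.IGNORECASE)

def zone_scope(zones, name):
    """Return the resource ID of the named zone, refusing anything broader."""
    for zone in zones:
        if zone["name"].lower() == name.lower():
            if not ZONE_SCOPE.fullmatch(zone["id"]):
                raise ValueError("not a single-zone scope: " + zone["id"])
            return zone["id"]
    raise LookupError("zone not found: " + name)

def acme_fields(scope, sp):
    """Map the zone scope and service principal output to dns_azure settings."""
    match = ZONE_SCOPE.fullmatch(scope)
    if match is None:
        raise ValueError("scope is wider than one DNS zone: " + scope)
    return {
        "AZUREDNS_SUBSCRIPTIONID": match.group("sub"),
        "AZUREDNS_TENANTID": sp["tenant"],
        "AZUREDNS_APPID": sp["appId"],
        "AZUREDNS_CLIENTSECRET": sp["password"],  # secret: keep out of logs and history
    }

if __name__ == "__main__":
    scope = zone_scope(ZONE_LIST, "example.com")
    print("--scopes", scope)
    for key, value in acme_fields(scope, SP_OUTPUT).items():
        print(key, "=", "<redacted>" if key.endswith("SECRET") else value)
```

A scope that stops at the subscription or resource group is rejected, which catches a truncated --scopes argument before a wider role assignment is created.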