
Issue with SSL Profiles in Azure

Matthias Holmberg 20 Reputation points
2026-03-30T07:48:11.6866667+00:00

Hi
I have added an SSL profile in the Azure Portal and then chose "verifyClientAuthMode: 'Passthrough'".
But when I look into the ARM template it's not set at all. Is this a bug or am I doing something wrong?

Sincerely
Matthias

Azure Application Gateway

An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.


Answer accepted by question author
  1. Venkatesan S 6,115 Reputation points Microsoft External Staff Moderator
    2026-03-30T09:32:34.6633333+00:00

    Hi Matthias Holmberg,

    Thanks for reaching out in Microsoft Q&A forum,

    I have added an SSL profile in the Azure Portal and then chose "verifyClientAuthMode: 'Passthrough'". But when I look into the ARM template it's not set at all. Is this a bug or am I doing something wrong?

    The verifyClientAuthMode: Passthrough property only exists in API version 2025-03-01. The Azure Portal still uses older API versions and validation logic that don’t recognize this property. When you select it in the UI, the Portal accepts your input but silently strips it during save because its backend schema doesn’t include the field yet.

    Why ARM templates work: When you deploy via ARM with apiVersion: 2025-03-01, you’re talking directly to the newer control plane that understands passthrough mode. The Portal can’t do this yet.

    Even after successful ARM deployment, if you open the gateway in the Portal and click “Save,” the Portal will re-validate using its old schema and wipe out your passthrough config.

    Official docs: Deploy mTLS passthrough with ARM template

    When I deploy anything to our AKS using AGIC it gets overwritten with static client auth.

    AGIC runs a reconciliation loop every 30–60 seconds. It reads your Kubernetes Ingress resources, builds a “desired state,” then compares it to the actual gateway config. Anything on the gateway that isn’t in Kubernetes gets deleted as “drift.”

    Since AGIC has no way to express verifyClientAuthMode: Passthrough in Kubernetes (no annotation, no CRD field), your SSL profile never appears in AGIC’s desired state. So AGIC treats it as rogue config and removes it.

    Why shared mode helps: With appgw.shared: true, AGIC switches from “delete everything I don’t own” to “only manage what I create.” Your manually deployed SSL profile survives because AGIC no longer claims full ownership.

    Official docs:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please “Accept Answer” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
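The answer describes two ways the Passthrough setting can silently disappear: a Portal save that re-validates against an older schema, and an AGIC reconciliation loop that deletes configuration it does not own. A practical defence is to audit the exported ARM template after any such event and confirm the setting is still present. The following script is an added example, not code from the thread or from Microsoft; it assumes the property sits at `resources[].properties.sslProfiles[].properties.clientAuthConfiguration.verifyClientAuthMode` and that the resource must be deployed with apiVersion 2025-03-01 or later for the property to be honoured (the thread only states the version, not the exact JSON path). The sample template is constructed to show one intact profile and one that has had the mode stripped.

```python
"""Audit an Application Gateway ARM template for SSL profiles that should
carry verifyClientAuthMode: Passthrough, so a Portal save or AGIC
reconciliation that silently dropped it is caught before mTLS breaks.

Assumed JSON path (not confirmed by the Q&A thread):
resources[].properties.sslProfiles[].properties.clientAuthConfiguration
.verifyClientAuthMode
"""

import json

APPGW_TYPE = "Microsoft.Network/applicationGateways"
MIN_API_VERSION = "2025-03-01"  # from the thread: first version with the property

# Constructed sample template, not a real export: one gateway, two SSL profiles.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": APPGW_TYPE,
            "apiVersion": "2025-03-01",
            "name": "appgw-example",
            "properties": {
                "sslProfiles": [
                    {
                        "name": "mtls-passthrough",
                        "properties": {
                            "clientAuthConfiguration": {
                                "verifyClientAuthMode": "Passthrough"
                            }
                        },
                    },
                    {
                        # Mimics what a Portal save leaves behind: the mode is gone.
                        "name": "mtls-stripped",
                        "properties": {
                            "clientAuthConfiguration": {
                                "verifyClientCertIssuerDN": False
                            }
                        },
                    },
                ]
            },
        }
    ],
}


def api_version_ok(api_version: str) -> bool:
    """ARM apiVersions are ISO dates, optionally with a -preview suffix, so a
    string comparison on the first ten characters orders them correctly."""
    return api_version[:10] >= MIN_API_VERSION


def audit_ssl_profiles(template: dict) -> list:
    """Return one finding dict per SSL profile on every Application Gateway resource."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != APPGW_TYPE:
            continue
        version_ok = api_version_ok(res.get("apiVersion", "0000-00-00"))
        for profile in res.get("properties", {}).get("sslProfiles", []):
            cfg = profile.get("properties", {}).get("clientAuthConfiguration", {})
            mode = cfg.get("verifyClientAuthMode")
            findings.append({
                "gateway": res.get("name"),
                "profile": profile.get("name"),
                "apiVersion": res.get("apiVersion"),
                "mode": mode,
                # Only counts as Passthrough if the control plane could accept it.
                "passthrough": version_ok and mode == "Passthrough",
            })
    return findings


def drifted_profiles(template: dict) -> list:
    """Names of profiles that no longer carry Passthrough, or whose resource
    apiVersion is too old for the property to have been honoured."""
    return [f["profile"] for f in audit_ssl_profiles(template) if not f["passthrough"]]


if __name__ == "__main__":
    # For a real check, load an exported template with json.load() instead.
    for finding in audit_ssl_profiles(SAMPLE_TEMPLATE):
        print(json.dumps(finding))
    print("drifted:", drifted_profiles(SAMPLE_TEMPLATE))
```

Run this against a freshly exported template after any Portal save or AGIC reconciliation; an empty `drifted` list means every SSL profile still carries Passthrough under a new enough apiVersion, and anything listed needs to be redeployed via ARM. The apiVersion check matters because a template that silently downgrades to an older version will drop the field on deployment even if it is present in the file.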

0 additional answers
