staticSites/config@2024-04-01 preflight returns InternalServerError on deployment with @Microsoft.KeyVault SecretUri reference #1747

@chrisdale1234

Summary

Starting 2026-05-25, ARM deployments that include a Microsoft.Web/staticSites/config@2024-04-01 resource with a Key Vault reference in the properties payload began failing preflight with a server-side InternalServerError: Object reference not set to an instance of an object. The same template was green on @2024-04-01 for ~3 weeks prior with no client-side changes. Pinning that single resource to @2023-12-01 while keeping every sibling SWA resource on @2024-04-01 resolves the failure cleanly.

This looks like an upstream RP regression in the 2024-04-01 staticSites/config schema's preflight validation, specifically when an app setting value uses the @Microsoft.KeyVault(SecretUri=...) reference syntax.

Tracking IDs

  • 19c09a6e-047b-4666-9457-80662df2d3b6
  • 12710b89-9d91-4072-a32b-9ce3a16c12b4

Both from the same template, ~9 minutes apart on 2026-05-25 (eastus, identical NullRef each time).

Error

Microsoft.Web/staticSites (2024-04-01) preflight validation error:
InternalServerError: Object reference not set to an instance of an object.

No specific Bicep property is named in the failure. The pre-deployment what-if step succeeds (what-if uses a different validation path than create-time preflight).

Timeline

  • 2026-05-02 → 2026-05-17: deployments with this resource on @2024-04-01 succeed.
  • 2026-05-18 onward: a separate transient (The content for this response was already consumed — azure-cli internal) starts appearing intermittently.
  • 2026-05-25: every deployment fails with the NullRef above, consistently. Two runs ~9 minutes apart produced different tracking IDs, ruling out a single transient.
  • 2026-05-25 (workaround applied): downgrading the single child resource's API version to @2023-12-01 (keeping every other SWA resource on @2024-04-01) restores green deployments end-to-end.

Minimal repro shape

Bicep:

resource staticWebApp 'Microsoft.Web/staticSites@2024-04-01' = {
  // ... standard SWA properties
}

resource swaAppSettings 'Microsoft.Web/staticSites/config@2024-04-01' = {
  parent: staticWebApp
  name: 'appsettings'
  properties: {
    SOME_PLAIN_VALUE: 'foo'
    KV_REFERENCED_SECRET: '@Microsoft.KeyVault(SecretUri=https://my-kv.vault.azure.net/secrets/my-secret/)'
  }
}

Run az deployment group create ... → preflight NullRef.

Change only staticSites/config@2024-04-01 → @2023-12-01, leave everything else identical → deployment succeeds, app settings (including KV reference) apply correctly.

Workaround

Pin Microsoft.Web/staticSites/config to @2023-12-01 while keeping sibling SWA resources (staticSites, customDomains, linkedBackends) on @2024-04-01. Reference: arboreyecare/genie PR #1127, tracking issue arboreyecare/genie#1121.

Ask

  • Acknowledge / triage to the staticSites RP team.
  • Confirm whether this is a known regression in the 2024-04-01 schema's preflight validation path.
  • Once fixed, please note in this issue so consumers can re-pin to @2024-04-01.

Happy to provide additional repro artifacts or full deployment correlation IDs on request.
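The following is an added example, not part of the original issue or of any Azure tooling: a check over a compiled ARM JSON template (for instance the output of `az bicep build`) that lists the `staticSites/config` resources matching the reported failure shape, so they can be pinned as in the workaround. The function names and the sample template are constructed; the resource type, API versions and reference syntax are the ones quoted in the issue.

```python
import json
import re
import sys

# Resource type and API version are taken from the report above; the function
# names and SAMPLE template are constructed for this example.
AFFECTED_TYPE = "microsoft.web/staticsites/config"
AFFECTED_API = "2024-04-01"
KV_REF = re.compile(r"^@Microsoft\.KeyVault\(", re.IGNORECASE)

def walk(resources, parent_type=""):
    """Yield (full_type, resource) for top-level and nested resources."""
    # languageVersion 2.0 templates key resources by symbolic name (object).
    items = resources.values() if isinstance(resources, dict) else resources
    for res in items or []:
        full = f"{parent_type}/{res.get('type', '')}".lstrip("/")
        yield full, res
        yield from walk(res.get("resources"), full)

def find_affected(template):
    """List config resources on the affected API version with KV references."""
    findings = []
    for full_type, res in walk(template.get("resources")):
        if full_type.lower() != AFFECTED_TYPE or res.get("apiVersion") != AFFECTED_API:
            continue
        props = res.get("properties") or {}
        # Report setting names only; literal string values are the only ones checked.
        keys = sorted(k for k, v in props.items()
                      if isinstance(v, str) and KV_REF.match(v))
        if keys:
            findings.append({"name": res.get("name"), "settings": keys})
    return findings

KV = "@Microsoft.KeyVault(SecretUri=https://my-kv.vault.azure.net/secrets/my-secret/)"
SAMPLE = {"resources": [
    {"type": "Microsoft.Web/staticSites", "apiVersion": "2024-04-01", "name": "swa-a",
     "resources": [{"type": "config", "apiVersion": "2024-04-01", "name": "appsettings",
                    "properties": {"SOME_PLAIN_VALUE": "foo", "KV_REFERENCED_SECRET": KV}}]},
    {"type": "Microsoft.Web/staticSites/config", "apiVersion": "2023-12-01",
     "name": "swa-b/appsettings", "properties": {"KV_REFERENCED_SECRET": KV}},
    {"type": "Microsoft.Web/staticSites/config", "apiVersion": "2024-04-01",
     "name": "swa-c/appsettings", "properties": {"SOME_PLAIN_VALUE": "foo"}},
]}

if __name__ == "__main__":
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for hit in find_affected(template):
        print(f"{hit['name']}: pin to @2023-12-01 (settings: {', '.join(hit['settings'])})")
```

A Key Vault reference assembled by an ARM expression such as `[format(...)]` is not matched, because only literal string values are inspected.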
