How to enable JA4 feature for Azure FrontDoor WAF?

Question

How to enable JA4 feature for Azure FrontDoor WAF?

Pui Wong 0

Bicep template mentioned JA4 matchVariable is available.
https://learn.microsoft.com/en-us/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies?pivots=deployment-language-bicep#matchcondition

However, it returns "Operator 'ClientFingerprint' is currently not supported. Please enable JA4 feature flag." when deploy such Bicep template to AFD

Any help?

Pui Wong 0 Reputation points

2026-04-16T09:15:58.29+00:00

Hi Venkatesan S,

Thanks for your prompt reply.

May I know is there any support contact email that could help us enable this feature in our subscription?
Support plan is unavailable for current subscription.

Best regards,

Pui Wong
Alex Burlachenko 21,805 Reputation points MVP Volunteer Moderator

2026-04-16T14:19:31.0533333+00:00
Pui Wong hi,

firstly quick answer u cant fix it in code, only remove it or get feature flag enabled.

And it is looks like schema vs runtime mismatch, field exists in ARM/Bicep but service backend for Front Door WAF does not accept it yet, JA4 (ClientFingerprint) is behind feature flag on service side so deployment fails even though template validates, there is no public way to enable it via CLI/portal/ARM today, what u can do technically is first confirm provider features just in case az feature list -n Microsoft.Network --query "[?contains(name,'JA4')]" and az provider show -n Microsoft.Network --query registrationState but u will see nothing useful bc flag is internal, next try deploy same policy via REST/ARM and u will get same rejection which confirms its server-side gating not template issue, workaround options are: remove match condition using ClientFingerprint from Bicep and deploy rest of WAF policy, or replace logic with currently supported signals like RemoteAddr, RequestHeaders, TLS version/cipher where possible, if u really need JA4 then only path is support ticket asking for feature flag enablement for ClientFingerprint/JA4 on Front Door WAF, include subscription id + region + failing deployment error so request can be routed to networking/WAF team, also track API version in template bc sometimes preview api versions expose fields earlier than GA but backend still blocks them.

rgds,

Alex

&

pls if it helps accept my answer and mark it as an answer

1 answer

Your answer

Pui Wong 0 Reputation points

2026-04-16T09:15:58.29+00:00

Hi Venkatesan S,

Thanks for your prompt reply.

May I know is there any support contact email that could help us enable this feature in our subscription?
Support plan is unavailable for current subscription.

Best regards,

Pui Wong
Alex Burlachenko 21,805 Reputation points MVP Volunteer Moderator

2026-04-16T14:19:31.0533333+00:00

Pui Wong hi,

firstly quick answer u cant fix it in code, only remove it or get feature flag enabled.

And it is looks like schema vs runtime mismatch, field exists in ARM/Bicep but service backend for Front Door WAF does not accept it yet, JA4 (ClientFingerprint) is behind feature flag on service side so deployment fails even though template validates, there is no public way to enable it via CLI/portal/ARM today, what u can do technically is first confirm provider features just in case az feature list -n Microsoft.Network --query "[?contains(name,'JA4')]" and az provider show -n Microsoft.Network --query registrationState but u will see nothing useful bc flag is internal, next try deploy same policy via REST/ARM and u will get same rejection which confirms its server-side gating not template issue, workaround options are: remove match condition using ClientFingerprint from Bicep and deploy rest of WAF policy, or replace logic with currently supported signals like RemoteAddr, RequestHeaders, TLS version/cipher where possible, if u really need JA4 then only path is support ticket asking for feature flag enablement for ClientFingerprint/JA4 on Front Door WAF, include subscription id + region + failing deployment error so request can be routed to networking/WAF team, also track API version in template bc sometimes preview api versions expose fields earlier than GA but backend still blocks them.

rgds,

Alex

&

pls if it helps accept my answer and mark it as an answer

Answer 1

Hi Pui Wong

Thanks for reaching out in Microsoft Q&A forum

Right now, using JA4 as the matchVariable with the ClientFingerprint operator in Azure Front Door WAF is only available after Microsoft enables a behind-the-scenes feature flag for your subscription and region. This flag isn’t exposed in the portal, CLI, Bicep, or ARM templates, so there’s no setting you can toggle yourself to turn it on.

Because of that, the deployment fails with the message: “Please enable JA4 feature flag.”

At this time, the only supported way to get this capability is for Microsoft to enable the JA4/ClientFingerprint feature on their side for your subscription. That requires opening an Azure Support request and asking them to enable the feature flag for Azure Front Door WAF. Once they enable it, your existing Bicep/ARM template using:

matchVariable: 'JA4'
operator: 'ClientFingerprint'

will deploy successfully without any changes.

Update:

Yes, that’s exactly right: to use JA4 with the ClientFingerprint operator in Azure Front Door WAF, you need Microsoft to enable the JA4 feature flag for your subscription/region, and that requires a support request.

A proper Azure support plan (e.g., Developer, Standard, Professional Direct, or Premier) is needed to open a technical support request for this kind of feature enablement. Once Microsoft enables the flag on their side, your existing Bicep/ARM template with:

matchVariable: 'JA4'
operator: 'ClientFingerprint'

will deploy without any changes.
Link :How to create an Azure support request - Azure portal | Microsoft Learn

Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Pui Wong 0 Reputation points

2026-04-17T01:30:24.8+00:00

OK, so the answer is to raise support request which require a proper support plan for this feature. Thanks Venkatesan and Alex.
Venkatesan S 8,490 Reputation points Microsoft External Staff Moderator

2026-04-17T04:43:48.6633333+00:00

Update the answer and shared link how to create support request.

Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

How to enable JA4 feature for Azure FrontDoor WAF?

1 answer

Your answer