Azure SQL Managed Instance TLS custom domain issues
When connecting to Azure SQL Managed Instance via a private DNS zone, the TLS certificate presented by Microsoft only contains the service FQDN (for example, *.database.windows.net). It does not include the private DNS zone we have created (e.g., sqlmi-prod.contoso.local).
Why doesn’t Microsoft include private/custom hostnames in the TLS certificate for Managed Instance?
Is it correct that the certificates are service-managed and controlled by Microsoft, so customers cannot upload or bind their own certificates?
What is the officially recommended approach if we want to connect using a private/internal DNS alias — should we always use the Managed Instance FQDN, or rely on client-side options such as HostNameInCertificate / TrustServerCertificate?
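The mismatch described in the question, as an added example that is not part of the original post and is not Microsoft or driver code: a simplified model of the client-side name check, showing what HostNameInCertificate and TrustServerCertificate each change. It covers name matching only (chain validation is assumed to succeed), and the instance FQDN, SAN values and the "unrelated.example" certificate are constructed placeholders.

```python
# Added illustration: simplified model of a SQL client's TLS server-name check.
# Host names and SAN values marked "constructed" are samples, not real data.

def san_matches(pattern, host):
    """Wildcard match where '*' covers exactly one leftmost DNS label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def evaluate(data_source, cert_sans, host_name_in_certificate=None,
             trust_server_certificate=False):
    """Return (accepted, reason) for one connection attempt."""
    if trust_server_certificate:
        # Validation is skipped: encrypted, but the server is not authenticated.
        return True, "certificate not validated"
    # HostNameInCertificate replaces the name the certificate is checked against.
    expected = host_name_in_certificate or data_source
    if any(san_matches(s, expected) for s in cert_sans):
        return True, "certificate matches " + expected
    return False, "no SAN matches " + expected

ALIAS = "sqlmi-prod.contoso.local"                        # alias from the question
MI_FQDN = "sqlmi-prod.0123456789ab.database.windows.net"  # constructed
SERVICE_SANS = ["*.0123456789ab.database.windows.net"]    # constructed
OTHER_SANS = ["unrelated.example"]                        # constructed, wrong server

def run_cases():
    """Evaluate each client configuration against the sample certificates."""
    return {
        "alias, defaults": evaluate(ALIAS, SERVICE_SANS),
        "service FQDN": evaluate(MI_FQDN, SERVICE_SANS),
        "alias + HostNameInCertificate":
            evaluate(ALIAS, SERVICE_SANS, host_name_in_certificate=MI_FQDN),
        "alias + TrustServerCertificate":
            evaluate(ALIAS, SERVICE_SANS, trust_server_certificate=True),
        "wrong cert + HostNameInCertificate":
            evaluate(ALIAS, OTHER_SANS, host_name_in_certificate=MI_FQDN),
        "wrong cert + TrustServerCertificate":
            evaluate(ALIAS, OTHER_SANS, trust_server_certificate=True),
    }

if __name__ == "__main__":
    for name, (ok, reason) in run_cases().items():
        print(f"{name:38} {'accept' if ok else 'reject'}  ({reason})")
```

In this model the last two rows are the ones that differ in security terms: with HostNameInCertificate a certificate for another host is still rejected, while with TrustServerCertificate it is accepted.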
