Azure is built on IIS, so the IIS limitation to only extract the leaf cert severely hinders the possibility to programmatically extract the root certificate and the following certs associated with that root certificate. There is an option to manually add these via the portal, however, this will cause an issue when something is changed on the client side that would require a reupload of the certificate. Would like to request a way or alternative way of passing this certificate chain that will allow for all certs to be passed and not just the root certificate. This chain is passed in via the x-arr-headers using client auth from the documentation:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#access-client-certificate