diff --git a/internal/services/containerapps/container_app_custom_domain_resource.go b/internal/services/containerapps/container_app_custom_domain_resource.go
index 24ddd2ded105..8e10c31e07d4 100644
--- a/internal/services/containerapps/container_app_custom_domain_resource.go
+++ b/internal/services/containerapps/container_app_custom_domain_resource.go
@@ -6,14 +6,17 @@ package containerapps
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
 	"github.com/hashicorp/go-azure-helpers/lang/pointer"
+	"github.com/hashicorp/go-azure-helpers/lang/response"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/containerapps/2023-05-01/containerapps"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/containerapps/2023-05-01/managedenvironments"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/locks"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/sdk"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/services/containerapps/helpers"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/containerapps/parse"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/containerapps/validate"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
@@ -124,6 +127,15 @@ func (a ContainerAppCustomDomainResource) Create() sdk.ResourceFunc {
 				return fmt.Errorf("specified Container App (%s) has no Ingress configuration for Custom Domains", containerAppId)
 			}
 
+			// Delta-updates need the secrets back from the list API, or we'll end up removing them or erroring out.
+			secretsResp, err := client.ListSecrets(ctx, *containerAppId)
+			if err != nil || secretsResp.Model == nil {
+				if !response.WasStatusCode(secretsResp.HttpResponse, http.StatusNoContent) {
+					return fmt.Errorf("retrieving secrets for update for %s: %+v", *containerAppId, err)
+				}
+			}
+			config.Secrets = helpers.UnpackContainerSecretsCollection(secretsResp.Model)
+
 			ingress := *config.Ingress
 
 			customDomains := make([]containerapps.CustomDomain, 0)