See i.e.: How to set up CNAME to point to Azure
or the text within the azure portal:
Why is this necessary in the first place? Why does pointing the domain name through an A record not prove that I am the owner of the domain?
I mean.. how can you otherwise change a DNS record in the first place?
What abuse does this rule prevent?
Best Answer
If you have control of a DNS lookup for a computer, or are able to inject a host record, then you could spoof an A record for that machine and point it to an Azure website (there's actually nothing to stop you doing that for a VM though)
By making you create a cname record, and independently verifying it (via their internal / public DNS system), it means that you do have control over the domain, and you're not spoofing somebody else's domain.