Forum Discussion
Jeanmik
Jan 24, 2023 · Copper Contributor
What is the best way for a marketplace offering to impersonate a customer's "app registration"?
Hello!
I'm currently exploring the Azure Marketplace and I would like to build and deploy a product that can authenticate as a customer's "App registration" to obtain the privileges of that app registration and do some actions.
What would be the best and most secure way for a customer installing my product from the marketplace to grant my product the authorization to impersonate the app registration to execute actions?
I would like to avoid generating a credentials set and have the customer pass this in the install wizard.
Any hints?
Thanks!
- SatishBodduMicrosoft
Hello Jeanmik,
Welcome to Marketplace Community!
When a customer installs an app from Azure Marketplace, the app is deployed to their subscription and they are prompted to provide the necessary permissions for the app to run. The app developer can create the Managed Identity and configure it in their app. Your product uses the Azure managed identity to authenticate and access the customer's resources.
As a publisher, we provide managed applications which get deployed in the customer's subscription, and as a publisher we have access to manage the deployed resources in that Resource Group.
Please watch this YouTube video by "David Starr", who is a Principal Software Engineer working with partners that sell their Applications on the Azure Marketplace: Azure Managed Applications and the Azure Marketplace
Azure Managed Identities: What are managed identities for Azure resources?
The resource group containing the resources which are part of the Managed Application is “locked” for the customer. The customer has read-only access to the resources in this resource group. As a result, the customer cannot accidentally delete or update the resources which are part of the Managed application. The publisher of the managed application, however, gets the required permissions which enable him to maintain, service and upgrade the application in the customer’s tenant. These permissions are defined by the typical Azure RBAC roles. Ref.
Additional articles to go through:
MS Learn: Sell through the commercial marketplace
GitHub Samples: Microsoft Marketplace Resources Index
Azure Managed Application samples
I hope this helps with your initial query; please comment in the below section if you need further help in this matter!
- JeanmikCopper Contributor
SatishBoddu, hello! Thank you for your quick response!
I am unsure what you are referring to by saying "and they are prompted to provide the necessary permissions for the app to run". I don't think I have seen that form in the wizard?
How can my resources in the "managed resource group" (for example, a container) use a managed identity provided by the customer? How does the customer pass that managed identity to my services?
I've also watched the YouTube video but it doesn't cover that part.
Thanks!
- SatishBodduMicrosoft
Hello Jeanmik,
We have to publish applications which use the Managed Identity for accessing resources. And if you need any more inputs from the user, then the UI definition file is used for that purpose. Your deployment template file should contain the definition to deploy those identities as well.
Publishing
Partners publish their Managed Applications to Azure Marketplace using the Cloud Partner Portal. The main components required are
a) the template files, which describe the resources that will be provisioned, and
b) the UI definition file, which describes how the required inputs for provisioning these resources will be displayed in the portal.
The required files are packaged in a .zip file and uploaded through the publishing portal.
Below is the screenshot from the publishing portal, and more detailed instructions can be found here.
Please have a look at the section below; I hope this may help with adding the identity to our resource which will be deployed.
Adding Managed Identity
Creating a Managed Application with a Managed Identity requires an additional property to be set on the Azure resource. The following example shows a sample identity property:
{
  "identity": {
    "type": "SystemAssigned, UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserassignedidentity": {}
    }
  }
}
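Added example (not from this thread or from Microsoft's samples) of how the identity the customer selects in the install wizard reaches a resource in the managed resource group: a mainTemplate.json fragment whose `identity` parameter is assumed to receive the output of a Microsoft.ManagedIdentity.IdentitySelector control in createUiDefinition.json, and which stamps that object onto a container group. The parameter name, resource name and container image are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "identity": {
      "type": "object",
      "metadata": {
        "description": "Assumed to be wired in createUiDefinition.json outputs to the value of a Microsoft.ManagedIdentity.IdentitySelector control, i.e. an object of the shape { \"type\": \"UserAssigned\", \"userAssignedIdentities\": { \"<identity resource id>\": {} } } chosen by the customer from an identity they own."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": { "description": "Region of the managed resource group." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2021-09-01",
      "name": "worker",
      "location": "[parameters('location')]",
      "identity": "[parameters('identity')]",
      "properties": {
        "osType": "Linux",
        "containers": [
          {
            "name": "worker",
            "properties": {
              "image": "mcr.microsoft.com/azuredocs/aci-helloworld",
              "resources": { "requests": { "cpu": 1, "memoryInGB": 1.5 } }
            }
          }
        ]
      }
    }
  ]
}
```

Because the whole identity object comes from the customer, no client secret or certificate ever passes through the wizard; the code running in the container requests tokens for that identity from the Azure instance metadata endpoint, and the customer controls which RBAC roles the identity holds and at what scope.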