What is the best way for a marketplace offering to impersonate a customer's "app registration"?

Hello!

I'm currently exploring the Azure Marketplace and I would like to build and deploy a product that can authenticate as a customer's "App registration" to obtain the privileges of that app registration and do some actions.

What would be the best and most secure way for a customer installing my product from the marketplace to grant my product the authorization to impersonate the app registration to execute actions?

I would like to avoid generating a credentials set and having the customer pass this in the install wizard.

Any hints?

Thanks!

Hello @Jeanmik,

Welcome to the Marketplace Community!

When a customer installs an app from Azure Marketplace, the app is deployed to their subscription and they are prompted to provide the necessary permissions for the app to run. The app developer can create the Managed Identity and configure it in their app. Your product uses the Azure managed identity to authenticate and access the customer's resources.

As a publisher we provide managed applications which get deployed in the customer's subscription, and as a publisher we have access to manage the deployed resources within that Resource Group.

Please watch this YouTube video by "David Starr", who is a Principal Software Engineer working with partners that sell their Applications on the Azure Marketplace: Azure Managed Applications and the Azure Marketplace

 

Azure Managed Identities : What are managed identities for Azure resources? 


The resource group containing the resources which are part of the Managed Application is "locked" for the customer. The customer has read-only access to the resources in this resource group. As a result, the customer cannot accidentally delete or update the resources which are part of the Managed Application. The publisher of the managed application, however, gets the required permissions which enable him to maintain, service and upgrade the application in the customer's tenant. These permissions are defined by the typical Azure RBAC roles. Ref.

 

Additional articles to go through:

MS Learn: Sell through the commercial marketplace

GitHub Samples: Microsoft Marketplace Resources Index

Azure Managed Application samples

I hope this helps with your initial query, please comment in the below section if you need further help in this matter!

@SatishBoddu Hello! Thank you for your quick response!

I am unsure what you are referring to by saying "and they are prompted to provide the necessary permissions for the app to run". I don't think I have seen that form in the wizard?

How can my resources in the "managed resource group" (for example, a container) use a managed identity provided by the customer? How does the customer pass that managed identity to my services?

I've also watched the YouTube video but it doesn't cover that part.

Thanks!

Solution (best response confirmed by Jeanmik)

Hello @Jeanmik

We have to publish applications which use the Managed Identity for accessing resources. And if you need any more inputs from the user, then the UI definition file is used for that purpose. Your deployment template file should contain the definition to deploy those identities as well.

Publishing

Partners publish their Managed Applications to Azure Marketplace using the Cloud Partner Portal. The main components required are

a) the template files, which describe the resources that will be provisioned, and

b) the UI definition file, which describes how the required inputs for provisioning these resources will be displayed in the portal.

The required files are packaged in a .zip file and uploaded through the publishing portal.

Below is the screenshot from the publishing portal, and more detailed instructions can be found here.

[screenshot: publishing portal]

Please have a look at the section below; I hope this may help on adding the Identity to our Resource which will be deployed.

Adding Managed Identity

Creating a Managed Application with a Managed Identity requires an additional property to be set on the Azure resource. The following example shows a sample identity property:

{
  "identity": {
    "type": "SystemAssigned, UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserassignedidentity": {}
    }
  }
}

I'll do some POC with the Managed Identity and see if I can get this working :)
Thanks for your help!