This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 57.99999999999999%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
We have a Resource Group that loads files into a Azure sql database. The resource group contains adf, sql database, blob storage. As its a commercial offering were keen to ensure access to the resource group is limited by the customer with the exception of consuming the data in the database. Also and importantly restricting access to the resource group would allow us to protect IP and reduce the risk of customer amendments and possibly breaking the process.
I understand that implementing the resource group into a Clients/Customer tenant means their Admin has full access to the resource group. However does the Azure managed applications approach offer a possible solution?
I understand the customer will have limited access to the resource group which we can control however can I check whether the resource group would sit in the clients tenant/subscription or would the resource group still be located in our local tenant? Hope the above makes sense and happy to clarify further.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 70%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Hello @jasejackson-8880 and thank you for your question.
Managed Applications is not one of the areas I work in, but I wanted to let you know of another possible solution.
Azure Data Share can allow you to keep the resource group in your tenant while providing the customer access to the end data. This would protect your IP while still getting the data to the customer. Azure Data Share copies the data from your datastore ( the sql database in your tenant) to the customer's datastore (which sits in the customer's tenant).
Using Azure Data Share in your case actually gives you more options. The customer can opt to receive full snapshots of the tables from your Azure SQL Database into their Azure SQL Database, or choose to receive the same data into their Azure Storage Account (Blob or ADL gen 2).
I am also reaching out internally for more information regarding your question on Managed Applications. If I hear back, I will let you know.
Hello,
Your advice and the share capability is certainly something I will look into further; thanks.
The challenge we have however (which I should have clarified in the initial question) is the data being processed is sensitive and we do not want to store/process (data storing regulations) the data in our tenant whereas the clients already store/process.
Thanks again and I look forward to any further information you maybe able to share
Jase
Hi
Have any of your internal colleagues been able to offer any further insight? Many thanks J
I reached out , but got no response to my first email or my follow-up emial. :(
Hi
Does the Azure Lighthouse capability offer something in this area; basically allow a partner organisation to manage/maintain a resource group in my tenant with only the partner organisation having access to the resource group? This way the data resides in my tenant still.
This way the commercial IP for the partner organisation is protected and me (tenant) owner could put a cost limit on the Resource Group to protect myself from high charges.