App Registration for Managed Application

Riccardo Sacchetto 0 Reputation points
2023-09-16T18:23:21.56+00:00

Good morning.

I'm currently trying to create an application designed to run natively on Azure App Service leveraging a PostgreSQL Flexible Server, using Entra ID for authentication (with OAuth2) and relying on the Graph API to interact (through application permissions) with Teams and Sharepoint.

My final objective is to create a Managed Application that, once listed in the Commercial Marketplace, can be freely downloaded by whoever wants to install it on their Tenant.

The problem I'm trying to solve, in fact, regards exactly this last point: if I want the application to be installable in an arbitrary Tenant, I need to fully automate its deployment.

The creation of Azure resources is - obviously - straightforward: using a Bicep template I can easily deploy the App Service, Database and Virtual Network needed to link them. With the App Registration needed to use OAuth2 and the Graph API, however, there seems to be nothing I can do: the ARM template itself can't create it, as it resides in Entra and has nothing to do with Azure Resources, and all the guides that teach how to work around this issue with Deployment Scripts (like this QuickStart template) assume that I have prior access to the target Tenant to create a User Assigned Managed Identity via PowerShell, but this is not the case!

So my question is: what is the best practice to deal with this situation? I can obviously create a multitenant registration in my Tenant and then bundle the secrets in the installations making them Publisher-managed and restricting the Customer access, but it doesn't feel quite secure...

Thank you in advance to anyone who will dedicate some time to share some advice.


2 answers

  1. Konstantinos Passadis 19,166 Reputation points MVP
    2023-09-16T22:26:37.8966667+00:00

    Hello @Riccardo Sacchetto !

    Welcome to Microsoft QnA!

    I understand your issue to be able to provide your APP the ability to be installed from Multiple Tenants

    There is a specific link that points to Azure Managed Applications and all the steps required to do that:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-service-catalog-app?tabs=azure-powershell

    AND:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/deploy-marketplace-app-quickstart

    AND HERE:

    https://learn.microsoft.com/en-us/partner-center/marketplace/azure-app-offer-setup?toc=%2Fazure%2Fazure-resource-manager%2Fmanaged-applications%2Ftoc.json

    I believe you will find everything you need there!

    You most probably need to make the App able for Multi-Tenancy when registered, but this is just a small detail


    I hope this helps!

    Kindly mark the Answer as Accepted and upvote or post your feedback to provide additional help!

    Regards!


  2. Marilee Turscak-MSFT 36,851 Reputation points Microsoft Employee
    2023-09-28T23:21:02.1166667+00:00

    Hi @Riccardo Sacchetto ,

    I understand that you are trying to automate the creation of an app registration and then provide its ID and Secret to the app service so that it can use OAuth2 to authenticate Entra users and access Graph API.

    The best practice for programmatic app registrations would be to create the app registration via Graph API:

    POST https://graph.microsoft.com/beta/applications
    

    https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-beta&tabs=http

    You can generate the application credentials (including client secret) using Graph.

    using Microsoft.Graph;   // Microsoft Graph SDK v4 (request-builder style used below)

    var graphClient = new GraphServiceClient( authProvider );

    // Only the display name is supplied; Graph generates the secret value itself.
    var passwordCredential = new PasswordCredential
    {
        DisplayName = "Password name"
    };

    // POST /applications/{application-id}/addPassword. The returned PasswordCredential
    // carries SecretText, which Graph shows only in this response, so keep the result.
    var result = await graphClient.Applications["{application-id}"]
        .AddPassword(passwordCredential)
        .Request()
        .PostAsync();
    

    https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=csharp#request

    Multi-tenant vs single tenant is based on the signInAudience value. The signInAudience needs to be updated to "signInAudience": "AzureADandPersonalMicrosoftAccount" for multi-tenant apps.

    PATCH https://graph.microsoft.com/v1.0/applications/{id}
    Content-type: application/json

    {
        "signInAudience": "AzureADMyOrg"
    }

    That said, I don't believe Graph supports changing the default 100%, as there is some manual validation involved when switching the account types. This is documented here: Validation differences by supported account types - Microsoft Entra | Microsoft Learn. Screenshot of the manual change in the UX:

    [screenshot]

    https://learn.microsoft.com/en-us/graph/api/application-update?view=graph-rest-1.0&tabs=http
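To put the two Graph calls from this answer together as one deployment-time step, here is an added Python example (not code from the answer or from Microsoft's samples) that creates the registration with signInAudience fixed at creation time, adds a client secret with a bounded lifetime, and returns the one-time secretText. The transport is a plain callable so the flow can be exercised offline with a fake; graph_transport, the Application.ReadWrite.All token it assumes, and the "deployment" credential name are assumptions of the example.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
# Values accepted by the application's signInAudience property.
SIGN_IN_AUDIENCES = {"AzureADMyOrg", "AzureADMultipleOrgs",
                     "AzureADandPersonalMicrosoftAccount", "PersonalMicrosoftAccount"}

def build_application_body(display_name, sign_in_audience):
    """Body for POST /applications; reject bad audiences before calling Graph."""
    if sign_in_audience not in SIGN_IN_AUDIENCES:
        raise ValueError(f"unsupported signInAudience: {sign_in_audience}")
    return {"displayName": display_name, "signInAudience": sign_in_audience}

def build_add_password_body(display_name, lifetime_days):
    """Body for POST /applications/{id}/addPassword with an explicit expiry."""
    end = datetime.now(timezone.utc) + timedelta(days=lifetime_days)
    return {"passwordCredential": {"displayName": display_name,
                                   "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ")}}

def register_application(send, display_name, sign_in_audience, secret_lifetime_days=90):
    """send(method, url, body) -> (status, json). Returns ids plus the one-time secret."""
    status, app = send("POST", f"{GRAPH}/applications",
                       build_application_body(display_name, sign_in_audience))
    if status != 201:
        raise RuntimeError(f"create application failed: {status} {app}")
    status, cred = send("POST", f"{GRAPH}/applications/{app['id']}/addPassword",
                        build_add_password_body("deployment", secret_lifetime_days))
    if status != 200:
        raise RuntimeError(f"addPassword failed: {status} {cred}")
    # secretText appears only in this response: hand it to a vault, never log it.
    return {"objectId": app["id"], "clientId": app["appId"], "keyId": cred["keyId"],
            "secret": cred["secretText"], "expires": cred["endDateTime"]}

def graph_transport(access_token):
    """Real transport over urllib; access_token is assumed to be a Graph bearer token
    for an identity granted Application.ReadWrite.All (acquired elsewhere)."""
    def send(method, url, body):
        req = urllib.request.Request(url, method=method, data=json.dumps(body).encode(),
                                     headers={"Authorization": f"Bearer {access_token}",
                                              "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send
```

Running this inside the customer's tenant at deployment time means the secret is minted there and handed straight to the App Service configuration, rather than being shipped in the package.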

