App Registration for Managed Application

Riccardo Sacchetto 0 Reputation points
2023-09-16T18:23:21.56+00:00

Good morning.

I'm currently trying to create an application designed to run natively on Azure App Service leveraging a PostgreSQL Flexible Server, using Entra ID for authentication (with OAuth2) and relying on the Graph API to interact (through application permissions) with Teams and SharePoint.

My final objective is to create a Managed Application that, once listed in the Commercial Marketplace, can be freely downloaded by whoever wants to install it on their Tenant.

The problem I'm trying to solve, in fact, regards exactly this last point: if I want the application to be installable in an arbitrary Tenant, I need to fully automate its deployment.

The creation of Azure resources is - obviously - straightforward: using a Bicep template I can easily deploy the App Service, Database and Virtual Network needed to link them. With the App Registration needed to use OAuth2 and the Graph API, however, there seems to be nothing I can do: the ARM template itself can't create it, as it resides in Entra and has nothing to do with Azure Resources, and all the guides that teach how to work around this issue with Deployment Scripts (like this QuickStart template) assume that I have prior access to the target Tenant to create a User Assigned Managed Identity via PowerShell, but this is not the case!

So my question is: what is the best practice to deal with this situation? I can obviously create a multitenant registration in my Tenant and then bundle the secrets in the installations, making them Publisher-managed and restricting Customer access, but it doesn't feel quite secure...

Thank you in advance to anyone who will dedicate some time to share some advice.

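For readers unfamiliar with the Deployment Script workaround the question refers to, the following is an added illustration (not code from the original post or from any Microsoft template) of the pattern: a Bicep `Microsoft.Resources/deploymentScripts` resource that runs Azure PowerShell under a user-assigned managed identity to create the Entra app registration alongside the Azure resources. The parameter names (`scriptIdentityId`, `appDisplayName`, `redirectUri`) and the script name are assumptions chosen for this example. It assumes the managed identity already exists in the target tenant and has been granted the Microsoft Graph `Application.ReadWrite.All` application permission; that prerequisite is precisely the prior tenant access the question says a Marketplace installer does not have.

```bicep
// Added example, not from the original post: create an Entra app registration
// from a Bicep deployment via a deployment script.
// ASSUMPTION: the user-assigned managed identity passed in scriptIdentityId
// already exists in the target tenant and holds Graph Application.ReadWrite.All.
param location string = resourceGroup().location
param appDisplayName string
param scriptIdentityId string   // resource ID of the pre-provisioned UAMI (assumed)
param redirectUri string        // e.g. the App Service's Entra callback URL (assumed)

resource createAppReg 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'create-app-registration'
  location: location
  kind: 'AzurePowerShell'
  // The script runs as this identity; without Graph rights on it, New-AzADApplication fails.
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${scriptIdentityId}': {}
    }
  }
  properties: {
    azPowerShellVersion: '10.0'
    retentionInterval: 'P1D'
    cleanupPreference: 'OnSuccess'
    // Bicep does not interpolate inside ''' strings, so values are passed as arguments.
    arguments: '-DisplayName "${appDisplayName}" -RedirectUri "${redirectUri}"'
    scriptContent: '''
      param([string] $DisplayName, [string] $RedirectUri)
      $ErrorActionPreference = 'Stop'

      # Reuse an existing registration with the same name so redeployments are idempotent.
      $app = Get-AzADApplication -DisplayName $DisplayName
      if (-not $app) {
        # Single-tenant registration owned by the customer tenant, not the publisher.
        $app = New-AzADApplication -DisplayName $DisplayName `
          -SignInAudience 'AzureADMyOrg' `
          -ReplyUrls @($RedirectUri)
      }

      # A service principal is required before any permission can be granted to the app.
      if (-not (Get-AzADServicePrincipal -ApplicationId $app.AppId)) {
        New-AzADServicePrincipal -ApplicationId $app.AppId | Out-Null
      }

      # Values surfaced back to the template; no client secret is created or exported here.
      $DeploymentScriptOutputs = @{}
      $DeploymentScriptOutputs['clientId'] = $app.AppId
      $DeploymentScriptOutputs['objectId'] = $app.Id
    '''
  }
}

// Feed the client ID into the App Service authentication settings elsewhere in the template.
output clientId string = createAppReg.properties.outputs.clientId
output appObjectId string = createAppReg.properties.outputs.objectId
```

Two points worth checking before relying on this in a customer tenant: the script deliberately does not mint a client secret, because each tenant owning its own registration is what removes the need to ship a publisher secret in the installation (the very concern raised above), and the Graph application permissions for Teams and SharePoint still require admin consent in the customer tenant, which no deployment identity grants on its own.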

1 answer

    Konstantinos Passadis
    2023-09-16T22:26:37.8966667+00:00

    Hello @Riccardo Sacchetto !

    Welcome to Microsoft QnA!

    I understand your issue to be about giving your app the ability to be installed from multiple tenants.

    There is a specific link that points to Azure Managed Applications and all the steps required to do that:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-service-catalog-app?tabs=azure-powershell

    AND:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/deploy-marketplace-app-quickstart

    AND HERE:

    https://learn.microsoft.com/en-us/partner-center/marketplace/azure-app-offer-setup?toc=%2Fazure%2Fazure-resource-manager%2Fmanaged-applications%2Ftoc.json

    I believe you will find everything you need there !

    You most probably need to make the app multi-tenant when registering it, but this is just a small detail.


    I hope this helps!

    Kindly mark the answer as accepted and upvote, or post your feedback to get additional help!

    Regards!