I'm currently trying to create an application designed to run natively on Azure App Service leveraging a PostgreSQL Flexible Server, using Entra ID for authentication (with OAuth2) and relying on the Graph API to interact (through application permissions) with Teams and SharePoint.
My final objective is to create a Managed Application that, once listed in the Commercial Marketplace, can be freely downloaded by whoever wants to install it on their Tenant.
The problem I'm trying to solve, in fact, regards exactly this last point: if I want the application to be installable in an arbitrary Tenant, I need to fully automate its deployment.
The creation of Azure resources is - obviously - straightforward: using a Bicep template I can easily deploy the App Service, Database and Virtual Network needed to link them. With the App Registration needed to use OAuth2 and the Graph API, however, there seems to be nothing I can do: the ARM template itself can't create it, as it resides in Entra and has nothing to do with Azure Resources, and all the guides that teach how to work around this issue with Deployment Scripts (like this QuickStart template) assume that I have prior access to the target Tenant to create a User Assigned Managed Identity via PowerShell, but this is not the case!
So my question is: what is the best practice to deal with this situation? I can obviously create a multitenant registration in my Tenant and then bundle the secrets in the installations making them Publisher-managed and restricting the Customer access, but it doesn't feel quite secure...
Thank you in advance to anyone who will dedicate some time to share some advice.
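To make the resource side of the question concrete, here is an added Bicep example (not code from the post or from any Microsoft template) showing the part the post calls straightforward, written so that no client secret is bundled with the installation: the App Service runs with a system-assigned managed identity, the PostgreSQL Flexible Server accepts Entra ID authentication only, and the app registration's client ID and secret are supplied as deployment-time parameters by the installer, stored in Key Vault, and read by the site through a Key Vault reference. The parameter names, resource names, and the omission of the Virtual Network are assumptions made for brevity; the API versions and the Key Vault Secrets User role ID are the standard ones.

```bicep
// Added example: App Service + PostgreSQL Flexible Server with no bundled secrets.
// The installer supplies the app registration values at deploy time; nothing is
// hard-coded in the template or the package. (VNet integration is omitted here.)
param location string = resourceGroup().location
param appName string                       // assumed: base name for all resources
param entraClientId string                 // app registration (client) ID, supplied by the installer
@secure()
param entraClientSecret string             // client secret, supplied by the installer, never stored in the template

// Key Vault Secrets User built-in role (read secret contents only)
var kvSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${appName}-plan'
  location: location
  sku: { name: 'B1', tier: 'Basic' }
  kind: 'linux'
  properties: { reserved: true }
}

resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: take('${appName}-kv', 24)
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true           // RBAC instead of access policies
  }
}

// The secret lives only in the customer's own vault.
resource clientSecret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  parent: vault
  name: 'entra-client-secret'
  properties: { value: entraClientSecret }
}

resource site 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  identity: { type: 'SystemAssigned' }      // identity used to read the vault and to reach PostgreSQL
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      linuxFxVersion: 'PYTHON|3.11'         // assumed runtime
      appSettings: [
        { name: 'AZURE_CLIENT_ID', value: entraClientId }
        // Key Vault reference: resolved at runtime by the managed identity, never stored in app settings
        { name: 'AZURE_CLIENT_SECRET', value: '@Microsoft.KeyVault(SecretUri=${clientSecret.properties.secretUri})' }
      ]
    }
  }
}

// Grant the site's managed identity read access to secrets (least privilege).
resource kvRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, site.id, kvSecretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvSecretsUserRoleId)
    principalId: site.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// PostgreSQL with Entra ID authentication only: no database password to bundle or rotate.
resource postgres 'Microsoft.DBforPostgreSQL/flexibleServers@2023-03-01-preview' = {
  name: '${appName}-pg'
  location: location
  sku: { name: 'Standard_B1ms', tier: 'Burstable' }
  properties: {
    version: '16'
    storage: { storageSizeGB: 32 }
    authConfig: {
      activeDirectoryAuth: 'Enabled'
      passwordAuth: 'Disabled'
    }
  }
}

output siteIdentityPrincipalId string = site.identity.principalId
```

The template still cannot create the App Registration itself; it only avoids shipping the registration's credentials inside the package by making the installer provide them. The site's managed identity principal ID is emitted as an output so the installer can add it as an Entra administrator or role on the PostgreSQL server after deployment.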