How can I update image or do other maintenance in customer tenants deployed from Marketplace?

Sebastian Kozub 0 Reputation points
2024-10-29T09:13:41.05+00:00

I am working on an application that will be deployed by the customer to his subscription by using an Azure Marketplace offer. It is deployed with an ARM template. I have attached an identity to the template. My question is how can I get into the customer subscription from my C# application code to manage this group, for example to change the image of some container app or tweak some settings inside the managed resource group.
Of course, the application is deployed as a publisher-managed app.


1 answer

  1. Amira Bedhiafi 31,416 Reputation points Moderator
    2025-05-06T12:20:21.3966667+00:00

    Hello Sebastian!

    Thank you for posting on Microsoft Learn.

    When you're publishing via Azure Marketplace using a Managed Application, and it's deployed to a customer’s subscription, you do not get default access to the customer's resources unless you specifically configure it that way during offer setup and ARM template deployment.

    When creating your offer, make sure:

    • The application is set up as a Managed Application (not just a normal ARM template offer).
    • It deploys into a Managed Resource Group that you (the publisher) have access to, and the customer does not.

    When you publish the application:

    • Assign a UAMI or Service Principal to have contributor (or more limited) rights in the Managed Resource Group.

    In your C# backend or automation, authenticate using this identity.

    If your C# application runs outside, it can authenticate with Azure and access the Managed Resource Group using an identity with RBAC permissions:

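    using Azure;
    using Azure.Core;
    using Azure.Identity;
    using Azure.ResourceManager;
    using Azure.ResourceManager.AppContainers;
    using Azure.ResourceManager.Resources;

    // subscriptionId and managedResourceGroupName identify the customer's deployment.
    // DefaultAzureCredential must resolve to the identity that holds the RBAC assignment.
    var credential = new DefaultAzureCredential();
    var armClient = new ArmClient(credential);
    var subscription = armClient.GetSubscriptionResource(new ResourceIdentifier($"/subscriptions/{subscriptionId}"));
    // The explicit type unwraps the Response<ResourceGroupResource> returned by the call.
    ResourceGroupResource managedResourceGroup = await subscription.GetResourceGroupAsync(managedResourceGroupName);

    var containerApps = managedResourceGroup.GetContainerApps();
    await foreach (var app in containerApps)
    {
        Console.WriteLine($"Found container app: {app.Data.Name}");

        // Sets the image of the first container in every app in the group.
        app.Data.Template.Containers[0].Image = "your-new-image:tag";
        // UpdateAsync takes a WaitUntil argument; Completed waits for the operation to finish.
        await app.UpdateAsync(WaitUntil.Completed, app.Data);
    }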
    
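A narrower variant of the update in the answer above, as an added example that is not part of the original post or the SDK's own samples: it targets one container app and one container by name, and refuses any image reference that is not digest-pinned and hosted in a single expected registry, so an unexpected reference never reaches the customer's managed resource group. The subscription ID, resource names, registry and digest are constructed placeholders, and `IsTrustedImage` is a hypothetical helper.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.AppContainers;

// Constructed placeholder values; substitute the real deployment's details.
const string subscriptionId = "00000000-0000-0000-0000-000000000000";
const string managedResourceGroupName = "mrg-example";
const string containerAppName = "example-app";
const string containerName = "example-container";
const string allowedRegistry = "example.azurecr.io";
string newImage = $"{allowedRegistry}/example-app@sha256:{new string('0', 64)}";

if (!IsTrustedImage(newImage, allowedRegistry))
    throw new ArgumentException($"Refusing image reference: {newImage}");

var armClient = new ArmClient(new DefaultAzureCredential());

// Address exactly one container app by resource ID instead of enumerating the group.
ResourceIdentifier appId = ContainerAppResource.CreateResourceIdentifier(
    subscriptionId, managedResourceGroupName, containerAppName);
ContainerAppResource app = await armClient.GetContainerAppResource(appId).GetAsync();

// Pick the container by name; index 0 may be a sidecar in a multi-container app.
var container = app.Data.Template.Containers.FirstOrDefault(c => c.Name == containerName)
    ?? throw new InvalidOperationException($"No container named {containerName}");

if (container.Image == newImage)
{
    Console.WriteLine($"{containerAppName} already runs {newImage}");
    return;
}

Console.WriteLine($"{containerAppName}/{containerName}: {container.Image} -> {newImage}");
container.Image = newImage;
await app.UpdateAsync(WaitUntil.Completed, app.Data);

// Hypothetical helper: accept only digest-pinned references
// (registry/repository@sha256:<64 hex chars>) from the one allowed registry.
static bool IsTrustedImage(string image, string registry) =>
    Regex.IsMatch(image, "^" + Regex.Escape(registry) + @"/[a-z0-9._/-]+@sha256:[0-9a-f]{64}\z");
```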