Publish an Azure managed application definition

This quickstart provides an introduction to working with managed applications. You add a managed application definition to an internal catalog for users in your organization. To simplify the introduction, we have already built the files for your managed application. Those files are available through GitHub. You learn how to build those files in the Create service catalog application tutorial.

When you're finished, you have a resource group named appDefinitionGroup that has the managed application definition.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. Example of Try It for Azure Cloud Shell
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Launch Cloud Shell in a new window
Select the Cloud Shell button on the top-right menu bar in the Azure portal. Cloud Shell button in the Azure portal

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

Create a resource group for definition

Your managed application definition exists in a resource group. The resource group is a logical collection into which Azure resources are deployed and managed.

To create a resource group, use the following command:

az group create --name appDefinitionGroup --location westcentralus

Create the managed application definition

When defining the managed application, you select a user, group, or application that manages the resources for the consumer. This identity has permissions on the managed resource group according to the role that is assigned. Typically, you create an Azure Active Directory group to manage the resources. However, for this article, use your own identity.

To get the object ID of your identity, provide your user principal name in the following command:

userid=$(az ad user show --id example@contoso.org --query objectId --output tsv)

Next, you need the role definition ID of the RBAC built-in role you want to grant access to the user. The following command shows how to get the role definition ID for the Owner role:

roleid=$(az role definition list --name Owner --query [].name --output tsv)

Now, create the managed application definition resource. The managed application contains only a storage account.

az managedapp definition create \
  --name "ManagedStorage" \
  --location "westcentralus" \
  --resource-group appDefinitionGroup \
  --lock-level ReadOnly \
  --display-name "Managed Storage Account" \
  --description "Managed Azure Storage Account" \
  --authorizations "$userid:$roleid" \
  --package-file-uri "https://github.com/Azure/azure-managedapp-samples/raw/master/Managed%20Application%20Sample%20Packages/201-managed-storage-account/managedstorage.zip"

When the command completes, you have a managed application definition in your resource group.

Some of the parameters used in the preceding example are:

  • resource-group: The name of the resource group where the managed application definition is created.
  • lock-level: The type of lock placed on the managed resource group. It prevents the customer from performing undesirable operations on this resource group. Currently, ReadOnly is the only supported lock level. When ReadOnly is specified, the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock.
  • authorizations: Describes the principal ID and the role definition ID that are used to grant permission to the managed resource group. It's specified in the format of <principalId>:<roleDefinitionId>. If more than one value is needed, specify them in the form <principalId1>:<roleDefinitionId1> <principalId2>:<roleDefinitionId2>. The values are separated by a space.
  • package-file-uri: The location of a .zip package that contains the required files. The package must have the mainTemplate.json and createUiDefinition.json files. mainTemplate.json defines the Azure resources that are created as part of the managed application. The template is no different than a regular Resource Manager template. createUiDefinition.json generates the user interface for users who create the managed application through the portal.

Next steps

You've published the managed application definition. Now, learn how to deploy an instance of that definition.