I am looking to create an Azure managed application, and I want a service to be able to consume the notifications sent to the "Notification Endpoint" HTTPS webhook. Currently, the documentation provides the following two steps to secure the webhook endpoint and authenticate the request coming from Azure.
- Provide a query parameter on top of the webhook URI, like this: https://your-endpoint.com?sig=Guid. With each notification, check that the query parameter sig has the expected value Guid.
- Issue a GET on the managed application instance by using applicationId. Validate that the provisioningState matches the provisioningState of the notification to ensure consistency.
My questions pertain to both these steps.
First, how do I set up the expected value for Guid? Do I just set up an arbitrary new GUID that I am supposed to keep as a secret somewhere?
Second, how do I grant permission for my service to perform the GET operation on the managed application instance? Is there a way I can grant a role to a principal ID to the managed application instance itself during deployment? I know I can grant authorization to the managed resource group, but how can I grant a role to the managed application instance?
Thank you.
Provide a query parameter on top of the webhook URI, like this: https://your-endpoint.com?sig=Guid. With each notification, check that the query parameter sig has the expected value Guid.
• Create a GUID using PowerShell with the command below:
• Register the GUID in the partner center.
• Add the GUID to the Resource Manager Template
Reference : https://learn.microsoft.com/en-us/azure/marketplace/azure-partner-customer-usage-attribution
Second, how do I grant permission for my service to perform the GET operation on the managed application instance? Is there a way I can grant a role to a principal ID to the managed application instance itself during deployment? I know I can grant authorization to the managed resource group, but how can I grant a role to the managed application instance?
If you register your managed application in Azure AD, then no additional permissions are required. You will be performing the GET operation in the same way as the POST operation.
Reference : https://learn.microsoft.com/en-us/azure/marketplace/azure-app-apis
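The two checks from the quoted documentation (the sig query parameter and the provisioningState comparison) as a small receiver, written as an added example for this thread; it is not code from the question, the answer or Microsoft. The secret GUID, the notification body and the resource returned by the "GET" are all constructed here so it runs offline: `get_application` is a hypothetical injected callable standing in for the Resource Manager GET that the answer says the Azure AD app registration would perform with a bearer token (the exact management endpoint and api-version are not given on this page and are left out). The field names `applicationId`, `provisioningState` and `eventType` follow the terms used in the question; treat the sample payload shape as an assumption.

```python
import hmac
import json
import uuid
from urllib.parse import parse_qs, urlparse

# Constructed example secret. In practice generate it once (e.g. PowerShell New-Guid),
# register it as the answer describes, and load it from a secret store at runtime.
EXPECTED_SIG = "7c2d1a5e-4f3b-4b8a-9c0e-2f6d8e1a3b47"


def new_webhook_secret() -> str:
    """Return a fresh random GUID suitable as the 'sig' value (same idea as New-Guid)."""
    return str(uuid.uuid4())


def sig_is_valid(request_url: str, expected: str = EXPECTED_SIG) -> bool:
    """Step 1: the 'sig' query parameter must equal the registered GUID.

    Exactly one 'sig' value is accepted, and the comparison is constant-time so a
    forged request cannot recover the secret byte by byte from response timing.
    """
    params = parse_qs(urlparse(request_url).query)
    values = params.get("sig", [])
    if len(values) != 1:
        return False
    return hmac.compare_digest(values[0].encode("utf-8"), expected.encode("utf-8"))


def provisioning_state_matches(notification: dict, get_application) -> bool:
    """Step 2: fetch the managed application by applicationId and compare its
    provisioningState with the one claimed in the notification.

    get_application(application_id) is a hypothetical injected callable returning the
    application resource as a dict (or None); a real service would issue the GET
    against Azure Resource Manager with a token for its Azure AD app registration.
    """
    app_id = notification.get("applicationId")
    if not app_id:
        return False
    resource = get_application(app_id)
    if not resource:
        return False
    actual = resource.get("properties", {}).get("provisioningState")
    return actual is not None and actual == notification.get("provisioningState")


def handle_notification(request_url: str, body: str, get_application):
    """Accept a notification only if both checks pass. Returns (accepted, reason)."""
    if not sig_is_valid(request_url):
        return False, "sig mismatch"
    try:
        notification = json.loads(body)
    except ValueError:
        return False, "malformed body"
    if not provisioning_state_matches(notification, get_application):
        return False, "provisioningState mismatch"
    return True, notification.get("eventType", "unknown")


# --- Constructed sample data (not captured from Azure) -------------------------
APP_ID = ("subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg"
          "/providers/Microsoft.Solutions/applications/demo-app")

FAKE_ARM = {APP_ID: {"id": "/" + APP_ID, "properties": {"provisioningState": "Succeeded"}}}


def fake_get_application(application_id: str):
    """Stand-in for the Resource Manager GET so the example runs offline."""
    return FAKE_ARM.get(application_id.lstrip("/"))


GOOD_NOTIFICATION = json.dumps({
    "eventType": "PUT",
    "applicationId": APP_ID,
    "eventTime": "2024-01-01T00:00:00.0000000Z",
    "provisioningState": "Succeeded",
})
FORGED_NOTIFICATION = json.dumps({
    "eventType": "DELETE",
    "applicationId": APP_ID,
    "eventTime": "2024-01-01T00:00:00.0000000Z",
    "provisioningState": "Deleting",   # the GET still says Succeeded, so this is rejected
})

GOOD_URL = "https://your-endpoint.com/notify?sig=" + EXPECTED_SIG
BAD_URL = "https://your-endpoint.com/notify?sig=" + new_webhook_secret()

if __name__ == "__main__":
    print(handle_notification(GOOD_URL, GOOD_NOTIFICATION, fake_get_application))
    print(handle_notification(BAD_URL, GOOD_NOTIFICATION, fake_get_application))
    print(handle_notification(GOOD_URL, FORGED_NOTIFICATION, fake_get_application))
```

The sig check is done before the body is parsed, so a caller without the secret never reaches the JSON or the Resource Manager call; a repeated `sig` parameter is rejected rather than taking the first value, and the comparison uses `hmac.compare_digest` instead of `==`.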