How to deploy a managed application with an identity having permissions within the managed resource group?

Question

When deploying a marketplace managed app offer into a customer subscription, you can create an identity in the managed resource group associated with the managed application. However, in order for that identity to have any permissions, it must be assigned a role.

When the publisher and customer are in the same tenant, the roleAssignment can be created as expected and the identity has permissions within the managed resource group.

However, when the customer is in a different tenant (and active directory), then I get the following error:

Principal not found in tenant '[PUBLISHER TENANT ID]'. If you are attempting to PUT this role assignment in tenant '[CUSTOMER TENANT ID]' then the delegatedManagedIdentityResourceId property must be specified

Looking into the mentioned delegatedManagedIdentityResourceId, it gets pretty hairy pretty quickly and I'm not sure that's the path I want to go down or if it would even get me where I need to be, which is to have an identity in the managed resource group which has permissions to do read/write operations within the managed resource group.

Thank you.

Answer 1

For managed applications published in the marketplace, as you are aware the publisher and the customer are present in different tenants.

Now, when the application is deployed by the customer, the intent is that the publisher is the one who will manage the resources within the managed resource group. Because of this any role assignment that happens as part of the template will happen in the PUBLISHER's tenant. So this means that when looking for principals to assign to the role definition, the deployment will only look for principals in the PUBLISHER tenant.

In the cases like yours, where the managed identity is created as part of the template itself, the identity is created in the customers tenant, but if you try to create the role assignment it would fail since it will not find the identity itself in the publishers tenant. To get around this you need to specify the "delegatedManagedIdentityResourceId" property. The value for this should be the resourceId of the resource for which the managed identity is created.

• For System assigned identity this will be the resource id of the resource having the identity (Eg The resource id of the Function App \ Logic App)
• For User assigned , it will the resource id of the identity itself.

Answer 2

So I had some luck with the following:

1. Create a Managed Identity Scoped to resourceGroup().id as Owner - this Identity seems to only be scoped to the Customer's Tenant (I was unable to perform anything with the Identity that required any kind of subscription/resource access... interestingly enough when logged in as a Publisher I can see this identity was granted Owner however logged in as a customer revealed nothing?

3. Create a second Managed Identity - and put the (1) Managed Identity as the delegatedManagedIdentityResourceId this seemed to generate a Managed Identity that is now scoped to the Customer so this second identity seems to be able to have roles assigned to it.

I'm still not fully sure why I needed to do this... but now when I assign my consumer Managed Identity to a VM in my managed solution, this vm is able to access all the resources in the managed resource group. Whereas assigning the VM the first managed identity caused me problems.

ARM

        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "apiVersion": "2018-11-30",
            "name": "publisherMI",
            "location": "[parameters('location')]"
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2021-04-01-preview",
            "name": "[guid('bootstrapRoleAssignmentId')]",
            "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'publisherMI')]"
            ],
            "properties": {
                "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'publisherMI'), '2018-11-30').principalId]",
                "scope": "[resourceGroup().id]",
                "principalType": "ServicePrincipal"
            }
        },
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "apiVersion": "2018-11-30",
            "name": "consumerMI",
            "location": "[parameters('location')]"
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2021-04-01-preview",
            "name": "[guid('consumerMiRoleAssignmentId')]",
            "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'consumerMI')]",
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'publisherMI')]"
            ],
            "properties": {
                "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'consumerMI'), '2018-11-30').principalId]",
                "scope": "[resourceGroup().id]",
                "principalType": "ServicePrincipal",
                "delegatedManagedIdentityResourceId" : "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'publisherMI')]"
            }
        },

Answer 3

Managed Identity resource can access resource only in its own tenant. At present Managed Identity does not support cross tenant scenarios. Please refer to known issues in official Microsoft documentation.

Answer 4

I ran into exact same issue. My case is also on publishing managed application via marketplace offer. There are actually 2 related issues on this.

1. Assigning a role to the managed resource group will fail during deployment.

Note that this is a user in customer's tenant deploying this managed application from marketplace. However, this roleAssignments block is trying to locate the principal from publisher's tenant. But the system generated identity is created in customer's tenant since managed application is deployed onto customer's tenant after all.

2.

The managed identity created from mainTemplate.json (either a User Managed Identity or System Managed Identity) is not able to access any resource from within the mainTemplate.json. This is due to the deny statement created by marketplace. So even if a role assignment is targeting a resource within the template, the deployment will show success but the actual assignment will not be created.

So the workaround is to create an application in the publisher's AD and add it to a dedicated group, as discussed here

Then create a client secret for this application. This will give this client id full permission to all resources (being in the admin group after all). Then any application code running in the managed resource group will have to authenticate with the AD with the credentials. A key vault should be created to store the credentials to prevent customer from being able to read it.

At the end of the day, this approach is needed if your application code needs to execute azure management API to read information.