Azure Managed Application

Azure Managed Application is not widely used, just to create it we must use ARM templates. Sometimes it is a must when you want to deploy a solution via Azure Marketplace. Managed Application is simply a set of Azure Resources that usually can not be managed/modify by the person who deploys it but by the creator. So it is a very useful way to distribute an application across your organization or via mentioned Azure Marketplace. You can start with this simple code:

az login –tenant $tenant
az account set -s $Subscribtion

az group create –name ManagedApp –location eastus

az storage account create –name mfmanagedapp –resource-group ManagedApp –location eastus –sku Standard_LRS –kind StorageV2

az storage container create –account-name mfmanagedapp –name appcontaineroracle –public-access blob

az storage blob upload –account-name mfmanagedapp –container-name appcontaineroracle –name “” –file “”

$groupid=$(az ad group show –group group_in_azure_ad –query objectId –output tsv)

$ownerid=$(az role definition list –name user_in_azure_ad –query [].name –output tsv)

az group create –name appDefinitionGroup –location westcentralus

$blob=$(az storage blob url –account-name mfmanagedapp –container-name appcontaineroracle –name –output tsv)


az managedapp definition create –name “ManagedStorageMF” –location “westcentralus” –resource-group appDefinitionGroup –lock-level ReadOnly –display-name “Managed Storage Account MF” –description “Managed Azure Storage Account MF” –authorizations “groupid:ownerid” –package-file-uri “$blob”

There is guid of group and user who will be able to manage this Managed Application.

After that you will see this app in Service catalog managed application definitions:

After that, you can deploy this managed application.

Here is an example of an application with simply Storage Account as a resource only, but you can include every resource from azure in Manage Application. If you delete deployed application the resource group that you deploy managed application will be deleted.

Please be aware that in this example the definition of Managed Application is in – that first must be uploaded to the blob storage account. Sometimes we need to know which storage account contains the definition, unfortunately, it is not visible in the portal even if you export deployment or arm definition. Fortunately, there is an API that can provide some information about this:

There is an example:


“isEnabled”: true,

“lockLevel”: “ReadOnly”,

“displayName”: “Managed Storage Account MF”,

“description”: “Managed Azure Storage Account MF”,

“artifacts”: [


“name”: “ApplicationResourceTemplate”,

“type”: “Template”,

“uri”: “”



“name”: “CreateUiDefinition”,

“type”: “Custom”,

“uri”: “ /resourceGroups/appDefinitionGroup/providers/Microsoft.Solutions/applicationDefinitions/ManagedStorageMF/applicationArtifacts/CreateUiDefinition?api-version=2017-09-01”



“name”: “MainTemplateParameters”,

“type”: “Custom”,

“uri”: “ /resourceGroups/appDefinitionGroup/providers/Microsoft.Solutions/applicationDefinitions/ManagedStorageMF/applicationArtifacts/MainTemplateParameters?api-version=2017-09-01”




“id”: “/subscriptions/ /resourceGroups/appDefinitionGroup/providers/Microsoft.Solutions/applicationDefinitions/ManagedStorageMF”,

“name”: “ManagedStorageMF”,

“type”: “Microsoft.Solutions/applicationDefinitions”,

“location”: “westcentralus”