Mastering Azure Managed Applications

Hands on workshop

Julio Colon

Senior Software Engineer

David Starr

Principal Software Engineer

Microsoft Code of Conduct

Microsoft’s mission is to empower every person and every organization on the planet to achieve more. This includes all

Microsoft events and gatherings, including on digital platforms, where we seek to create a respectful, friendly, fun and

inclusive experience for all participants.

We expect all digital event participants to uphold the principles of this Code of Conduct, which covers the main digital

event and all related activities. We do not tolerate disruptive or disrespectful behavior, messages, images, or

interactions by any party participant, in any form, at any aspect of the program including business and social activities,

regardless of location.

Microsoft will not tolerate harassment or discrimination based on age, ancestry, color, gender identity or expression,

national origin, physical or mental disability, religion, sexual orientation, or any other characteristic protected by

applicable local laws, regulations, and ordinances.

We encourage everyone to assist in creating a welcoming and safe environment. Please report any concerns, harassing

behavior, suspicious, or disruptive activity to Business Conduct Hotline (1-877-320-MSFT or buscond@microsoft.com).

Microsoft reserves the right to refuse admittance to or remove any person from Microsoft Build at any time at its sole

discretion.

Topics

• Azure Managed

Applications

• Artifacts

• Partner Center

• Integrating VM

Offers

• Metered Billing

• Custom UX

• Managing

Customer

Deployments

• Advanced

Deployment

Scenarios

• Test your

knowledge

• Managed

Idenitites

• And more…

Engagement

Put questions into chat at any

time

Speakers will monitor chat as

we go

Links on slides will be posted

to chat

Please hold verbal questions

until breaks or labs

Azure Applications

Azure Applications

• A type of offer in the

Azure Marketplace

• Deployed via ARM templates into

the customer subscription

• Custom installation UX for customer

Types of Azure Applications

Azure Solution Application

• Deploys into customer tenant

• Customer owns and maintains it

• The publisher has no maintenance

to do on the application

• Not transactable in the Azure

Managed Application

Azure Managed Application

• Deploys to customer subscription

• Publisher owns and maintains it

• The publisher controls the rights

the customer has to the solution

services

• Transactable in the Azure Managed

Application

Service Catalog Deployment

Service catalog

Managed App

definition

Package file in

Storage account

Azure Managed

Application

Azure Managed Applications

What is a Managed Application?

A type of Azure Application

Maintenance of deployed resources is the publisher’s responsibility

Resources are deployed to a resource group managed by the publisher

2 Types – Internal and external

Internal vs. External

Internal

Used for enterprise deployments

Deployed via the Service Catalog

External

Used for public offers

Deployed via the Azure

Marketplace

Why use a Managed Application?

• Protect IP

• Control environment updates

• Manage customer permissions

on resources created in their

subscription

• Enable different deployments

based on different plans

Managed Application components

• Managed Resource Group (MRG)

• Application Resource Group

• Security Group (SG)

• Service Principal (SP)

Purchasing a Managed App

https://azuremarketplace.microsoft.com/ https://portal.azure.com/

Purchasing a Managed App

Buyers View

17

Demo

Purchasing an Azure Managed

Application

1. Create Offer

2. Create Plan

3. Select Technical

Configuration

4. Open Package

Details

5. Add Package.zip

6. Review & Publish

Publish

Publishers’ View

20

Demo

Creating an Azure Managed

Application offer in Partner

Center

Azure Marketplace

Managed Application overview

Managed Application Resource Group

Managed Application

Managed Resource Group

Contributor

Customer

*/read

Offer

Platinum Plan

Gold Plan

Silver Plan

Customer’s Subscription

Provisions

Tenancy and isolation

10 Minute Break

23

Help us make this valuable for you!

Start of class survey

https://forms.office.com/r/FT1wVjS38H

Azure Managed Application artifacts

Managed Application deployment package

application.zip package file

mainTemplate.json

ARM file creates

Azure resources

viewDefinition.json Customizes the

Managed

Application UX

createUiDefinition.jsonCustomizes

installation

screens for users

Feeds

output to

ARM file

27

ARM Templates

Infrastructure as code

Deploy Azure resources from

declarative JSON files

May be checked into

version control

{

"$schema": "https://schema.management.azure.com/schemas/2019-04-01/...#",

"contentVersion": "1.0.0.0",

"parameters": { … },

"variables": { … },

"resources": [ … ],

“outputs": [ … ],

}

mainTemplate.json – The ARM Template

29

CreateUIDefinition.json

Defines the installation

experience for the customer

Creates an install “wizard” for

the customer for installing

the Managed Application

createUIDefinition.json

31https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/SandboxBlade

32

Demo

Creating the application

package

Hands On Lab 1

aka.ms/AMAWorkshopLabs

When you finish the

lab, please raise your

hand in Teams.

Using Partner Center to publish your offer

The Partner Center portal

Publish offers on the

Azure Marketplace and AppSource

Works with many different

offer types

View Marketplace Subscriptions

Bill and get paid

Partner Center Summary Reports

Summary reports

Orders

Customers

Usage

Marketplace insights

Views across countries

Billing Options

Microsoft Commercial Marketplace billing types

Virtual

Machine

Azure Apps

(Multi-VM)

Container

Image

Consulting

& Managed

Services

SaaS

App

Office

365

Dynamics

365

PowerApps

List (Contact)

List (Trial)

Free

BYOL

Transact

AppSourceAzure Marketplace Both

PaaS

Monetization

Virtual Machine Azure Apps

(Multi-VM)

SaaS

App

Billing Cycle Monthly * Monthly * Monthly or Annual *

Pricing ModelConsumption per core/per

hour

Managed Apps: optional flat

rate

Both: Leverage VM pricing

Flat-rate

Per-user

Consumption-based

(metered event)

Trial Options 1-month or 3-months Leverages VM pricing 1-month

Changing Plan Pricing

A plan’s price is immutable

To “upgrade” one must purchase a different plan

A plan may deploy its resources incrementally

What are Azure Marketplace Meters?

• Consumable

• Meter ID

• Unit of Measure

• Quantity

• Report

• 1 per hour

• 1 per day (batch)

$1/hour 2 units

$2

m_p

ark

ing

100W incl + $1/W extra 100 units

$100

m_c

harg

er

2 hours

200W

AMA offer Pricing Options: Metered

Pricing Option Description Example Plans for an Offer

VariableConsumption based on variable

usage.• Plan A - Number of Transactions $0.12/transaction

Fix + Variable Consumption based on a fix

amount, plus variable usage.

• Plan B - Basic $25/Month (2000 transactions

included) + $0.10/transaction

Multi-Dimension

Consumption based on

multiple dimensions. Up to 10

dimensions allowed.

• Plan C – Basic (Picture Send/Picture Received/

Bandwidth(Mb))

• D1 – Picture Send $0.10/unit

• D2 – Picture Received $0.12/unit

• D3 – Per Megabit Send $0.25/unit

Multi-Dimension

Fix + Variable

Combination of a fixed price

and multi-dimension based

consumption

• Plan D – Basic $10/Month (1000 Pictures Send,

1000 Received and 100 Megabits)

+ Picture Send/Picture Received/ Bandwidth(Mb)

• D1 – Picture Send $0.10/unit

• D2 – Picture Received $0.12/unit

• D3 – Per Megabit Send $0.25/unit

Metered: Basic

Metered: Multi-Dimension Fix + Variable

Azure App

ARM Template(mainTemplate.json)

VM Offer(s)

Azure Portal UI Definition(createUiDefinition.json)

Azure Services

Metering

Meter

Service

Marketplace

Billing API

(Once

Certified)

Azure Portal View

Definition(viewDefinition.json)

* Optional

Meter

Service

Getting Publisher Support

Publisher Guide

Offer Types Marketing Assets Lead Management Legal Documents Publishing TaT Support Information Technical Assets Technical Requirements

Virtual

Machines

Offer Images/Icons

Offer Description

Offer Category/SEO

Offer Documentation

(Videos and Docs.)

Define how do you

want to manage the

offer leads:

Table Storage

Dynamics CRM

Online

HTTPS endpoint

Marketo

Salesforce

Privacy Policy

Terms of Use

24 Hours

Engineering Contacts

Customer Support

Support URLs

Virtual Hard Disk (VHD) Virtual Machine VHD

Azure Apps

(Solution

Template)

7 Days

ARM Template

UI Definition File

Resources (libraries,

scripts, runtimes, etc…)

ARM Template

UI Definition File

Azure Apps

(Managed

Apps)

ARM Template

UI Definition File

Security Principal to

Manage the Offer

Azure Apps

(HDInsight)

ARM Template

UI Definition File

SaaS Apps 12 HoursFree/Trial: None

Transact: Billing API

Integration with Azure

Active Directory

Containers 48 Hours Container

Container Image

Azure Container Registry

(ACR) Credentials

IoT Edge

Modules48 Hours Container

Container Image

Azure Container Registry

(ACR) Credentials

Azure Marketplace Offers and Assets

TaT – Turn Around Time

Getting Publisher Support

http://aka.ms/MarketplacePublisherSupport

Hands On Lab 2

aka.ms/AMAWorkshopLabs

When you finish the

lab, please raise your

hand in Teams.

Integrated VM Offers

Azure Managed Application

ARM Template(mainTemplate.json)

VM Offer(s)

UI Definition(createUiDefinition.json)

Azure Services

VM Offer (hidden)

VM Template (.vhd)

Base VM(Azure or Customer .vhd)

App Code(binaries)

Integrated VM Model

Meter

Service

Marketplace

Billing API

(Once

Certified)

View Definition(viewDefinition.json)

* Optional

Creating the VM Technical Assets

Building the VM Image

Build the VM Image that will be used as a

base for the Offer. You can use an MS Stock

image or build your own custom image

Open Ports

Define the Open Ports you want to have in

the Offer

(Optional) Data Disk Images

For each VM, you can attach up to fifteen (15)

Data disks

55

Referencing a VM Offer

30 Minute Lunch Break

56

Start back up at 01:05 PST

Deployment Workflow

Azure Marketplace

Data Sharing Pilot Architecture

Share 1

Share 2

Share 3

Data Set

Data Set

Data Set

Data Set

Data Set

Offer 1

Offer 2

Plan 1

Plan 2

Plan 1

Publisher Subscription

Consumer Subscription

Webhook

Azure Function

Raw Data Resource Group

Provider Managed Resource Group

Data Share Resource Group

Data Share

service

Provider Managed Resource Group

Share

Snapshot

Data Share

service

Share

Subscription

Consumer

Managed

Resource

Group

Provider Managed Resource Group

Share

Snapshot

Data Share

service

Share

Subscription

Consumer

Managed

Resource

Group

Security

WebhookCustomer

provisions AMA

AMA and managed

resources deploy

Webhook is called

with status

Webhook is called

with status

Webhook

returns 200

Webhook

returns 200

Deployment Status Notifications (Webhook)

• Called by the Azure Managed Application deployment process

• Communicates application status to an endpoint

• Stops when it reads a 200 response from the endpoint

POST https://{your_endpoint_URI}/resource?{optional_parameter}={optional_parameter_value}&sig=Guid HTTP/1.1

{ "eventType": "PUT", "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>","eventTime": "2019-08-14T19:20:08.1707163Z", "provisioningState": "Succeeded", "billingDetails": {

"resourceUsageId":"<resourceUsageId>"}, "plan": {

"publisher": "publisherId", "product": "offer", "name": "skuName", "version": "1.0.1"

}}

https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-notifications

Deployment Status Notifications (Webhook)

POST https://{your_endpoint_URI}/resource?{optional_parameter}={optional_parameter_value} HTTP/1.1

{ "eventType": "PUT", "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>","eventTime": "2019-08-14T19:20:08.1707163Z", "provisioningState": "Failed", "billingDetails": {

"resourceUsageId":"<resourceUsageId>"}, "plan": {

"publisher": "publisherId", "product": "offer", "name": "skuName", "version": "1.0.1"

}, "error": {

"code": "ErrorCode", "message": "error message", "details": [ {

"code": "DetailedErrorCode", "message": "error message"

} ]}

}

Webhook

Events in the Azure Managed Application lifecycle

EventType ProvisioningState Trigger for notification

PUT Accepted Managed resource group has been created and projected

successfully after application PUT (before the deployment

inside the managed resource group is kicked off).

PUT Succeeded Full provisioning of the managed application succeeded after a

PUT.

PUT Failed Failure of PUT of application instance provisioning at any

point.

PATCH Succeeded After a successful PATCH on the managed application

instance to update tags, JIT access policy, or managed

identity.

DELETE Deleting As soon as the user initiates a DELETE of a managed app

instance.

DELETE Deleted After the full and successful deletion of the managed

application.

DELETE Failed After any error during the deprovisioning process that blocks

the deletion.

Upgrading plans

Upgrade my plan

I purchased the “Silver” plan previously

I want to upgrade to the “Gold” plan

Complete or incremental deployments

Deploys all resources defined in

ARM

If selected resource group exists,

destroys it and re-installs

Replaces all resources

If selected resource group

exists, deploys only new

resources

Will not overwrite existing

resources

Deploys to the same RG as the

original solution

IncrementalComplete

Managing CustomerDeployments

Allowing Just In Time (JIT) Access

• Currently in preview

• Give consumers greater control over access to managed

resources

• Publisher sends a request for access to troubleshoot or update

the managed resources

• JIT is configured per plan

Azure LighthouseManage your customer Managed Applications

Metered Billing

Metered: Multi-Dimension Fix + Variable

Metering Usage

POST https://marketplaceapi.microsoft.com/api/usageEvent?api-version={{ApiVersion}}Content-Type: application/jsonAuthorization: Bearer {{access_token}}

{"resourceId": "Identifier of the resource against which usage is emitted","quantity": 5.0,"dimension": "Dimension identifier","effectiveStartTime": "Time in UTC when the usage event occurred","planId": "Plan associated with the purchased offer"

}

200 Response

{"usageEventId": "Unique identifier associated with the usage event","status": "Accepted","messageTime": "Time this message was created in UTC","resourceId": "Identifier of the resource against which usage is emitted","quantity": 5.0,"dimension": "Dimension identifier","effectiveStartTime": "Time in UTC when the usage event occurred","planId": "Plan associated with the purchased offer"

}

Metering Batch Usage

POST https://marketplaceapi.microsoft.com/api/batchUsageEvent?api-version={{ApiVersion}}Content-Type: application/jsonAuthorization: Bearer {{access_token}}

200 Response

{"count": 2,"result": [{"usageEventId": "Unique identifier associated with the usage event","status": "Accepted|Expired|Duplicate|Error|ResourceNotFound|ResourceNotAuthorized|InvalidDimension|BadArgument","messageTime": "Time this message was created in UTC","resourceId": "Identifier of the resource against which usage is emitted","quantity": 5.0,"dimension": "Dimension identifier","effectiveStartTime": "Time in UTC when the usage event occurred","planId": "Plan associated with the purchased offer","error": "Error object (optional)"

},

…]

}

Emitting a meter using the REST APIs

https://github.com/microsoft/commercial-marketplace-managed-application-metering-samples

# Get Resource URI$managementTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" $Token = Invoke-RestMethod -Headers @{"Metadata" = "true"} -Uri $managementTokenUrl

# Get Subscription ID$metadataUrl = "http://169.254.169.254/metadata/instance?api-version=2019-06-01"$metadata = Invoke-RestMethod -Headers @{'Metadata'='true'} -Uri $metadataUrl

# Get AMA Details$Headers = @{}$Headers.Add("Authorization","$($Token.token_type) "+ " " + "$($Token.access_token)")$managementUrl = "https://management.azure.com/subscriptions/" + $metadata.compute.subscriptionId + "/resourceGroups/" + $metadata.compute.resourceGroupName + "?api-version=2019-10-01"$resourceGroupInfo = Invoke-RestMethod -Headers $Headers -Uri $managementUrl$managedappId = $resourceGroupInfo.managedBy

# Get Marketplace Token$marketplaceTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=20e940b3-4c77-4b0b-9a53-9e16a1b010a7" $marketplaceToken = Invoke-RestMethod -Headers @{"Metadata" = "true"} -Uri $marketplaceTokenUrl

# Get Usage from the last 5 minutes$lastHourMinusFiveMinutes = (Get-Date).AddMinutes(-65).ToString("yyyy-MM-ddTHH:mm:ssZ")$body = @{ 'resourceUri' = $managedappId; 'quantity' = 15; 'dimension' = 'dim1'; 'effectiveStartTime' = $lastHourMinusFiveMinutes; 'planId' = 'userassigned'} | ConvertTo-Json

# Post Meter$Headers = @{} $Headers.Add("Authorization","$($marketplaceToken.token_type) "+ " " + "$($marketplaceToken.access_token)")$response = Invoke-RestMethod 'https://marketplaceapi.microsoft.com/api/usageEvent?api-version=2018-08-31' -Method 'POST' -ContentType "application/json" -Headers $Headers -Body $body -Verbose

$managementTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" $Token = Invoke-RestMethod -Headers @{"Metadata" = "true"} -Uri $managementTokenUrl

Calling Metering Operations in C#

Response<BatchUsageEventOkResponse> PostBatchUsageEvent( ... );

Task<Response<BatchUsageEventOkResponse>> PostBatchUsageEventAsync( ... );

Response<UsageEventOkResponse> PostUsageEvent( ... );

Task<Response<UsageEventOkResponse>> PostUsageEventAsync( ... );

Customizing the Managed ApplicationUI and Behavior

77

viewDefinition.json

Customize the Managed

Application itself

Add functionality to the

Azure Managed Application

CustomizedManaged Application

{

"$schema": "https://raw.githubusercontent.com/Azure/azure-resource-

manager-schemas/master/schemas/viewdefinition/0.0.1-

preview/ViewDefinition.json",

"views": [

{ "kind": "Overview” ... },

{ "kind": "Metrics” ... },

{ "kind": "CustomResources”...}

]

}

viewDefinition.json

80

Demo

Customizing Managed App

functionality with

viewDefinition.json

Hands On Lab 3

aka.ms/AMAWorkshopLabs

When you finish the

lab, please raise your

hand in Teams.

Advanced Deployment Scenarios

Storage Provider

Compute Device

Compute Device

Compute DeviceUtil/Billing Service

Metrics

Repo

2. Report Usage

3. Send Marketplace Meters (hourly)

Control Plane

Data Plane

1. Data Transfer

DD

D

DD

D

DD

D

DD

D

Managed Application

IoT

IoT Device

IoT Device

IoT Device

Util/Billing Service

Authorization

Service

Metrics

Repo

3. Send Marketplace Meters (hourly)

Managed Application

Delegated Manage Identities{

"type": "Microsoft.Authorization/roleAssignments","apiVersion": "2014-10-01-preview","name": "[guid(resourceGroup().id)]","dependsOn": [

"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('vm_name'))]"],"properties": {"roleDefinitionId": "[variables(parameters('roleType'))]","delegatedManagedIdentityResourceId": "[resourceId('Microsoft.ManagedIdentity/userAssignedI

dentities', variables('vm_name'))]","principalId": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/',varia

bles('msi_name'))).principalId]","scope": "[variables('scope')]"

}}

Containers

Util/Billing Service

Authorization

Service

Metrics

Repo

Private Container

Registry

1. Register the Customer Private Container Registry

2. Pull CIS Container Images

Container

Container

Container

3. Run the Images

Container

Metered Usage:

Per hour / Per Day

6. Send Marketplace Meters (hourly)

Virtual Machine

Container Runtime

Container

Container

Private Container

Registry

Managed Application

Custom Resources and Resource Providers

The feature is in preview

Only available in select regions

Works via Service Catalog today

Possible in AMAs today, but requires Swagger integration with Azure APIs

https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider?tabs=azurecli-interactive

Azure Resource Providers

PowerShell | Azure CLI | Azure Portal

Azure Resource Manager (ARM)

Azure Resource Providers

REST

SUBSCRIPTION

RESOURCE

GROUP

/Microsoft.Storage/storageAccounts/{accountName}?api-version=2018-02-01

Custom Azure Resource Providers

PowerShell | Azure CLI | Azure Portal

Azure Resource Manager (ARM)

Custom Resource

Providers

REST

SUBSCRIPTION

MANAGED

RESOURCE

GROUP

CUSTOM

RESOURCE

/Microsoft.CustomProviders/resourceProviders/{resourceProviderName}?api-version=2018-09-01-preview

Service Catalog Deployment

Service catalog

Managed App

definition

Package file in

Storage account

Azure Managed

Application

92

Demo

Custom Resource Providers

Help us improve the workshop!

End of class surveyhttps://forms.office.com/r/zNKRp40ULA

Hands On Lab 4

aka.ms/AMAWorkshopLabs

When you finish the

lab, please raise your

hand in Teams.

Managed Identities

Managed Identities – Why?

• Security

• Eliminate managing credentials

• Credentials are not accessible

• Advantages

• AAD required

• No cost

Managed Identities

• System Assigned Identity

• User Assigned Identity

https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-managed-identity

• Application Settings

• Managed Application

Settings

Managed Identities – CustomUIDefinition.json{

"name": "appIdentity",

"type": "Microsoft.ManagedIdentity.IdentitySelector",

"label": "Managed Identity Configuration",

"toolTip": {

"systemAssignedIdentity": "Grant the managed application access to additional existing resources.",

"userAssignedIdentity": "Grant the managed application access to additional existing resources.“

},

"defaultValue": {

"systemAssignedIdentity": "Off"

},

"options": {

"hideSystemAssignedIdentity": false,

"hideUserAssignedIdentity": false,

"readOnlySystemAssignedIdentity": false

},

"visible": true

}

Resources & Closing

Solution Templates Resources and DocumentationTopic Description Links

Azure Templates Quick Starts Bootstrap samples https://github.com/Azure/azure-quickstart-templates

Best Practices ARM Template Guidehttps://github.com/Azure/azure-quickstart-templates/blob/master/1-CONTRIBUTION-GUIDE/best-

practices.md

Template Validation Tool Pre-certification tool https://github.com/Azure/azure-quickstart-templates/tree/master/test/template-validation-tests

Template Deployment Scripts

Resource Groups

Deployment Scripts

Samples

https://github.com/Azure/azure-quickstart-templates/blob/master/Deploy-AzureResourceGroup.ps1

https://github.com/Azure/azure-quickstart-templates/blob/master/az-group-deploy.sh

UI Testing SideLoad Scripts:Testing UI without

publishing

https://github.com/Azure/azure-quickstart-templates/blob/master/SideLoad-CreateUIDefinition.ps1

https://github.com/Azure/azure-quickstart-templates/blob/master/sideload-createuidef.sh

Template Reference Docs Reference Guide https://docs.microsoft.com/en-us/azure/templates/

CreateUIDefinition Docs Azure Portal https://docs.microsoft.com/en-us/azure/managed-applications/create-uidefinition-functions

Template Language Expressions ARM Functions Guide https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions

Azure PowerShell Azure PowerShell Module https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-5.7.0

Azure CLI Azure Command Line https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest

Visual Studio Code Extension ARM Template Formatter https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools

Marketplace Sample Code and Examples

https://aka.ms/marketplacesamples