
I am looking to create an Azure managed application, and I want a service to be able to consume the notifications sent to the "Notification Endpoint" HTTPS webhook. Currently, the documentation provides the following two steps to secure the webhook endpoint and authenticate the request coming from Azure.

  1. Provide a query parameter on top of the webhook URI, like this: https://your-endpoint.com?sig=Guid. With each notification, check that the query parameter sig has the expected value Guid.
  2. Issue a GET on the managed application instance by using applicationId. Validate that the provisioningState matches the provisioningState of the notification to ensure consistency.

My questions pertain to both these steps.

First, how do I set up the expected value for Guid? Do I just set up an arbitrary new GUID that I am supposed to keep as a secret somewhere?

Second, how do I grant permission for my service to perform the GET operation on the managed application instance? Is there a way I can grant a role to a principal ID to the managed application instance itself during deployment? I know I can grant authorization to the managed resource group, but how can I grant a role to the managed application instance?

Thank you.

wahoowa
  • Have you actually seen this callback work? Please see this: https://stackoverflow.com/questions/69008440/how-to-get-a-callback-when-an-azure-marketplace-managed-application-is-installed – Rodney Sep 01 '21 at 05:56

1 Answer


Provide a query parameter on top of the webhook URI, like this: https://your-endpoint.com?sig=Guid. With each notification, check that the query parameter sig has the expected value Guid.

• Create a GUID using PowerShell with the command below:

• Register the GUID in the partner center.

• Add the GUID to the Resource Manager Template

Reference: https://learn.microsoft.com/en-us/azure/marketplace/azure-partner-customer-usage-attribution

Second, how do I grant permission for my service to perform the GET operation on the managed application instance? Is there a way I can grant a role to a principal ID to the managed application instance itself during deployment? I know I can grant authorization to the managed resource group, but how can I grant a role to the managed application instance?

If you register your managed application in Azure AD, then no additional permissions are required. You will be performing the GET operation in the same way as the POST operation.

Reference: https://learn.microsoft.com/en-us/azure/marketplace/azure-app-apis

RamaraoAdapa
  • Does the notification callback ONLY work if you do Step 1 in your answer above? The documentation is not clear on this - Please see my question here: https://stackoverflow.com/questions/69008440/how-to-get-a-callback-when-an-azure-marketplace-managed-application-is-installed – Rodney Sep 01 '21 at 05:56
  • Yes, it should work after you do step1. If your issue is still unresolved, please try reaching out to Q&A : https://learn.microsoft.com/answers/index.html – RamaraoAdapa Sep 01 '21 at 06:11
  • Ok, so I tried step 1, and in the Managed App UI it says that I should not add the GUID manually as it is added automatically with the GUID of the Plan - see error here: https://onedrive.live.com/?authkey=%21AGDoI2syG6Ivo9A&cid=407E5B90C0F944D2&id=407E5B90C0F944D2%21695324&parId=407E5B90C0F944D2%21684360&o=OneUp The MS Docs say that this GUID is automatically added to the deployment for tracking. Do I then need to pass in sig=TheGUIDassignedForMyPlan? – Rodney Sep 01 '21 at 06:37
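The two checks from the documentation quoted in the question (compare the `sig` query parameter against a secret GUID, then confirm `provisioningState` with a GET on the managed application), as an added Python example that is not from the question, the answer or Microsoft's docs. It assumes the secret lives in `EXPECTED_SIG` (placeholder value) and that the authenticated ARM GET is supplied as a callable, here stubbed by `fake_get_application`; the sample notification body is constructed.

```python
import hmac
import json
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Placeholder for the arbitrary GUID you generate once and keep in a secret store (constructed value).
EXPECTED_SIG = "11111111-2222-3333-4444-555555555555"

def verify_sig(request_url: str, expected_sig: str) -> bool:
    """Step 1: the sig query parameter must equal the secret GUID.
    compare_digest keeps the comparison constant-time."""
    received = parse_qs(urlparse(request_url).query).get("sig", [""])[0]
    return hmac.compare_digest(received.encode(), expected_sig.encode())

def validate_notification(request_url: str, body: bytes, expected_sig: str,
                          get_application: Callable[[str], Optional[Dict]]) -> Dict[str, object]:
    """Step 2: re-read the managed application from Azure (authenticated GET by
    applicationId) and require its provisioningState to match the notification."""
    if not verify_sig(request_url, expected_sig):
        return {"ok": False, "reason": "bad sig"}
    try:
        event = json.loads(body)
    except ValueError:
        return {"ok": False, "reason": "malformed body"}
    app_id, claimed = event.get("applicationId"), event.get("provisioningState")
    if not app_id or not claimed:
        return {"ok": False, "reason": "missing applicationId or provisioningState"}
    resource = get_application(app_id)  # None when the application does not exist
    if resource is None:
        return {"ok": False, "reason": "application not found"}
    actual = resource.get("properties", {}).get("provisioningState")
    if actual != claimed:
        return {"ok": False, "reason": f"state mismatch: notified {claimed}, Azure says {actual}"}
    return {"ok": True, "reason": "verified", "applicationId": app_id}

# Constructed sample notification (field names follow the documented schema; values are placeholders).
SAMPLE_URL = "https://your-endpoint.com/notify?sig=" + EXPECTED_SIG
SAMPLE_BODY = json.dumps({
    "eventType": "PUT",
    "applicationId": "subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Solutions/applications/demo",
    "eventTime": "2021-09-01T05:56:00Z",
    "provisioningState": "Succeeded",
}).encode()

def fake_get_application(application_id: str) -> Optional[Dict]:
    """Stand-in for the real ARM GET done with a service principal that can read the application."""
    if application_id.endswith("/applications/demo"):
        return {"id": application_id, "properties": {"provisioningState": "Succeeded"}}
    return None
```

In a real service, `get_application` would call ARM with a token for the principal that was granted read access, and a "not found" or mismatched state is a reason to drop the notification rather than act on it.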