Getting list of Azure subscriptions of customers who deployed your Azure Managed Application
In this article, we look at how a publisher of Azure Managed Application can get the list of Azure subscriptions of the customers who deployed the publisher’s offer.
“Managed application center” in Azure Portal
In Azure Portal, the publisher can use the Managed application center to see all deployed applications.
Search for “Managed applications center” in Azure Portal:
Select “Service Marketplace applications” from the left navigation:
See the application name, managed resource group name, SKU/plan, version, and customer’s Azure Active Directory tenant name and Azure subscription name:
Programmatically list customers’ Azure subscription and AAD tenant ids
To get the customers’ Azure subscription ids that installed your application, you can use the following ARM REST API call using the publisher identity which was authorized to access/manage the Azure Managed App when it was published in Partner Center:
az rest --url https://management.azure.com/subscriptions?api-version=2020-01-01 -o json
This API call will return all of the subscriptions that the publisher identity has access to — including both customers and publisher’s own Azure subscriptions. To determine which one are the customers, look at the managedByTenants array property that contains the publisher’s tenantId.
On Twitter @cmwillems also suggested the following quick way of getting the subscription ids using Azure CLI:
az account list --query "[?managedByTenants[?tenantId=='<<PUBLISHER_TENANT_ID>>']][id]" -o tsv --all
Programmatically list Azure Managed Applications
When using “Managed applications center” UI in the Azure Portal, it is actually invoking an Azure Resource Graph query to show the publisher all of the managed applications they can access.
First, the portal UI calls the same GET /subscriptions endpoint mentioned above, to get the list of subscriptions of the current user.
Next, as part of the Azure Resource Graph query, the UI passes in all of the subscription ids that are visible to the logged in user to get the list of the managed applications where publisherTenantId is the publisher’s tenant id:
You can execute the same command using Azure CLI extension for Azure Resource Graph:
az graph query --graph-query "resources | where type =~ 'Microsoft.Solutions/applications'|where isnotempty(plan.publisher)| where properties.publisherTenantId == 'dd74924a-88ce-421a-ac87-00fc9dbe4baf' | summarize count(), tenantIds=makeset(tenantId, 1000), any(tostring(plan.name)) , managedResourceGroupIds=makeset(properties.managedResourceGroupId, 5000) by tostring(plan.product), tostring(plan.publisher), subscriptionId" --subscriptions xxxxx1, xxxxx2 -o json
The way the Azure CLI “graph query” command works is that if the “ — subscriptions” parameter is empty, it uses all subscriptions that the currently logged in Azure CLI user can access (i.e., same ones that are visible via “az account list”).
Thank you!
Please leave feedback and questions below or on Twitter https://twitter.com/ArsenVlad