Getting list of Azure subscriptions of customers who deployed your Azure Managed Application

Arsen Vladimirskiy
Feb 4, 2022

In this article, we look at how a publisher of an Azure Managed Application can get the list of Azure subscriptions of the customers who deployed the publisher’s offer.

“Managed application center” in Azure Portal

In Azure Portal, the publisher can use the Managed application center to see all deployed applications.

Search for “Managed applications center” in Azure Portal:

Select “Service Marketplace applications” from the left navigation:

Marketplace applications in Managed applications center

See the application name, managed resource group name, SKU/plan, version, and customer’s Azure Active Directory tenant name and Azure subscription name:

Managed applications list

Programmatically list customers’ Azure subscription and AAD tenant ids

To get the Azure subscription ids of the customers that installed your application, you can make the following ARM REST API call with the publisher identity that was authorized to access/manage the Azure Managed App when it was published in Partner Center:

az rest --url "https://management.azure.com/subscriptions?api-version=2020-01-01" -o json

This API call returns all of the subscriptions that the publisher identity has access to, including both the customers’ and the publisher’s own Azure subscriptions. To determine which ones belong to customers, look for a managedByTenants array property that contains the publisher’s tenantId.

Response from ARM /subscriptions API

On Twitter @cmwillems also suggested the following quick way of getting the subscription ids using Azure CLI:

az account list --query "[?managedByTenants[?tenantId=='<<PUBLISHER_TENANT_ID>>']][id]" -o tsv --all
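The managedByTenants check described above, as an added Python example that is not part of the original article: it groups the matching subscriptions by the customer's home tenant id. The field names `value`, `subscriptionId` and `tenantId` are assumed from the ARM response shape, and all ids in the sample are constructed.

```python
import json
import sys
from collections import defaultdict

# Constructed ids, for illustration only (not real tenants or subscriptions).
PUBLISHER_TENANT = "aaaaaaaa-1111-1111-1111-111111111111"
CUSTOMER_B = "bbbbbbbb-2222-2222-2222-222222222222"
CUSTOMER_C = "cccccccc-3333-3333-3333-333333333333"
OTHER_MANAGER = "dddddddd-4444-4444-4444-444444444444"

def _sub(n, home, managers=None):
    """Build one constructed entry shaped like an item of the response's "value" array."""
    entry = {"subscriptionId": f"00000000-0000-0000-0000-{n:012d}", "tenantId": home}
    if managers is not None:
        entry["managedByTenants"] = [{"tenantId": t} for t in managers]
    return entry

SAMPLE_RESPONSE = {"value": [
    _sub(1, CUSTOMER_B, [PUBLISHER_TENANT]),
    _sub(2, CUSTOMER_B, [OTHER_MANAGER, PUBLISHER_TENANT.upper()]),  # GUID case differs
    _sub(3, CUSTOMER_C, [OTHER_MANAGER]),   # managed by a different tenant only
    _sub(4, PUBLISHER_TENANT, []),          # publisher's own subscription, empty array
    _sub(5, PUBLISHER_TENANT),              # publisher's own subscription, property absent
    _sub(6, CUSTOMER_C, [PUBLISHER_TENANT]),
]}

def customer_subscriptions(response, publisher_tenant_id):
    """Group subscriptions whose managedByTenants lists the publisher, keyed by home tenant id."""
    publisher = publisher_tenant_id.lower()
    by_tenant = defaultdict(list)
    for sub in response.get("value", []):
        # Tolerate a missing or null managedByTenants and compare GUIDs case-insensitively.
        managers = {m.get("tenantId", "").lower() for m in sub.get("managedByTenants") or []}
        if publisher in managers:
            by_tenant[sub["tenantId"].lower()].append(sub["subscriptionId"])
    return dict(by_tenant)

if __name__ == "__main__":
    # With a tenant id argument, read the JSON output of the az rest call from stdin;
    # without one, run against the constructed sample.
    live = len(sys.argv) > 1
    response = json.load(sys.stdin) if live else SAMPLE_RESPONSE
    tenant = sys.argv[1] if live else PUBLISHER_TENANT
    for customer, subs in sorted(customer_subscriptions(response, tenant).items()):
        print(customer, *subs)
```

Subscriptions managed only by some other tenant, and the publisher's own subscriptions, are left out of the result.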

Programmatically list Azure Managed Applications

The “Managed applications center” UI in the Azure Portal actually invokes an Azure Resource Graph query to show the publisher all of the managed applications they can access.

First, the portal UI calls the same GET /subscriptions endpoint mentioned above, to get the list of subscriptions of the current user.

Developer Tools showing call that “Managed applications center” makes to get list of subscription ids

Next, as part of the Azure Resource Graph query, the UI passes in all of the subscription ids that are visible to the logged-in user to get the list of the managed applications where publisherTenantId is the publisher’s tenant id:

Azure Resource Graph query from Managed applications center

You can execute the same query using the Azure CLI extension for Azure Resource Graph:

az graph query --graph-query "resources | where type =~ 'Microsoft.Solutions/applications'|where isnotempty(plan.publisher)| where properties.publisherTenantId == 'dd74924a-88ce-421a-ac87-00fc9dbe4baf' | summarize count(), tenantIds=makeset(tenantId, 1000), any(tostring(plan.name)) , managedResourceGroupIds=makeset(properties.managedResourceGroupId, 5000) by tostring(plan.product), tostring(plan.publisher), subscriptionId" --subscriptions xxxxx1 xxxxx2 -o json

If the “--subscriptions” parameter is empty, the Azure CLI “graph query” command uses all subscriptions that the currently logged-in Azure CLI user can access (i.e., the same ones that are visible via “az account list”).

Azure Resource Graph query response showing deployed managed application

Thank you!

Please leave feedback and questions below or on Twitter https://twitter.com/ArsenVlad

Arsen Vladimirskiy

Principal Engineer / Architect, FastTrack for Azure at Microsoft