Quickstart: Deploy a service catalog managed application

In this quickstart, you use the managed application definition that you created using one of the quickstart articles. The deployment creates two resource groups. One resource group contains the managed application and the other is a managed resource group for the deployed resources. The managed application definition deploys an App Service plan, App Service, and storage account.

Prerequisites

Create service catalog managed application

The examples use the resource groups names created in the quickstart to publish an application definition. If you used the quickstart to publish a definition with bring your own storage, use those resource group names.

Get managed application definition

To get the managed application's definition with Azure PowerShell, run the following commands.

In Visual Studio Code, open a new PowerShell terminal and sign in to your Azure subscription.

Connect-AzAccount 

The command opens your default browser and prompts you to sign in to Azure. For more information, go to Sign in with Azure PowerShell.

From Azure PowerShell, get your managed application's definition. In this example, use the resource group name appDefinitionGroup that was created when you deployed the managed application definition.

Get-AzManagedApplicationDefinition -ResourceGroupName appDefinitionGroup 

Get-AzManagedApplicationDefinition lists all the available definitions in the specified resource group, like sampleManagedApplication.

Create a variable for the managed application definition's resource ID.

$definitionid = (Get-AzManagedApplicationDefinition -ResourceGroupName appDefinitionGroup -Name sampleManagedApplication).ManagedApplicationDefinitionId 

You use the $definitionid variable's value when you deploy the managed application.

To get the managed application's definition with Azure CLI, run the following commands.

In Visual Studio Code, open a new Bash terminal session and sign in to your Azure subscription. If you have Git installed, select Git Bash.

az login 

The command opens your default browser and prompts you to sign in to Azure. For more information, go to Sign in with Azure CLI.

From Azure CLI, get your managed application's definition. In this example, use the resource group name appDefinitionGroup that was created when you deployed the managed application definition.

az managedapp definition list --resource-group appDefinitionGroup 

The command lists all the available definitions in the specified resource group, like sampleManagedApplication.

Create a variable for the managed application definition's resource ID.

definitionid=$(az managedapp definition show --resource-group appDefinitionGroup --name sampleManagedApplication --query id --output tsv) 

You use the $definitionid variable's value when you deploy the managed application.

To get the managed application's definition from the Azure portal, use the following steps.

  1. Sign in to the Azure portal.
  2. Select Create a resource. Screenshot of Azure home page with Create a resource highlighted.
  3. Search for Service Catalog Managed Application and select it from the available options.
  4. Service Catalog Managed Application is displayed. Select Create. Screenshot of search result for Service Catalog Managed Application with create button highlighted.
  5. Select Sample managed application and then select Create. The portal displays the managed application definitions that you published with the quickstart articles. Screenshot that shows managed application definitions that you can deploy.

Create resource group and parameters

Create a resource group for the managed application deployment.

New-AzResourceGroup -Name applicationGroup -Location westus 

You also need to create a name for the managed application resource group. The resource group is created when you deploy the managed application.

Run the following commands to create the managed resource group's name.

$mrgprefix = 'mrg-sampleManagedApplication-' $mrgtimestamp = Get-Date -UFormat "%Y%m%d%H%M%S" $mrgname = $mrgprefix + $mrgtimestamp $mrgname 

The $mrgprefix and $mrgtimestamp variables are concatenated and stored in the $mrgname variable. The variable's value is in the format mrg-sampleManagedApplication-20230512103059. You use the $mrgname variable's value when you deploy the managed application.

You need to provide several parameters to the deployment command for the managed application. You can use a JSON formatted string or create a JSON file. In this example, we use a JSON formatted string. The PowerShell escape character for the quote marks is the backtick ( ` ) character. The backtick is also used for line continuation so that commands can use multiple lines.

The JSON formatted string's syntax is as follows:

"< `"parameterName`": , `"parameterName`": >" 

For readability, the completed JSON string uses the backtick for line continuation. The values are stored in the $params variable and used in the deployment command. The parameters in the JSON string are required to deploy the managed resources.

$params="< `"appServicePlanName`": , ` `"appServiceNamePrefix`": , ` `"storageAccountNamePrefix`": , ` `"storageAccountType`": >" 

The parameters to create the managed resources:

Create a resource group for the managed application deployment.

az group create --name applicationGroup --location westus 

You also need to create a name and path for the managed application resource group. The resource group is created when you deploy the managed application.

Run the following commands to create the managed resource group's path.

mrgprefix='mrg-sampleManagedApplication-' mrgtimestamp=$(date +%Y%m%d%H%M%S) mrgname="$$" subid=$(az account list --query [].id --output tsv) mrgpath="/subscriptions/$subid/resourceGroups/$mrgname" 

The $mrgprefix and $mrgtimestamp variables are concatenated and stored in the $mrgname variable. The variable's value is in the format mrg-sampleManagedApplication-20230512103059. The mrgname and subid variable's are concatenated to create the mrgpath variable value that creates the managed resource group during the deployment.

You need to provide several parameters to the deployment command for the managed application. You can use a JSON formatted string or create a JSON file. In this example, we use a JSON formatted string. In Bash, the escape character for the quote marks is the backslash ( \ ) character. The backslash is also used for line continuation so that commands can use multiple lines.

The JSON formatted string's syntax is as follows:

"< \"parameterName\": , \"parameterName\": >" 

For readability, the completed JSON string uses the backslash for line continuation. The values are stored in the params variable and used in the deployment command. The parameters in the JSON string are required to deploy the managed resources.

params="< \"appServicePlanName\": , \ \"appServiceNamePrefix\": , \ \"storageAccountNamePrefix\": , \ \"storageAccountType\": >" 

The parameters to create the managed resources:

  1. Provide values for the Basics tab and select Next. Screenshot that highlights the required information on the basics tab.
  2. Provide values for the Web App settings tab and select Next. Screenshot that highlights the required information on the Web App settings tab.
  3. Enter a prefix for the storage account name and select the storage account type. Select Next. Screenshot that shows the information needed to create a storage account.

Deploy the managed application

Run the following command to deploy the managed application.

New-AzManagedApplication ` -Name "demoManagedApplication" ` -ResourceGroupName applicationGroup ` -Location westus ` -ManagedResourceGroupName $mrgname ` -ManagedApplicationDefinitionId $definitionid ` -Kind ServiceCatalog ` -Parameter $params 

The parameters used in the deployment command:

Run the following command to deploy the managed application.

az managedapp create \ --name demoManagedApplication \ --resource-group applicationGroup \ --location westus \ --managed-rg-id $mrgpath \ --managedapp-definition-id $definitionid \ --kind ServiceCatalog \ --parameters "$params" 

The parameters used in the deployment command:

Review the summary of the values you selected and verify no errors are displayed. Select Create to deploy the managed application.

Screenshot that summarizes the values you selected and shows the status of validation passed.

View results

After the service catalog managed application is deployed, you have two new resource groups. One resource group contains the managed application. The other resource group contains the managed resources that were deployed. In this example, an App Service, App Service plan, and storage account.

Managed application

After the deployment is finished, you can check your managed application's status.

Run the following command to check the managed application's status.

Get-AzManagedApplication -Name demoManagedApplication -ResourceGroupName applicationGroup 

Expand the properties to make it easier to read the Properties information.

Get-AzManagedApplication -Name demoManagedApplication -ResourceGroupName applicationGroup | Select-Object -ExpandProperty Properties 

Run the following command to check the managed application's status.

az managedapp list --resource-group applicationGroup 

The following command parses the data about the managed application to show only the application's name and provisioning state.

az managedapp list --resource-group applicationGroup --query "[]." 

Go to the resource group named applicationGroup and select Overview. The resource group contains your managed application named demoManagedApplication.

Screenshot that shows the resource group that contains the managed application.

Select the managed application's name to get more information like the link to the managed resource group.

Screenshot that shows the managed application

Managed resources

You can view the resources deployed to the managed resource group.

To display the managed resource group's resources, run the following command. You created the $mrgname variable when you created the parameters.

Get-AzResource -ResourceGroupName $mrgname 

To display all the role assignments for the managed resource group.

Get-AzRoleAssignment -ResourceGroupName $mrgname 

The managed application definition you created in the quickstart articles used a group with the Owner role assignment. You can view the group with the following command.

Get-AzRoleAssignment -ResourceGroupName $mrgname -RoleDefinitionName Owner 

You can also list the deny assignments for the managed resource group.

Get-AzDenyAssignment -ResourceGroupName $mrgname 

To display the managed resource group's resources, run the following command. You created the $mrgname variable when you created the parameters.

az resource list --resource-group $mrgname 

Run the following command to list only the name, type, and provisioning state for the managed resources.

az resource list --resource-group $mrgname --query "[]." 

Run the following command to list the role assignment for the group that was used in the managed application's definition.

az role assignment list --resource-group $mrgname 

The following command parses the data for the group's role assignment.

az role assignment list --resource-group $mrgname --role Owner --query "[]." 

To review the managed resource group's deny assignments, use the Azure portal or Azure PowerShell commands.

Go to the managed resource group with the name prefix mrg-sampleManagedApplication and select Overview to display the resources that were deployed. The resource group contains an App Service, App Service plan, and storage account.

Screenshot that shows the managed resource group that contains the resources deployed by the managed application definition.

The managed resource group and each resource created by the managed application has a role assignment. When you used a quickstart article to create the definition, you created a Microsoft Entra group. That group was used in the managed application definition. When you deployed the managed application, a role assignment for that group was added to the managed resources.

To see the role assignment from the Azure portal:

  1. Go to your mrg-sampleManagedApplication resource group.
  2. Select Access Control (IAM) >Role assignments. You can also view the resource's Deny assignments.

The role assignment gives the application's publisher access to manage the storage account. In this example, the publisher might be your IT department. The Deny assignments prevents customers from making changes to a managed resource's configuration. Managed apps are designed so that customers don't need to maintain the resources. The Deny assignments excludes the Microsoft Entra group that was assigned in Role assignments.

Clean up resources

When you're finished with the managed application, you can delete the resource groups and that removes all the resources you created. For example, in this quickstart you created the resource groups applicationGroup and a managed resource group with the prefix mrg-sampleManagedApplication.

The command prompts you to confirm that you want to remove the resource group.

Remove-AzResourceGroup -Name applicationGroup 

The command prompts for confirmation, and then returns you to command prompt while resources are being deleted.

az group delete --resource-group applicationGroup --no-wait 
  1. From Azure portal Home, in the search field, enter resource groups.
  2. Select Resource groups.
  3. Select applicationGroup and Delete resource group.
  4. To confirm the deletion, enter the resource group name and select Delete.

If you want to delete the managed application definition, delete the resource groups you created in the quickstart articles.

Next steps