This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 93%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKC%3C/text%3E%3C/svg%3E)
We offer a Managed App through the Azure Marketplace. We want our customers to be able to interactively manage Windows Updates and Backups on the VM deployed when they create an instance of the Managed App.
When the customer tries to perform operations on a Managed App VM, they get errors similar to:
We can add Custom Allowed Actions to the Technical Configuration when configuring the Managed App offering, but how do we know which permission(s) to include there? There are literally thousands of defined permissions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 31%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
Hi Ken Collins,
Welcome to Microsoft Q&A Forum, thank you for posting your query here!
Since your customer tried performing operations on a Managed App VM, usually the customers can be denied accessing the resource because of the deny assignment which has assigned default while creating the managed application.
Please refer to the below mentioned different permission scenarios available based on publisher and customer needs for a managed application.
Usually, the Customer access to the managed resource group is restricted by a deny assignment due to the "Publisher managed" permission, because it is the default permission for the managed application.
So, if you want your customer to have full management access to the managed resource group, you can choose Customer managed permission. There's no deny assignment with this permission. however, the publisher's access will be removed for the managed resource group. So as clearly mentioned over the article choose which permission can be suited for your environment.
Whereas, you can use azure policy definition also to get access for the associated resources to a managed application.
here is the built-in policy definitions for Azure Managed Applications.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/policy-reference
To enhance this, first you need to understand the below three parameters which can be referred over the policy as shown in below 2nd snippet.
Then create a policy assignment and assign the deploy associations for a managed application policy.
After the policy is assigned successfully, the policy identifies noncompliant resources and deploy associations for those resources.
You can refer to the below article for better understanding.
This way you can have your customers to perform operations on the specified resources.
Hope this helps!
Please reply if you there are any challenges.
Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Thanks
Hello Ken Collins,
If you have any further questions, please do not hesitate to reach out. I am here to assist you.
If you found the above Answer is helpful, kindly click "Upvote it".
Thank you
Hello Ken Collins,
I would like to check if the issue has been resolved or if you need any assistance. Please feel free to let us know, as we are always here to help.
Additionally, if you have a moment, please review my Answer.
Thank you.