Azure Application Offer - Removing publisher's access rights for managed application offer
I have a scenario for a public sector customer where they would not want the publisher to manage the resources under to the managed application offer. Is it possible to not include the access rights?
The need to create under Managed Applications offer is the use of custom metering which is not available under Solution Template.
Maybe publish it again with different permissions as Private offering?
You can also give the customers the option to remove delegations after solution was published:
You can remove access to a delegation after a customer accepts an offer only if you included an Authorization with the Role Definition set to Managed Services Registration Assignment Delete Role when you published the offer. You can also reach out to the customer and ask them to remove your access.
Somehow I did read Managed Services - maybe because I worked in parallel on a similar topic, but managed services, not apps.
For Managed Apps I think the right app roach would be to use JIT: https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access
This scenario is unique as the partner would want to use our custom metering to facilitate the billing of API/metric call from the solution through Microsoft. However, the engagement model of this customer is that this solution would be entirely managed by the customer themselves without the partner after deploying in the customer's azure tenant.
This sounds like Managed App is not the right model at all - in this case maybe just deliver the solution/template directly to the customer. Managed App by definition means that the Partner is managing it.