Security and access of an Azure managed application

When an Azure managed application is rolled out to a tenant, it uses two resource groups. The first is the application resource group, and the second is the managed resource group.

  • The application resource group contains the instance of our managed application. The consumer (or internal user) has full access to that resource group for managing the application life cycle. Because the user has no access to the resources themselves, access to the application resource group is given so that the user can gather outputs from the deployment (such as public IP addresses or DNS names) and use the deployed resources (like a VM).
  • The managed resource group contains the resources that are required by the Azure managed application itself. Only the specified admins, which are defined when a managed application definition is created, have write access to this resource group:
Source: https://docs.microsoft.com/en-us/azure/managed-applications/overview

While creating the service catalog managed application definition, you can choose to give the user who enrolls your application either read-only permission or no permission to the managed resource group. Read-only permission enables the user to view the resources in the managed resource group. We will cover this in detail later in this chapter.
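
As an added illustration (not taken from the book or from Microsoft's samples), the ARM template below shows where these two access decisions sit in a `Microsoft.Solutions/applicationDefinitions` resource: `authorizations` names the admins who get write access to the managed resource group, and `lockLevel` set to `ReadOnly` gives the consumer read-only permission. The definition name, display text and parameter names are assumptions made for this example; the role definition ID is the built-in Contributor role.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminGroupObjectId": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: object ID of the Azure AD group whose members administer the managed resource group."
      }
    },
    "packageFileUri": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: URI of the application package (.zip) for the definition."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Solutions/applicationDefinitions",
      "apiVersion": "2021-07-01",
      "name": "example-managed-app-definition",
      "location": "[resourceGroup().location]",
      "properties": {
        "displayName": "Example managed application (constructed name)",
        "description": "Constructed example: admins in 'authorizations' can write to the managed resource group; the consumer can only read it.",
        "lockLevel": "ReadOnly",
        "authorizations": [
          {
            "principalId": "[parameters('adminGroupObjectId')]",
            "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
          }
        ],
        "packageFileUri": "[parameters('packageFileUri')]"
      }
    }
  ]
}
```

Assigning the role to a group rather than to individual users keeps the set of principals with write access to every deployed managed resource group reviewable in one place.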
