When an Azure managed application is rolled out to a tenant, it will use two resource groups. The first resource group is considered as application resource group, the second as managed resource group.
- The application resource group contains the instance of our managed application. The consumer (or internal user) has full access to that resource group for managing the application life cycle. As the user has no access to the resources itself, access to the application resource group is given to gather outputs from the deployment (such as public IP addresses or DNS names) to use the deployed resources (like a VM).
- The managed resource group contains the resources that are required by the Azure managed application itself. Only the specified admins, which are defined when a managed application definition is created, do have write access to this resource group:
Source: https://docs.microsoft.com/en-us/azure/managed-applications/overview...