If you were to have a managed service identity passed in by the customer, then you could utilize this during deployment to read a subscription. Managed Apps do not allow publishers to configure subscription level access, only access to the managed resource group that it deploys. All other levels of access would need to be passed in through an MSI for the publisher to use.
Providing subscription read access to a managed identity created with an azure managed application
Paul Edwards
81
Reputation points Microsoft Employee
Is it possible to add subscription read access to a managed identity for an azure managed identity at deployment time? As far as I can see it will create group deployment.
Thank,
Paul