Managed Resource Group

When you deploy a Managed Application, Azure creates two resource groups:

  • Applications RG — usually named after your subscription’s default, holds the outer Managed Application resource. You see this in the Azure portal Resource Groups list.
  • Managed RG — named mrg-pointofcontactai-{guid}, holds all the actual resources (Function App, Cosmos, Key Vault, etc.). You cannot directly edit resources in this RG.

The Managed RG is “managed” by us (the publisher). We’re granted Contributor on it so we can apply in-place plan upgrades, rotate AAD app secrets, and ship customer-runtime updates without your intervention.

What this means for you

  • ✅ You can read everything in the Managed RG (logs, metrics, configurations).
  • ✅ You can delete the Managed Application from the Applications RG — that triggers a full cleanup of the Managed RG.
  • ❌ You cannot directly modify resources in the Managed RG via the portal/CLI. Any changes go through our update mechanism.

What we use the Contributor access for

  • Plan upgrades — when you change plan in the Marketplace, we PATCH the customer Function App’s (FA’s) app settings (SEAT_QUANTITY, PLAN_DISPLAY_NAME, etc.) within seconds. Zero downtime.
  • Customer-runtime updates — when we ship a new version, we publish to your Function App via the deployment storage container.
  • AAD app secret rotation (v1.1+) — auto-rotate the Teams SSO secret before its 90-day expiry.

We do not use this access to:

  • Read your Cosmos data (we never connect to your Cosmos).
  • Read your Key Vault secrets (the AAD app secret is the only secret we created; we don’t read it back).
  • Run code as your tenant (we use our own Contributor scope only on the Managed RG).

How to verify

Anything we do gets logged in your Activity Log under the Managed RG with the principal PointOfContactAI-Orchestrator (our app id d3393ba1-85a0-496c-8c07-49d020e1fabd). If you see anything you don’t expect, open an issue.
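As an added example (not part of this page or the publisher's tooling), the script below sorts an exported Activity Log into expected and unexpected control-plane operations performed by the orchestrator principal. It assumes the field names of `az monitor activity-log list -o json` output and that the plan-upgrade PATCH of app settings surfaces as the `Microsoft.Web/sites/config/write` action; the sample entries are constructed.

```python
from typing import Dict, List

# App id of the publisher's orchestrator principal, as given on this page.
PUBLISHER_APP_ID = "d3393ba1-85a0-496c-8c07-49d020e1fabd"

# Control-plane actions this page says the publisher performs. Assumption: the
# plan-upgrade PATCH of app settings is logged as a Microsoft.Web/sites/config write.
# Note: blob publishing to the deployment container, AAD secret rotation and any
# Cosmos data access are data-plane / Entra operations and never appear in the
# Azure Activity Log, so this check only covers resource-manager operations.
EXPECTED_ACTIONS = {"Microsoft.Web/sites/config/write"}


def audit_publisher_activity(entries: List[dict], app_id: str = PUBLISHER_APP_ID,
                             expected: set = EXPECTED_ACTIONS) -> Dict[str, List[dict]]:
    """Split the publisher principal's Activity Log entries into expected / unexpected.

    `entries` is the JSON array from, for example:
      az monitor activity-log list --resource-group mrg-pointofcontactai-<guid> \
          --caller d3393ba1-85a0-496c-8c07-49d020e1fabd --offset 30d -o json
    Field names (caller, operationName.value, resourceId, eventTimestamp) follow that
    output shape (assumed). Reads are treated as expected (Contributor implies read);
    any other write/delete/action by the publisher principal is returned for review.
    """
    report: Dict[str, List[dict]] = {"expected": [], "unexpected": []}
    for e in entries:
        if (e.get("caller") or "").lower() != app_id.lower():
            continue  # not the publisher principal (you, Azure itself, a colleague)
        action = (e.get("operationName") or {}).get("value") or ""
        ok = action in expected or action.endswith("/read")
        report["expected" if ok else "unexpected"].append(
            {"time": e.get("eventTimestamp"), "action": action,
             "resource": e.get("resourceId")})
    return report


# Constructed sample entries (not real log data) in the az CLI output shape.
_MRG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mrg-pointofcontactai-0000"
SAMPLE_ENTRIES = [
    {"caller": PUBLISHER_APP_ID, "eventTimestamp": "2024-05-01T10:00:00Z",
     "operationName": {"value": "Microsoft.Web/sites/config/write"},
     "resourceId": _MRG + "/providers/Microsoft.Web/sites/fa-customer/config/appsettings"},
    {"caller": PUBLISHER_APP_ID, "eventTimestamp": "2024-05-01T10:05:00Z",
     "operationName": {"value": "Microsoft.KeyVault/vaults/write"},
     "resourceId": _MRG + "/providers/Microsoft.KeyVault/vaults/kv-customer"},
    {"caller": "admin@customer.example", "eventTimestamp": "2024-05-01T11:00:00Z",
     "operationName": {"value": "Microsoft.DocumentDB/databaseAccounts/write"},
     "resourceId": _MRG + "/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-customer"},
]

if __name__ == "__main__":
    for bucket, items in audit_publisher_activity(SAMPLE_ENTRIES).items():
        for item in items:
            print(f"{bucket:10} {item['time']} {item['action']} {item['resource']}")
```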