The application lifecycle has distinct decisions
Register and publish
A publisher identifies the application, its responsible party, release identity, requested integration surface, and declared data needs.
License or subscribe
A commercial relationship determines whether a tenant may install or use the software. It is an entitlement, not a data grant.
Install and consent
A tenant administrator evaluates requested access, creates or approves the tenant-specific application identity, and grants only the required authority.
Operate and revoke
Workload actions remain attributable, policy-bound, auditable, and independently revocable from the software license.
The separate publisher, license, tenant installation, workload identity, consent, and data-grant lifecycle is designed; the governed mutation and release path is not generally available.
Internal and external apps use the same trust boundary
Customer-built
A business can build internal software without giving the publisher or platform operator standing access to its data.
Partner-built
A partner can distribute software across multiple customers while every installation receives its own tenant context and grants.
Publicly licensed
A broadly available app still receives access only after the installing tenant’s policy and consent decisions.
The separate publisher, license, tenant installation, workload identity, consent, and data-grant lifecycle is designed; the governed mutation and release path is not generally available.
Applications consume governed interfaces
Customer control of the data plane does not mean every app receives raw database or query-language access.
Typed contracts
Applications integrate through versioned SDK, RPC, or API contracts that preserve authorization and validation boundaries.
Workload identity
Automation acts as an identified workload, optionally on behalf of a person, rather than borrowing a reusable human credential.
Resource-specific enforcement
The service holding the data verifies tenant, audience, action, and local policy before performing the operation.
The separate publisher, license, tenant installation, workload identity, consent, and data-grant lifecycle is designed; the governed mutation and release path is not generally available.
Local audience, tenant, revision, revocation, and resource-policy enforcement is a required design contract; conformance must be proven for each relying service.