Using a certificate from a keyvault in azure app service in an azure managed application deployment #16243
Unanswered
renrutsirhc asked this question in Q&A
I am creating an Azure Managed Application that will be made available in the Azure Marketplace for deployment into customers' tenants. Among other things, the managed resource group includes a Key Vault and an App Service. In the Key Vault, there is an SSL certificate that I want to use for Azure App Service.
I have created a user-assigned managed identity for the App Service and granted it access in the Key Vault's access policy. The bit that I am stuck with is that I also need to grant 'get' permissions for certificates and secrets to the service principal for the Microsoft Azure App Service resource provider. (Docs here: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Caccesspolicy#import-a-certificate-from-key-vault) In order to do this, I need the objectId (a required property for the access policy) of the service principal, which is different in every customer tenant. The known information I have is the applicationId for the Microsoft Azure App Service resource provider, abfa0a7c-a6b6-4736-8310-5855508787cd, which is consistent across Azure. I'm stumped as to how to proceed here. Does anyone have any inspiration?
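The access policy entry described in the question, as an added example that is not part of the original post: it maps the fixed applicationId to the tenant-local objectId and builds a Key Vault access policy limited to `get` on secrets and certificates. It assumes the deployment can query Microsoft Graph (`GET /v1.0/servicePrincipals?$filter=appId eq '...'`) in the customer tenant and already holds the reply; the function names are hypothetical, and the sample reply, object ID and tenant ID are constructed placeholders.

```python
import json
import uuid

# Application ID of the Microsoft Azure App Service resource provider (from the post).
APP_SERVICE_RP_APP_ID = "abfa0a7c-a6b6-4736-8310-5855508787cd"

# Constructed sample of a Microsoft Graph reply to
#   GET /v1.0/servicePrincipals?$filter=appId eq '<APP_SERVICE_RP_APP_ID>'
# The object ID ("id"), display name and tenant ID are made-up placeholders.
SAMPLE_GRAPH_REPLY = json.dumps({
    "value": [{
        "id": "11111111-2222-3333-4444-555555555555",
        "appId": APP_SERVICE_RP_APP_ID,
        "displayName": "Microsoft Azure App Service",
    }]
})
SAMPLE_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def resolve_object_id(graph_reply: str, app_id: str = APP_SERVICE_RP_APP_ID) -> str:
    """Return the tenant-local object ID of the service principal for app_id."""
    matches = [sp for sp in json.loads(graph_reply).get("value", [])
               if sp.get("appId", "").lower() == app_id.lower()]
    if not matches:
        # The principal is absent from this tenant: fail instead of guessing.
        raise LookupError(f"no service principal for appId {app_id} in this tenant")
    if len(matches) > 1:
        raise LookupError(f"ambiguous: {len(matches)} service principals for {app_id}")
    # Reject anything that is not a GUID before it reaches an access policy.
    return str(uuid.UUID(matches[0]["id"]))


def build_access_policy(tenant_id: str, object_id: str) -> dict:
    """Key Vault accessPolicies entry holding only the two 'get' permissions."""
    return {
        "tenantId": str(uuid.UUID(tenant_id)),
        "objectId": str(uuid.UUID(object_id)),
        "permissions": {"secrets": ["get"], "certificates": ["get"]},
    }


if __name__ == "__main__":
    oid = resolve_object_id(SAMPLE_GRAPH_REPLY)
    print(json.dumps(build_access_policy(SAMPLE_TENANT_ID, oid), indent=2))
```

The returned dictionary has the shape of one element of the `accessPolicies` array on a `Microsoft.KeyVault/vaults` resource.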