Create and manage Private Azure Marketplace (preview) in the Azure portal

Private Azure Marketplace (preview) lets administrators govern which third-party solutions their users can use. It does this by allowing you to deploy only offers that you approve and that comply with your enterprise's policies. With Private Azure Marketplace, your users can search the online store for compliant offers to purchase and deploy.

As a Marketplace admin (assigned role), you will start with a disabled and empty Private Store where you can add your approved offers and plans. This article explains how to create, manage, and enable Private Azure Marketplace for your users.

Notes:

  • Private Azure Marketplace is at a tenant level, so all users under the tenant will see the same curated list.
  • All Microsoft solutions are automatically added to Private Azure Marketplace.

Assign the Marketplace admin role

The tenant Global administrator must assign the Marketplace admin role to the Private Azure Marketplace admin who will manage the private store.

Important

Access to Private Azure Marketplace management is only available to IT admins with the Marketplace admin role assigned.

Prerequisites

You must meet these prerequisites before you can assign the Marketplace Admin role to a user on the tenant scope:

  • You have access to a Global administrator user.
  • The tenant has at least one Subscription (can be any type).
  • The Global administrator user is assigned the Contributor role or higher for the subscription from the previous prerequisite.
  • The Global administrator user has elevated access set to Yes (see elevate-access-global-admin).

Assign the Marketplace admin role with PowerShell

Use the following PowerShell script to assign the Marketplace Admin role; it requires the following parameters:

  • TenantId: The ID of the tenant in scope (Marketplace admin role is assignable on the tenant scope).
  • SubscriptionId: A subscription on which the global admin has the Contributor role or higher assigned.
  • GlobalAdminUsername: The username of the global admin.
  • UsernameToAssignRoleFor: The user name to which the Marketplace admin role will be assigned.

Note

For guest users invited to the tenant, it may take up to 48 hours until their account is available for assigning the Marketplace admin role. For more information, see Properties of an Azure Active Directory B2B collaboration user.

function Assign-MarketplaceAdminRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$TenantId,

        [Parameter(Mandatory)]
        [string]$SubscriptionId,

        [Parameter(Mandatory)]
        [string]$GlobalAdminUsername,

        [Parameter(Mandatory)]
        [string]$UsernameToAssignRoleFor
    )

    $MarketplaceAdminRoleDefinitionName = "Marketplace Admin"

    Write-Output "TenantId = $TenantId"
    Write-Output "SubscriptionId = $SubscriptionId"
    Write-Output "GlobalAdminUsername = $GlobalAdminUsername"
    Write-Output "UsernameToAssignRoleFor = $UsernameToAssignRoleFor"

    Write-Output "$($GlobalAdminUsername) is about to assign '$($MarketplaceAdminRoleDefinitionName)' role for $($UsernameToAssignRoleFor)"

    # Sign in. The result is stored in $azProfile because $profile is a PowerShell automatic variable.
    $azProfile = Connect-AzAccount -Tenant $TenantId -SubscriptionId $SubscriptionId

    if ($null -eq $azProfile)
    {
        Write-Error -Message "Failed to connect to tenant and/or subscription" -ErrorAction Stop
    }
    elseif ($azProfile.Context.Account.Id -ne $GlobalAdminUsername)
    {
        # Stop here: continuing would make the role assignment under a different account.
        Write-Error -Message "Connected with $($azProfile.Context.Account.Id) instead of with the global admin that was specified in the script parameters, which is $($GlobalAdminUsername)" -ErrorAction Stop
    }
    else
    {
        Write-Output "$($GlobalAdminUsername) was connected successfully to Tenant=$($azProfile.Context.Tenant), Subscription=$($azProfile.Context.Subscription), AccountId=$($azProfile.Context.Account.Id), Environment=$($azProfile.Context.Environment)"
    }

    # Confirm that the role definition exists before trying to assign it.
    $MarketPlaceAdminRole = Get-AzRoleDefinition -Name $MarketplaceAdminRoleDefinitionName

    if ($null -eq $MarketPlaceAdminRole)
    {
        Write-Error -Message "'$($MarketplaceAdminRoleDefinitionName)' role is not available" -ErrorAction Stop
    }
    else
    {
        Write-Output "'$($MarketplaceAdminRoleDefinitionName)' role is available"
    }

    Write-Output "About to assign '$($MarketplaceAdminRoleDefinitionName)' role for $($UsernameToAssignRoleFor)..."

    # Elevated access shows up as a User Access Administrator assignment on the root scope "/".
    # Assignments to groups and service principals have no SignInName, so those are skipped before comparing.
    $elevatedAccessOnRoot = @(Get-AzRoleAssignment | Where-Object { $_.RoleDefinitionName -eq "User Access Administrator" -and $_.Scope -eq "/" -and $_.SignInName -and $_.SignInName.Trim().ToLower() -eq $GlobalAdminUsername.Trim().ToLower() })

    if ($elevatedAccessOnRoot.Count -eq 0)
    {
        Write-Error -Message "$($GlobalAdminUsername) doesn't have permissions to assign '$($MarketplaceAdminRoleDefinitionName)'. Please verify it has elevated access 'On' in portal, https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin" -ErrorAction Stop
    }
    else
    {
        Write-Output "$GlobalAdminUsername has elevated access on root"
    }

    # Assign the role on the Marketplace provider scope.
    New-AzRoleAssignment -SignInName $UsernameToAssignRoleFor -RoleDefinitionName $MarketplaceAdminRoleDefinitionName -Scope "/providers/Microsoft.Marketplace"
}

Assign-MarketplaceAdminRole

For more information about the cmdlets contained in the Az.Portal PowerShell module, see Microsoft Azure PowerShell: Portal Dashboard cmdlets.
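
To check the result of the assignment script, the following added example (not part of the original article or its script) lists who holds the Marketplace Admin role on the /providers/Microsoft.Marketplace scope and which principals still have elevated access on the root scope. The function name Get-MarketplaceAdminAudit, its ExpectedAdmins parameter and the sample sign-in name are hypothetical; it assumes that reading role assignments with -Scope on the Marketplace provider scope works the same way as the assignment above.

```powershell
# Added example; Get-MarketplaceAdminAudit and -ExpectedAdmins are hypothetical names.
# Assumes Connect-AzAccount was already run by an account that can read role assignments on both scopes.
function Get-MarketplaceAdminAudit {
    [CmdletBinding()]
    param(
        # Sign-in names that are supposed to hold the Marketplace Admin role.
        [Parameter(Mandatory)]
        [string[]]$ExpectedAdmins
    )

    $marketplaceScope = "/providers/Microsoft.Marketplace"
    $expected = @($ExpectedAdmins | ForEach-Object { $_.Trim() })

    # Holders of Marketplace Admin on the scope used by the assignment script.
    $holders = @(Get-AzRoleAssignment -Scope $marketplaceScope | Where-Object {
        $_.RoleDefinitionName -eq "Marketplace Admin" -and $_.Scope -eq $marketplaceScope
    })

    # Elevated access appears as User Access Administrator on the root scope "/".
    $elevated = @(Get-AzRoleAssignment | Where-Object {
        $_.RoleDefinitionName -eq "User Access Administrator" -and $_.Scope -eq "/"
    })

    foreach ($assignment in ($holders + $elevated)) {
        # Groups and service principals have no SignInName; fall back to other identifiers.
        $principal = @($assignment.SignInName, $assignment.DisplayName, $assignment.ObjectId) |
            Where-Object { $_ } | Select-Object -First 1
        if ($assignment.Scope -eq "/") {
            $finding = "Elevated access still on"
        }
        elseif ($expected -contains $principal) {   # -contains is case-insensitive
            $finding = "Expected Marketplace admin"
        }
        else {
            $finding = "Unexpected Marketplace admin"
        }

        [pscustomobject]@{
            Finding    = $finding
            Principal  = $principal
            ObjectType = $assignment.ObjectType
            Role       = $assignment.RoleDefinitionName
            Scope      = $assignment.Scope
        }
    }
}

# Constructed sample value; replace with the accounts you approved.
Get-MarketplaceAdminAudit -ExpectedAdmins "marketplace.admin@contoso.example" | Format-Table -AutoSize
```

A row marked "Elevated access still on" corresponds to the elevated access prerequisite above being set to Yes for that principal.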

Create Private Azure Marketplace

  1. Sign in to the Azure portal.

  2. Select All services and then Marketplace.

    Azure portal main window.

  3. Select Private Marketplace from the options on the left.

    Selecting Private Marketplace on the Azure portal main window.

  4. Select Get Started to create Private Azure Marketplace (you only have to do this once).

    Selecting Get Started on the Azure portal main window.

    If Private Azure Marketplace already exists for this tenant, Manage Marketplace will be selected by default.

  5. Once completed you will have an empty and disabled Private Azure Marketplace.

    The empty Private Azure Marketplace screen.

An item is a combination of an offer and a plan. You can search for and add items on the Manage Marketplace page.

  1. Select Add items.

  2. Browse the Gallery or use the search field to find the item you want.

    Browsing the gallery or using the search field.

  3. By default, when you add a new offer, all of its current plans are added to the allowed list. To modify the plan selection before adding the selected items, select the drop-down menu in the offer's tile and update the required plans.

    Update required plans.

  4. Select Done at the bottom-left after you've made your selections.

Note

Add Items to the Marketplace will be available for non-Microsoft offers only. Microsoft offers are allowed by default.

Edit item plans

You can edit an item's plans in the Manage Marketplace page.

  1. In the Plans column, review the available plans from the dropdown menu for that item.

  2. Select or clear the checkboxes to choose which plans to make available to your users.

    Selecting or clearing the check box for the required item.

Note

Each offer needs at least one plan selected in order for the update to occur. To remove all plans related to an offer, delete the entire offer (see next section).

Delete offers

In the Manage Marketplace page, select the check box next to the offer name (see screen above) and select Delete items.

Enable/disable Private Azure Marketplace

In the Manage Marketplace page you will see one of these banners, which show the current state of Private Azure Marketplace:

Disable state banner

Enable state banner

You can enable or disable Private Azure Marketplace as needed.

  1. If disabled, select Enable Private Marketplace to enable.
  2. If enabled, select Disable Private Marketplace to disable.

Browsing Private Azure Marketplace

When Private Azure Marketplace is enabled, users will see which plans the Marketplace admin has allowed.

  • A green Allowed notice indicates a Partner (non-Microsoft) offer that is allowed.
  • A blue Allowed notice indicates a Microsoft offer that is allowed.

Users can filter between offers that are and are not allowed:

Filtering option.

Buy or deploy in Private Azure Marketplace

While the product details page experience is similar to the public Azure Marketplace, there are three Private Azure Marketplace specific scenarios.

  • When a user selects an allowed plan, the Create button is enabled:

    Offer banner noting a plan can be created.

  • When a user selects a non-allowed plan, a banner notes that the plan is not allowed and the Create button is disabled.

    Offer banner noting a plan cannot be created.

  • If a product plan selection does not appear in the product details page but the admin approved one or more plans, a banner notes which plans are allowed and the Create button is enabled:

    Offer banner noting that a plan can be created and showing available plans.

Contact support

For Azure Marketplace support, visit Microsoft Q&A.