Create and manage Private Azure Marketplace in the Azure portal

Private Azure Marketplace lets administrators govern which third-party solutions their users can use. It does this by allowing the user to deploy only offers that are approved by the administrator and comply with your enterprise's policies. With Private Azure Marketplace, users can search the online store for compliant offers to purchase and deploy.

As a Marketplace admin (assigned role), you will start with a disabled and empty Private Store where you can add your approved offers and plans. This article explains how to assign the needed role, create a private store, manage items, approve user requests, and enable Private Azure Marketplace for your users.

Note

  • Private Azure Marketplace is at a tenant level, so all users under the tenant will see the same curated list.
  • All Microsoft solutions (including Endorsed Linux Distributions) are automatically added to Private Azure Marketplace.

Assign the Marketplace admin role

The tenant Global administrator must assign the Marketplace admin role to the Private Azure Marketplace admin who will manage the private store.

Important

Access to Private Azure Marketplace management is only available to IT admins with the Marketplace admin role assigned.

Prerequisites

These prerequisites are required before you can assign the Marketplace Admin role to a user on the tenant scope:

  • You have access to a Global administrator user.
  • The tenant has at least one subscription (can be any type).
  • The Global administrator user is assigned the Contributor role or higher for the chosen subscription.

Assign the Marketplace admin role with access control (IAM)

  1. Sign in to the Azure portal.

  2. Select All services and then Marketplace.

  3. Select Private Marketplace from the menu on the left.

    Shows the private marketplace menu option on the left side of the Marketplace.

  4. Select Access control (IAM) to assign the Marketplace admin role.

    Shows the I A M access control screen.

  5. Select + Add > Add role assignment.

  6. Under Role, choose Marketplace Admin.

    Shows the Role assignment menu.

  7. Select the desired user from the dropdown list, then select Done.

Assign the Marketplace admin role with PowerShell

Use the following PowerShell script to assign the Marketplace Admin role; it requires the following parameters:

  • TenantId: The ID of the tenant in scope (Marketplace admin role is assignable on the tenant scope).
  • SubscriptionId: A subscription of which the global admin has Contributor role or higher assigned.
  • GlobalAdminUsername: The username of the global admin.
  • UsernameToAssignRoleFor: The user name to which the Marketplace admin role will be assigned.

Note

For guest users invited to the tenant, it may take up to 48 hours until their account is available for assigning the Marketplace Admin role. For more information, see Properties of an Azure Active Directory B2B collaboration user.

function Assign-MarketplaceAdminRole { 
[CmdletBinding()] 
param( 
[Parameter(Mandatory)] 
[string]$TenantId, 
 
[Parameter(Mandatory)] 
[string]$SubscriptionId, 

 

[Parameter(Mandatory)] 
[string]$GlobalAdminUsername, 

 

[Parameter(Mandatory)] 
[string]$UsernameToAssignRoleFor 
) 

$MarketplaceAdminRoleDefinitionName = "Marketplace Admin" 

 

Write-Output "TenantId = $TenantId" 
Write-Output "SubscriptionId = $SubscriptionId" 
Write-Output "GlobalAdminUsername = $GlobalAdminUsername" 
Write-Output "UsernameToAssignRoleFor = $UsernameToAssignRoleFor" 

 

Write-Output "$($GlobalAdminUsername) is about to assign '$($MarketplaceAdminRoleDefinitionName)' role for $($UsernameToAssignRoleFor)" 

 

$profile = Connect-AzAccount -Tenant $TenantId -SubscriptionId $SubscriptionId

 

 
if($profile -eq $null) 
{ 
Write-Error -Message "Failed to connect to tenant and/or subscription" -ErrorAction Stop 
} 
elseif($profile.Context.Account.Id -ne $GlobalAdminUsername) 
{ 
Write-Error "Connected with $($profile.Context.Account.Id) instead of with the global admin that was specified in the script parameters, which is $($GlobalAdminUsername)" 
} 
else 
{ 
Write-Output "$($GlobalAdminUsername) was connected successfully to Tenant=$($profile.Context.Tenant), Subscription=$($profile.Context.Subscription), AccountId=$($profile.Context.Account.Id), Environment=$($profile.Context.Environment)" 
} 

 

$MarketPlaceAdminRole = Get-AzRoleDefinition $MarketplaceAdminRoleDefinitionName -Scope "/providers/Microsoft.Marketplace"

 

if($MarketPlaceAdminRole -eq $null) 
{ 
Write-Error -Message "'$($MarketplaceAdminRoleDefinitionName)' role is not available" -ErrorAction Stop 
} 
else 
{ 
Write-Output -Message "'$($MarketplaceAdminRoleDefinitionName)' role is available" 
} 

 

Write-Output -Message "About to assign '$($MarketplaceAdminRoleDefinitionName)' role for $($UsernameToAssignRoleFor)..." 

New-AzRoleAssignment -SignInName $UsernameToAssignRoleFor -RoleDefinitionName $MarketplaceAdminRoleDefinitionName -Scope "/providers/Microsoft.Marketplace" 

} 

Assign-MarketplaceAdminRole 

For more information about the cmdlets contained in the Az.Portal PowerShell module, see Microsoft Azure PowerShell: Portal Dashboard cmdlets.

Create Private Azure Marketplace

  1. Sign in to the Azure portal.

  2. Select All services and then Marketplace.

    Shows the Azure portal main window.

  3. Select Private Marketplace from the menu on the left.

  4. Select Get Started to create Private Azure Marketplace (you only have to do this once).

    Shows how to select the 'Get Started on the Azure portal' main window.

    If Private Azure Marketplace already exists for this tenant, Manage Marketplace will be selected by default.

  5. Once completed you will have an empty and disabled Private Azure Marketplace.

    Shows the empty Private Azure Marketplace screen.

An item is a combination of an offer and a plan. You can search for and add items on the Manage Marketplace page.

  1. Select Add items.

  2. Browse the Gallery or use the search field to find the item you want.

    Shows how to browse the gallery or use the search field.

  3. As default, when adding a new offer, all current plans will be added to the approved list. To modify the plan selection before adding the selected items, select the drop-down menu in the offer’s tile and update the required plans.

    Shows how to update required plans.

  4. Select Done at the bottom-left after you've made your selections.

Note

Add Items to the Marketplace will be available for non-Microsoft offers only. Microsoft solutions (including Endorsed Linux Distributions) will be tagged as “Approved by default” and cannot be managed in Private Marketplace.

Edit item's plans

You can edit an item's plans on the Manage Marketplace page.

  1. In the Plans column, review the available plans from the dropdown menu for that item.

  2. Select or clear the checkboxes to choose which plans to make available to your users.

    Shows how to select or clear the check box for the required item.

Note

Each offer needs at least one plan selected for the update to occur. To remove all plans related to an offer, delete the entire offer (see next section).

Delete offers

In the Manage Marketplace page, select the check box next to the offer name (see screen above) and select Delete items.

Enable/disable Private Azure Marketplace

In the Manage Marketplace page you will see one of these banners, which show the current state of Private Azure Marketplace:

Shows the 'Disable state' banner.

Shows the 'Enable state' banner.

You can enable or disable Private Azure Marketplace as needed.

  • If disabled, select Enable Private Marketplace to enable.
  • If enabled, select Disable Private Marketplace to disable.

Private Azure Marketplace notification center

Notification Center consists of three types of notifications and allows the Marketplace admin to take actions based on the notification:

  • Approval requests from users for items that are not in the approved list (see Request to add offers or plans below).
  • New plan notifications for offers that already have one or more plans in the approved list.
  • Removed plan notifications for items that are in the approved list but were removed from the global Azure Marketplace.

To access the notification center:

  1. Select Notifications from the left-side menu.

    Shows the Notifications menu.

  2. Select the ellipsis menu for more actions.

    Shows the More Options menu results.

  3. For plan requests, Show requests opens the approval request form where you can review all user requests for the specific offer.

  4. Select Approve or Reject.

    Shows the approve and reject options.

  5. Select the plan to approve from the drop-down menu.

  6. Add a comment and select Submit.

Browsing Private Azure Marketplace

When Private Azure Marketplace is enabled, users will see which plans the Marketplace admin has approved.

  • A green Approved notice indicates a Partner (non-Microsoft) offer that is approved.
  • A blue Approved notice indicates a Microsoft offer (including Endorsed Linux distributions) that is approved.

Users can filter between offers that are and are not approved:

Shows the filtering option.

Buy or deploy in Private Azure Marketplace

While the product details page experience is similar to the global Azure Marketplace, there are three Private Azure Marketplace specific scenarios.

  • When a user selects an approved plan, the Create button is enabled:

    Shows the offer banner noting a plan can be created.

  • If a product plan selection does not appear in the product details page but the admin approved one or more plans, a banner notes which plans are approved and the Create button is enabled:

    Shows the offer banner noting that a plan can be created and showing available plans.

  • When a user selects a non-approved plan, a banner notes the plan as not approved and the Create button is disabled. The user can still request to add the plan to the approved list (see next section).

Request to add offers or plans

You can request to add a public offer or plan that is not currently approved in the Private Azure Marketplace.

  1. Select Request to add in the banner to open the Access request form.

    Shows the banner with the 'Request to add' link.

    Shows the access request form for offers or plans.

  2. Select which plans to add to the request (Any Plan tells the Marketplace admin that you don't have a preference for a plan within an offer).

  3. Add a Justification and select Request to submit your request.

    Shows the access request form for offers or plans with sample entries.

  4. An indication for a pending request will appear in the Access request form with an option to Withdraw request.

    Shows a list of approved or pending plans with Withdraw Request link.

Note

Once submitted, the approval request form will be sent to the Notification Center for the Marketplace admin to review the request and take action.

Frequently Asked Questions (FAQs)

I am already blocking Marketplace third-party application through Azure Policy. How is this different?

There are currently two ways to restrict third-party services in Marketplace:

  1. Through EA portal or the Azure portal, disable third-party services or restrict to “Free or BYOL SKUs only”.

    Shows how to restrict services in the Azure portal.

    Shows how to restrict services in the E A portal.

  2. Create an Azure policy to only allow specific VMs. For details on how to enforce policy to Windows VMs, see Apply policies to Windows VMs with Azure Resource Manager.

Private Azure Marketplace allows more flexibility on restricting and allowing specific offers and plans. It informs end users on the availability for deployment in the marketplace gallery even before they try to deploy third-party services. To allow deployment of third-party services, set Azure Marketplace to On/Enabled in EA Portal and the Azure portal.

  • Private Azure Marketplace can curate partner solutions not limited to virtual machines.
  • Private Azure Marketplace can curate at the plan level and can also set “Current and future plan”.
  • Private Azure Marketplace can inform the end users up front on what can and cannot be deployed.

What's the difference between a Private Offer and Private Azure Marketplace?

A Private Offer lets publishers create plans that are only visible to targeted customers. This lets them privately share customized solutions with negotiated pricing, private terms and conditions, and specialized configurations. For details, see Private offers in the commercial marketplace.

Private Azure Marketplace in the Azure portal lets administrators pre-approve which third-party solutions their users can deploy. With a Private Azure Marketplace, users can enjoy the benefits of Azure Marketplace by finding, buying, and deploying compliant offers. To manage subscription-based Private Offers in Private Marketplace, the Marketplace admin must have a minimum of “read” role on the specific subscription.

I added a Private Offer to the Private Azure Marketplace, why is it not showing in the manage marketplace tab?

Subscription-based Private Offers are visible only for the listed subscriptions in the Private Offer settings. To view the Private Offer, ensure the global subscription filter is showing all the subscriptions.

Shows the private marketplace filter.

Can we include custom images in Private Azure Marketplace?

No. Private Azure Marketplace allows any IT administrator to manage and curate third-party solutions from global Azure Marketplace. Since custom images are not on global Azure Marketplace, the IT administrator cannot pick and choose your custom images. If you would like to share custom images, use Shared Image Gallery.

  1. Step-by-step guide Create a Shared Image Gallery (SIG) (CLI, PowerShell).
  2. Create an image definition within a SIG. Customer should choose Generalized for the OS-state field. (CLI, PowerShell).
  3. Bring managed image into the Shared Image Gallery (CLI, PowerShell).
  4. The SIG VM images would reside in one subscription. To make it available to other subscriptions, use an app registration (CLI, PowerShell).

Why do I see some offers Approved by default even though the publisher is not Microsoft?

Microsoft supports Linux and open-source technology in Azure. Endorsed Linux distributions are supported on Azure and the price is integrated in virtual machines. Because Azure Linux Agent is already pre-installed on Azure Marketplace, it is treated like a Microsoft offer. Since Microsoft offers are approved by default, endorsed Linux distributions cannot be managed in Private Azure Marketplace and are approved by default.

Contact support