Create and manage Private Azure Marketplace collections in the Azure portal

  • Article

Note

This article covers Private Azure Marketplace collections.

Private Azure Marketplace lets administrators govern which third-party solutions their users can use. It does this by allowing the user to deploy only offers that are approved by the administrator and comply with your enterprise's policies. With Private Azure Marketplace, users can search the online store for compliant offers to purchase and deploy.

As a Marketplace admin (assigned role), you will start with a disabled and empty Private Marketplace and one collection where you can add your approved offers and plans. This article explains how to assign the needed role, create a private store, manage collections and items, approve user requests, and enable Private Azure Marketplace for your users.

Note

  • Private Azure Marketplace is at a tenant level; once enabled, it will set the policy for all users under the tenant.
  • Manage the approved list on a subscription level using collections.
  • All Microsoft solutions (including Endorsed Linux Distributions) are automatically added to Private Azure Marketplace.

Assign the Marketplace admin role

The tenant Global administrator must assign the Marketplace admin role to the Private Azure Marketplace admin who will manage the private store.

Important

Access to Private Azure Marketplace management is only available to IT admins with the Marketplace admin role assigned.

Prerequisites

These prerequisites are required before you can assign the Marketplace Admin role to a user on the tenant scope:

  • You have access to a Global administrator user.
  • The tenant has at least one subscription (can be any type).
  • The Global administrator user is assigned the Contributor role or higher for the chosen subscription.

Assign the Marketplace admin role with access control (IAM)

  1. Sign in to the Azure portal.

  2. Select All services and then Marketplace.

  3. Select Private Marketplace from the menu on the left.

    Shows the private marketplace menu option on the left side of the Marketplace.

  4. Select Access control (IAM) to assign the Marketplace admin role.

    Shows the I A M access control screen.

  5. Select + Add > Add role assignment.

  6. Under Role, choose Marketplace Admin.

    Shows the Role assignment menu.

  7. Select the desired user from the dropdown list, then select Done.

Assign the Marketplace admin role with PowerShell

Use the following PowerShell script to assign the Marketplace Admin role; it requires the following parameters:

  • TenantId: The ID of the tenant in scope (Marketplace admin role is assignable on the tenant scope).
  • SubscriptionId: A subscription of which the global admin has Contributor role or higher assigned.
  • GlobalAdminUsername: The username of the global admin.
  • UsernameToAssignRoleFor: The user name to which the Marketplace admin role will be assigned.

Note

For guest users invited to the tenant, it may take up to 48 hours until their account is available for assigning the Marketplace Admin role. For more information, see Properties of an Azure Active Directory B2B collaboration user.

For more information about the cmdlets contained in the Az.Portal PowerShell module, see Microsoft Azure PowerShell: Portal Dashboard cmdlets.

Create Private Azure Marketplace

  1. Sign in to the Azure portal.

  2. Select All services and then Marketplace.

    Shows the Azure portal main window.

  3. Select Private Marketplace from the left-nav menu.

  4. Select Get Started to create Private Azure Marketplace (you only have to do this once).

    Shows how to select the 'Get Started on the Azure portal' main window.

    If Private Azure Marketplace already exists for this tenant, Manage Marketplace will be selected by default.

  5. Once completed you will have a disabled Private Azure Marketplace with one Default Collection.

    Shows the empty Private Azure Marketplace screen.

    Note

    • Default Collection is a system-generated collection set with the scope of all the subscriptions under the same tenant.
    • The name and scope of the Default Collection cannot be changed, and the collection cannot be deleted.

An item is a combination of an offer and a plan. You can search for and add items on the collection page.

  1. Select the collection name to manage that collection.

  2. Select Add items.

  3. Browse the Gallery or use the search field to find the item you want.

    Shows how to browse the gallery or use the search field.

  4. As default, when adding a new offer, all current plans will be added to the approved list. To modify the plan selection before adding the selected items, select the drop-down menu in the offer and update the required plans.

    Shows how to update required plans.

  5. Select Done at the bottom-left after you've made your selections.

Note

Add Items to the Marketplace will be available for non-Microsoft offers only. Microsoft solutions (including Endorsed Linux Distributions) will be tagged as "Approved by default" and cannot be managed in Private Marketplace.

Edit item plans

Edit an item's plans on the collection page.

  1. In the Plans column, review the available plans from the dropdown menu for that item.

  2. Select or clear the check boxes to choose which plans to make available to your users.

    Shows how to select or clear the check box for the required item.

    Note

    Each offer needs at least one plan selected for the update to occur. To remove all plans related to an offer, delete the entire offer (see next section).

Delete items

On the collection page, check the box next to the offer name and select Delete items.

Shows how to select the check box and choose 'Delete items'.

Copy items

  1. On the manage collection page, check the box next to the offer name and select Copy items.

    Shows the Copy Items button.

  2. In the right pane, select the destination collection (if needed, create a new collection by selecting Create new collection).

    Shows the Create a Collection dialogue box.

  3. Select Copy.

Enable/disable a collection

  1. The Manage collection page will display a banner showing the current state of the collection:

    Shows the Collection Disabled banner.

    Shows the Collection Enabled banner.

  2. On the Manage Marketplace page, select the collection and use the top action bar to enable or disable the collection.

    Shows the Manage Marketplace action bar with enable and disable collection buttons.

Enable/disable Private Azure Marketplace

The Manage Marketplace page displays one of these banners showing the current state of Private Azure Marketplace:

Shows the Private Azure Marketplace Disabled banner.

Shows the Private Azure Marketplace Enabled banner.

To enable or disable Private Azure Marketplace:

  1. Select Settings from the left-nav menu.
  2. Select the radio button for the desired status.
  3. Select Apply on the bottom of the page.

Add new collection

With collections, Marketplace Admin (assigned role) can create multiple lists of approved items which will be available for different subscriptions throughout their organization.

  1. Select Add collection.

  2. Name your collection.

  3. Select subscriptions from the drop-down menu.

  4. Select Create at the bottom (not shown below) after you've made your selections.

    Shows the Create a Collection dialog box.

  5. This creates a new empty and disabled Private collection. Select a collection name to manage it.

    Shows a new and empty Collection Items window.

Update collection properties

  1. Select the name of the collection you want to manage.

  2. Select Collection properties from the left-nav menu.

    Shows the Collection Properties window.

  3. Update the name and selected subscriptions as needed.

  4. Select Apply (not shown).

Delete a collection

On the Manage Marketplace page, check the box next to the collection name and select Delete collection.

Shows the Private Azure Marketplace screen with the 'Delete collection' button highlighted.

Note

Default Collection is a system-generated collection and can't be deleted.

Private Azure Marketplace notification center

Notification Center consists of three types of notifications and allows the Marketplace admin to take actions based on the notification:

  • Approval requests from users for items that are not in the approved list (see Request to add offers or plans below).
  • New plan notifications for offers that already have one or more plans in the approved list.
  • Removed plan notifications for items that are in the approved list but were removed from the global Azure Marketplace.

To access the notification center:

  1. Select Notifications from the left-nav menu.

    Shows the Notifications menu.

  2. Select an ellipsis menu on the right for more actions.

    Shows the More Options menu results.

  3. For plan requests, Show requests opens the approval request form where you can review all user requests for the specific offer.

  4. Select Approve or Reject.

    Shows the approve and reject options.

  5. Select the plan to approve from the drop-down menu.

  6. Select the collection to add the offers/plans to.

  7. Add a comment and select Submit.

Notifications settings

Marketplace Admin (assigned role) can enable email notifications from Private Azure Marketplace for the list of notifications mentioned above.

To enable notifications:

  1. Select Settings from the left-nav menu.
  2. To send notification to the Marketplace Admin group click the checkbox next to the “Send all marketplace admins”.
  3. To send notifications to an Azure AD group select Add recipients (only Microsoft 365 groups can receive email notifications).
  4. Select the desired Azure AD group from the list, then select Add.

For more information about creating and managing Microsoft 365 Azure AD Groups, refer to How to manage groups.

Browsing Private Azure Marketplace (User experience)

When Private Azure Marketplace is enabled, users will see which plans the Marketplace admin has approved.

  • A green Approved notice indicates a Partner (non-Microsoft) offer that is approved.
  • A blue Approved notice indicates a Microsoft offer (including Endorsed Linux distributions) that is approved.

Users can filter between offers that are and are not approved:

Shows the filtering option.

Buy or deploy in Private Azure Marketplace

While the product details page experience is similar to the global Azure Marketplace, there are three Private Azure Marketplace specific scenarios.

  • When a user selects a combination of approved plan and approved subscription, the Create button is enabled:

    Shows the offer banner noting a plan can be created.

  • If a product plan selection does not appear in the product details page but the admin approved one or more plans, a banner notes which plans are approved and the Create button is enabled:

    Shows the offer banner noting that a plan can be created and showing available plans.

  • When a user selects a non-approved plan or subscription, a banner notes the plan as not approved for the selected subscription and the Create button is disabled. The user can still request to add the plan to the approved list (see next section).

Request to add offers or plans

You can request to add a public offer or plan that is not currently approved in the Private Azure Marketplace.

  1. Select Request to add in the banner to open the Access request form.

    Shows the access request form for offers or plans.

  2. Select which plans to add to the request (Any Plan tells the Marketplace admin that you don't have a preference for a specific plan within an offer).

  3. Add a Justification and select Request to submit your request.

  4. An indication for a pending request will appear in the Access request form with an option to Withdraw request.

    Shows a list of approved or pending plans with Withdraw Request link.

Note

Once submitted, the approval request form will be sent to the Notification Center for the Marketplace admin to review the request and take action.

Frequently Asked Questions (FAQs)

I am already blocking Marketplace third-party application through Azure Policy. How is this different?

There are currently two ways to restrict third-party services in Marketplace:

  1. Through EA portal or the Azure portal, disable third-party services or restrict to "Free or BYOL SKUs only".

    Shows how to restrict services in the Azure portal.

    Shows how to restrict services in the E A portal.

  2. Create an Azure policy to only allow specific VMs. For details on how to enforce policy to Windows VMs, see Apply policies to Windows VMs with Azure Resource Manager.

Private Azure Marketplace allows more flexibility on restricting and allowing specific offers and plans. It informs end users on the availability for deployment in the marketplace gallery even before they try to deploy third-party services. To allow deployment of third-party services, set Azure Marketplace to On/Enabled in EA Portal and the Azure portal.

  • Private Azure Marketplace can curate partner solutions not limited to virtual machines.
  • Private Azure Marketplace can curate at the plan level and can also set "Current and future plan".
  • Private Azure Marketplace can inform the end users up front on what can and cannot be deployed.

What's the difference between a Private Offer and Private Azure Marketplace?

A Private Offer lets partners create plans that are only visible to targeted customers. This lets them privately share customized solutions with negotiated pricing, private terms and conditions, and specialized configurations. For details, see Private offers in the commercial marketplace.

Private Azure Marketplace in the Azure portal lets administrators pre-approve which third-party solutions their users can deploy. With a Private Azure Marketplace, users can enjoy the benefits of Azure Marketplace by finding, buying, and deploying compliant offers. To manage subscription-based Private Offers in Private Marketplace, the Marketplace admin must have a minimum of "read" role on the specific subscription.

I added a Private Offer to the Private Azure Marketplace. Why is it not showing in the manage marketplace tab?

Subscription-based Private Offers are visible only for the listed subscriptions in the Private Offer settings. To view the Private Offer, ensure the global subscription filter is showing all the subscriptions.

Shows the private marketplace filter.

Can we include custom images in Private Azure Marketplace?

No. Private Azure Marketplace allows any IT administrator to manage and curate third-party solutions from global Azure Marketplace. Since custom images are not on global Azure Marketplace, the IT administrator cannot pick and choose your custom images. If you would like to share custom images, use Azure Compute Gallery.

  1. Step-by-step guide Create an Azure Compute Gallery (CLI, PowerShell).
  2. Create an image definition within an Azure Compute Gallery. Customer should choose Generalized for the OS-state field. (CLI, PowerShell).
  3. Bring managed image into the Azure Compute Gallery (CLI, PowerShell).
  4. The Azure Compute Gallery VM images would reside in one subscription. To make it available to other subscriptions, use an app registration (CLI, PowerShell).

Why do I see some offers Approved by default even though the partner is not Microsoft?

Microsoft supports Linux and open-source technology in Azure. Endorsed Linux distributions are supported on Azure and the price is integrated in virtual machines. Because Azure Linux Agent is already pre-installed on Azure Marketplace, it is treated like a Microsoft offer. Since Microsoft offers are approved by default, endorsed Linux distributions cannot be managed in Private Azure Marketplace and are approved by default.

Contact support