Troubleshooting Private Plans in the commercial marketplace

This article discusses various issues and solutions when troubleshooting private plans.

Customer Blockers and Common Solutions

Here 's some common customer-blocking issues and information on how to resolve them.

How do I control my costs, and understand how much I'm spending on marketplace?

Involve your Microsoft account team for a detailed analysis of your particular environment, Azure subscription hierarchy, and EA setup.

For more information, see Cost Management Billing Overview.

Azure Administrator

  • The Azure Administrator is responsible for controlling users' Role Based Access Control. They have the ability to grant Marketplace purchase rights, and determine how these rights can be exercised, and into which Azure Subscriptions the user has access control.
  • Involve your Microsoft account team for a detailed analysis of your particular environment, Azure subscription hierarchy, and EA setup.
  • Microsoft recommends that at least two users carry the Azure Administrator role. Refer to the appropriate documentation.
  • For more information, see the documentation on Roles and Security Planning.

Marketplace purchases succeeded, but the deployment fails. The error message typically refers to contracts terms and conditions, what else can be going on?

  • Azure gives customers a blank slate in terms of security policies. These policies can have negative consequences. For example, they can block the deployment of marketplace resources into a particular Azure Subscription or Resource Group.
  • Involve your Microsoft account team for a detailed analysis of your particular environment, Azure subscription hierarchy, and Resource Group policies.
  • Upstream policies, implemented at higher levels of the Azure Subscription hierarchy can be hidden. If the policy that blocks the deployment isn't immediately evident, capture the API flow using a network browser trace (HAR) file. HAR files provide a trace of the HTTPS calls, and a log of the messages sent and received, during the deployment flow. Analysis of the HAR log helps you and Microsoft identify the ID of the specific policy causing the deployment failure.
  • Involve your Microsoft account team for a detailed analysis of your particular environment, Azure subscription hierarchy, and EA setup.
  • The Azure Administrator has to either add the new Marketplace resource to the list of allowed deployments, or temporarily suspend the policy until the deployment is done.

Marketplace purchase and deployment succeeds, but at a later date, they fail with no indication of the root cause. What else can be going on?

  • Remember that automated robots might scan the Azure Subscription for nonauthorized resources and delete them automatically. Investigate the automated security scans if a Marketplace deployment initially succeeds and then fails at a later stage. Also examine their logs for the root cause and eventual corrective action.


Microsoft gives customers a blank slate in terms of how to setup your Azure Account Hierarchy, your Tenants, Subscriptions, and Resource Groups.

  • Involve your Microsoft account team for a detailed analysis of your particular environment, Azure subscription hierarchy, Tenant IDs, and Resource groups.
  • Any user can have access to multiple subscriptions, tenant IDs, and Resource Groups. But only one is needed for the creation and deployment of a Private Plan in Marketplace.
  • It's imperative that you provide the independent software vendor (ISV) with the correct Tenant ID that's the default for your user. The Tenant ID is associated with a specific EA, and Billing Account, and that's the entity that will "buy" the Marketplace Private Plan.
  • If you can't "see" a Private Plan, investigate your Azure Subscription Hierarchy, whether the Tenant ID that your user defaults to is the same as what you provided.
  • Remember to "switch" Tenant IDs in the Azure portal to the Tenant ID that you provided to the ISV if you want to purchase under a Tenant ID that isn't the same as your default Tenant ID.
  • For more information, see Subscription Design Strategies in the Subscription Decision Guide.

Azure Subscription Hierarchy

While troubleshooting the Azure Subscription Hierarchy, keep these things in mind:

  • Can be up to six levels deep.
  • Security and resource group policies propagate down and affect Marketplace deployment, Private Plan audience, automation, etc.
  • ISV must ensure the right Subscription is being used by the end user when searching for Private Plans or deploying – users can access multiple subscriptions, and the mapping is nontrivial.

Displays the Azure subscription hierarchy

Troubleshooting Checklist

  • ISV to ensure the SaaS private plan is using the correct tenant ID for the customer - How to find your Microsoft Entra tenant ID. For VMs use the Azure Subscription ID.
  • ISV to ensure that the Customer isn't buying through a Cloud Solution Provider (CSP). Private Plans aren't available on a CSP-managed subscription.
  • ISV to ensure the purchaser tenant ID is always present in the private audience list and isn't removed until the customer SaaS subscription is unsubscribed as this could have potential consequences of managing or sending meter usage for that customer SaaS subscription.
  • Customer to ensure customer is logging in with an email ID that is registered under the same tenant ID. Use the same user ID they used in the preceding step #1.
  • ISV to ask the customer to find the Private Plan in Azure Marketplace: Private plans in Azure Marketplace
  • Customer to ensure marketplace is enabled - Azure Marketplace – if it isn't, the user has to contact their Azure Administrator to enable marketplace, for more information regarding Azure Marketplace, see Azure Marketplace.
  • (Customer) If the offer is still not visible, it's possible that the customer has Private Marketplace enabled - Customer to Ask the Azure Administrator to enable the specific Private Plan in Private Marketplace: Create and manage private Azure Marketplace collections in the Azure portal
  • If the Private Plan is visible, and the deployment fails, the troubleshooting moves to ensuring the customer allows for Marketplace billing:
    • (Customer) The Azure Administrator must follow the instructions at Enable Azure Marketplace purchases, and discuss with their Microsoft Representative the steps to enable billing for Marketplace.
    • (customer) Enable Azure Marketplace purchases explains the details to enable Marketplace billing for customers with an Azure Enterprise Agreement.

If all else fails, open a ticket and create a HAR file

  • If a customer has issues making a purchase on marketplace, a HAR file is a lifesaver. It's a type of log generated by the browser, which traces all the calls made between the APIs, using HTTP. Microsoft CSS requires a HAR file before moving forward and troubleshooting.
  • How do you create a HAR file?

Next steps