Procurement recommendations and best practices
This article includes best practices and recommendations for procurement of solutions through the commercial marketplace. You can consult Microsoft's enterprise governance guide for best practices to add governance guardrails across your organization's Azure subscriptions, including those needed for deploying and purchasing cloud applications from Azure Marketplace.
Organizational hierarchy considerations
A well-structured organizational hierarchy helps you organize your cloud-based resources to procure efficiently from the marketplace, manage, and track costs. Azure provides four levels of management: management groups, subscriptions, resource groups, and resources. These hierarchies can be tailored to meet organizational needs, whether they're functional, organizational, or based on testing and production environments.
Any configured hierarchies apply equally to Azure Marketplace. When you purchase a solution from the marketplace, you're essentially deploying a resource into a resource group under an Azure subscription. Resources are deployed within a tenant and associated with an Azure subscription.
Example of a hierarchy structure:
To optimize resource organization, organizations should consult the governance guide for complex enterprises to learn Azure's governance guide, considering geographical and regional considerations.
Roles and permissions to purchase
Azure Marketplace uses Azure's role-based access control (RBAC) model for purchases. Users procuring solutions must have the right roles assigned. To learn more, see Roles and permissions to procure public or private offers. You can also learn how to list existing role assignments to users within your organization.
Consult the article private offers for the steps to procure a private offer, and the article offer pre-check report to confirm a user has all the necessary permissions to deploy private offers on their Azure subscription.
Decide on the preferred purchase setup
It's recommended to know in advance which subscriptions you want to use to purchase or subscribe to (for example, SaaS), and to run, and check who has permissions for that subscription. If you prefer to create a new subscription for the purchase, create it in advance and make yourself an owner of this subscription.
Some organizations prefer to create one subscription for all marketplace purchases and give procurement personas permissions to that subscription. This enables the procurement persona to complete all transactions by themselves. The purchases can later be moved to other subscriptions so they can be reflected under the correct cost centers.
Tag management
Tagging is an easy way to classify assets, and tags are a crucial part of organizing your Azure resources into a taxonomy. By following best practices, tags can be the basis for applying your business policies with Azure Policy or tracking Azure Marketplace costs with Cost Management. When tags are used to classify assets as part of a cost management effort, companies often need the following tags: business unit, department, billing code, geography, environment, project, and workload or application categorization. Microsoft Cost Management + Billing can use these tags to create different views of cost data, including resources deployed through Azure Marketplace.
Define your naming and tagging strategy as early as possible. A naming and tagging strategy include business and operational details. Follow this guidance for developing a tagging strategy. Ensure all workloads and resources follow proper naming and tagging conventions and enforce tagging conventions using Azure Policy. This will help your centralized governance teams make wise cost management decisions when deploying apps from the Azure Marketplace.
Configure subscription settings
After you decide on the subscription, make sure your subscription has been registered for marketplace resource providers, otherwise you won't be able to use it for deployments. In the Azure portal, go to: Subscriptions > Select the subscription > Select the resource providers > Filter by the word marketplace. Make sure all three results are enabled for Azure Marketplace.
Registering Microsoft partner applications via single sign-on (SSO)
To find if you can register Microsoft partner applications via single sign-on (SSO), check the Microsoft Entra ID menu on whether users can register applications. Activating a SaaS (Software as a Service) service requires SSO permissions to Microsoft partner applications:
To learn more, see Configure how users consent to applications. If you don't have the necessary permissions, you need to find someone in your organization who has them. In some organizations, there's a need for two or three different people who have each of the permissions. These people need to take action to complete the purchase.
Subscribing to SaaS solutions
For Software as a Service (SaaS) solutions, activation occurs outside Azure Marketplace, typically on the Independent Software Vendor's website. This process often requires Microsoft Entra permissions for single sign-on to Microsoft partner solutions. Configuring user consent to applications is a vital step in this process, see more information on configuring how users consent to applications.