Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes how to publish a public or private Managed Service offer to Azure Marketplace by using the Azure Marketplace program in Partner Center. Customers who purchase the offer can delegate subscriptions or resource groups, so you can manage them through Azure Lighthouse according to the access you specify in the offer.
Managed Service offer publishing requirements
You must have a valid Azure Marketplace account in Partner Center to create and publish offers. If you don't have an account, the sign-up process guides you through the steps of creating an account in Partner Center and enrolling in the Azure Marketplace program.
Per the Managed Service offer certification requirements, you must have Solutions Partner designation for Infrastructure (Azure) or Security to publish a Managed Service offer.
Decide between Managed Service offers and ARM template onboarding
If you don't want to publish a Managed Service offer to Azure Marketplace, or if you don't meet all the requirements, you can onboard customers to Azure Lighthouse manually by using Azure Resource Manager templates. Use the following table to help you determine whether to onboard customers by publishing a Managed Service offer or by using ARM templates.
| Consideration | Managed Service offer | ARM templates |
|---|---|---|
| Requires Azure Marketplace account in Partner Center | Yes | No |
| Requires Solutions Partner designation for Infrastructure (Azure) or Security | Yes | No |
| Available to new customers through Azure Marketplace | Yes | No |
| Can limit offer to specific customers | Yes (only with private plans, which can't be used with subscriptions established through a reseller of the Cloud Solution Provider (CSP) program) | Yes |
| Can automatically connect customers to your CRM system | Yes | No |
| Requires customer acceptance in Azure portal | Yes | No |
| Can use automation to onboard multiple subscriptions, resource groups, or customers | No | Yes |
| Immediate access to new built-in roles and Azure Lighthouse features | Not always (generally available after some delay) | Yes |
| Customers can review and accept updated offers in the Azure portal | Yes | No |
Note
Managed Service offers might not be available in Azure Government and other national clouds.
Create your Managed Service offer
For detailed instructions about how to create your offer, including all of the information and assets you need to provide, see Create a Managed Service offer.
To learn about the general publishing process, review the Azure Marketplace documentation. You should also review the Azure Marketplace certification policies.
When a customer adds your offer, they can delegate one or more subscriptions or resource groups. The delegated resources are then onboarded to Azure Lighthouse.
Important
Each plan in a Managed Service offer includes a Manifest Details section. In this section, you define the Microsoft Entra entities in your tenant that will have access to the delegated resource groups and subscriptions for customers who purchase that plan. It's important to be aware that permissions for any group, user, or service principal will apply to every customer who purchases the plan.
To assign different groups to work with each customer, publish a separate private plan that is exclusive to each customer. These private plans don't support subscriptions established through a reseller of the Cloud Solution Provider (CSP) program.
Publish your Managed Service offer
When you complete all of the sections, publish the offer. After you initiate the publishing process, your offer goes through several validation and publishing steps. For more information, see Review and publish an offer to Azure Marketplace.
You can publish an updated version of your offer at any time. For example, you might want to add a new role definition to a previously published offer. When you update the offer, customers who already added that offer see an icon in the Service providers page in the Azure portal to let them know an update is available. Each customer can review the changes and choose whether to update to the new version.
Customer onboarding process for Managed Service offers
After a customer adds your offer, they can delegate one or more specific subscriptions or resource groups to onboard to Azure Lighthouse. If a customer accepts an offer but doesn't delegate any resources, they see a note at the top of the Service provider offers section of the Service providers page in the Azure portal.
Important
Delegation must be done by an account in the customer's tenant who has a role with the Microsoft.Authorization/roleAssignments/write, Microsoft.Authorization/roleAssignments/delete, and Microsoft.Authorization/roleAssignments/read permissions, such as Owner, for the subscription to onboard (or which contains the resource groups to onboard). To find users who can delegate the subscription, a user in the customer's tenant can select the subscription in the Azure portal, open Access control (IAM), and view all users with the Owner role.
When the customer delegates a subscription (or one or more resource groups within a subscription), the process automatically registers the Microsoft.ManagedServices resource provider for that subscription. Users in your tenant can access the delegated resources according to the authorizations that you defined in your offer.
Note
To delegate more subscriptions or resource groups to the same offer at a later time, the customer must manually register the Microsoft.ManagedServices resource provider on each subscription before delegating.
If you publish an updated version of your offer, the customer can review the changes in the Azure portal and accept the new version.
Next steps
- Learn about Azure Marketplace.
- Learn about cross-tenant management experiences in Azure Lighthouse.
- View and manage customers by going to My customers in the Azure portal.