Is there a way to restrict Marketplace?

  • Question

  • Hi,

    I am trying to find a solution to restrict Azure Marketplace. I know I can turn it on / off and that's it by default, but it doesn't meet my requirements. I need to enable it for one Resource Group, or at least one Subscription or list of users. 

    Quoting the Marketplace FAQ, there is a hint to use policies to control MP, "all customers can use Azure Policy to restrict deployment options for their Azure subscriptions, including management of Azure Marketplace resources.", but that's pretty much it. I haven't found any article or guide describing how to set such a policy, and just going through Microsoft documentation (such as Not allowed resource types) doesn't help me, since I don't know what resource to allow / disable. If I try to deploy the policy I get a list to choose resources from, but the resources have names such as "Microsoft.MarketplaceApps/classicDevServices", "Microsoft.MarketplaceOrdering/agreements" and "Microsoft.MarketplaceOrdering/offertype" among hundreds of other resource types. Based on the name I am not able to understand what the resource type means and I was not able to find any documentation describing them. 

    I tried some PowerShell commands to dig a bit deeper and got to 

    Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace, resourcetypes

    which returns about 150 lines, such as

    Microsoft.Marketplace                    {privategalleryitems, offerTypes, offerTypes/publishers, offerTypes/publishers/offers...}
    Microsoft.MarketplaceApps                {classicDevServices, operations, listCommunicationPreference, updateCommunicationPreference}
    Microsoft.MarketplaceOrdering            {agreements, operations, offertypes}  

    Based on that I am still not able to move on with my issue. Could anyone please help me with that? Is it even possible to restrict Marketplace in any way? 

    Thanks a lot for any help

    Jan Duchač



    • Edited by Duchy90 Tuesday, July 24, 2018 9:55 AM
    Tuesday, July 24, 2018 9:54 AM

All replies

  • Hi Duchy90,

    We don't have an out of the box ability to do this (except for the enrollment switch which you have already discovered), but you are on the right track. All marketplace items require agreements to be accepted. So theoretically by restricting access to the marketplaceordering API you can lock people out of being able to purchase marketplace items.

    Let me know how it goes.

    Ankit Sud

    Senior Program Manager

    Azure Marketplace

    Tuesday, July 24, 2018 6:04 PM
  • Hi Ankit,

    Thanks for your reply. My progress today is that I was able to create and assign a custom Azure Policy to deny all VM publishers except for Microsoft. I guess that's a first step in the right direction. Now I just have to figure out how to restrict other services, other than VMs, and I should be fine.

    Could anyone help me with restriction for, let's say, Check Point Security service? I have no idea how to recognize it. VMs are easy, since there is a "Microsoft.Compute/virtualMachines" resource type, but as for Security services, I have no idea which resource type to use in the script. The fact that I have never used JSON before and I am not a programmer might not help :-)

    Thanks again for any help.

    Jan Duchač


    Wednesday, July 25, 2018 1:42 PM
  • Hi Ankit,

    I tried to figure out how to further restrict the Marketplace, but I was not successful yet :-( Right now I have made a simple policy that denies any VM not published by Microsoft. The code is as follows: 

    {
      "if": {
        "not": {
          "field": "Microsoft.Compute/imagePublisher",
          "like": "Microsoft*"
        }
      },
      "then": {
        "effect": "deny"
      }
    }

    I would need something more general, that would deny any service not published by Microsoft, but I just can't figure out how to modify the code for anything else than VMs. For example I wanted to deny any service from Marketplace > Networking so I used PowerShell cmdlet

    Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Network | fl resourcetypes

    to see if there is anything similar to imagePublisher, but I didn't find anything useful. Could you please help me modify the policy to simply deny anything from Marketplace, that was not published by Microsoft?

    Thanks a lot

    Best regards

    Jan Duchač

    Monday, July 30, 2018 2:18 PM
  • Hi Jan, have you seen this doc on authoring management policies? Hope it helps.
    • Proposed as answer by FemisuluModerator Tuesday, July 31, 2018 11:56 PM
    • Unproposed as answer by Duchy90 Wednesday, August 1, 2018 11:55 AM
    Tuesday, July 31, 2018 11:56 PM
    Moderator
  • Hi,

    thanks for the link. I went through the article, but I am not sure how it helps in my case :-(

    The article was about creating custom policy and as an example, they used VM restriction, which I already managed to create. Then it was about grouping multiple policies into one definition (which helps, but only once I am actually able to create the policies) and in the end, they talked about exceptions, which I am already able to create, since the UI has easy to understand options to set it up.

    My issue is about restricting all services from Marketplace (not just VMs or SQL DB, but pretty much anything that can be found in Marketplace). In the end one Resource Group would be able to use MP without restrictions and all other RGs in all subscriptions within EA could just use standard Azure services from Microsoft, such as Windows VMs and so on. So as an example, I need to stop users from activating services like "Citrix XenApp Essentials, Sophos XG Firewall, Sitecore Experience Cloud, Kentico CMS, Splunk Enterprise" (chosen randomly as an example). The problem is that as of now, I am only able to restrict VMs based on publisher / SKU or stuff like SQL database, but I just don't know how to define a policy that would restrict any of the services listed above.

    I don't even know if it is possible to create such a policy at all :-( So far no one from Microsoft was able to help me with this issue (I was in contact with a few MS TSPs directly, as well as some Azure MVPs). 

    Once again, thanks for any help.

    Best regards

    Jan Duchač




    • Edited by Duchy90 Wednesday, August 1, 2018 11:56 AM typo
    Wednesday, August 1, 2018 9:43 AM
  • Apologies, Duchy90. I must've misunderstood your ask. Unfortunately I don't believe there's any way to restrict all services from Marketplace. That said, I encourage you to file a feature request for this scenario so the responsible feature team can review and determine feasibility. Please send your feedback directly to the Marketplace feature team using this link.

    Have a nice weekend.

    Cheers.

    • Proposed as answer by FemisuluModerator Friday, August 3, 2018 11:06 PM
    • Marked as answer by Duchy90 Sunday, August 5, 2018 8:09 PM
    Friday, August 3, 2018 11:06 PM
    Moderator
  • Hi,

    no problem :-) Thanks for your help. I'll contact the MP team. 

    Best regards

    Jan Duchač

    Sunday, August 5, 2018 8:08 PM
  • Hello, I am looking for a policy exactly like this. Were you able to identify any solution?

    Vamsidhar M.

    Monday, August 26, 2019 2:05 AM