2. Microsoft Code of Conduct
Microsoft’s mission is to empower every person and every organization on the planet to achieve more. This includes all
Microsoft events and gatherings, including on digital platforms, where we seek to create a respectful, friendly, fun and
inclusive experience for all participants.
We expect all digital event participants to uphold the principles of this Code of Conduct, which covers the main digital
event and all related activities. We do not tolerate disruptive or disrespectful behavior, messages, images, or
interactions by any party participant, in any form, at any aspect of the program including business and social activities,
regardless of location.
Microsoft will not tolerate harassment or discrimination based on age, ancestry, color, gender identity or expression,
national origin, physical or mental disability, religion, sexual orientation, or any other characteristic protected by
applicable local laws, regulations, and ordinances.
We encourage everyone to assist in creating a welcoming and safe environment. Please report any concerns, harassing
behavior, suspicious, or disruptive activity to Business Conduct Hotline (1-877-320-MSFT or buscond@microsoft.com).
Microsoft reserves the right to refuse admittance to or remove any person from Microsoft Build at any time at its sole
discretion.
3. Topics
• Azure Managed Applications
• Artifacts
• Partner Center
• Integrating VM Offers
• Metered Billing
• Custom UX
• Managing Customer Deployments
• Advanced Deployment Scenarios
• Test your knowledge
• Managed Identities
• And more…
4. Engagement
Put questions into chat at any time
Speakers will monitor chat as we go
Links on slides will be posted to chat
Please hold verbal questions until breaks or labs
6. Azure Applications
• A type of offer in the Azure Marketplace
• Deployed via ARM templates into the customer subscription
• Custom installation UX for customer
7. Types of Azure Applications
Azure Solution Application
• Deploys into customer tenant
• Customer owns and maintains it
• The publisher has no maintenance to do on the application
• Not transactable in the Azure Managed Application
Azure Managed Application
• Deploys to customer subscription
• Publisher owns and maintains it
• The publisher controls the rights the customer has to the solution services
• Transactable in the Azure Managed Application
10. What is a Managed Application?
A type of Azure Application
Maintenance of deployed resources is the publisher’s responsibility
Resources are deployed to a resource group managed by the publisher
2 Types – Internal and external
11. Internal vs. External
Internal
• Used for enterprise deployments
• Deployed via the Service Catalog
External
• Used for public offers
• Deployed via the Azure Marketplace
12. Why use a Managed Application?
• Protect IP
• Control environment updates
• Manage customer permissions on resources created in their subscription
• Enable different deployments based on different plans
13. Managed Application components
• Managed Resource Group (MRG)
• Application Resource Group
• Security Group (SG)
• Service Principal (SP)
14. Purchasing a Managed App
https://azuremarketplace.microsoft.com/ https://portal.azure.com/
35. The Partner Center portal
Publish offers on the Azure Marketplace and AppSource
Works with many different offer types
View Marketplace Subscriptions
Bill and get paid
36. Partner Center Summary Reports
Summary reports
Orders
Customers
Usage
Marketplace insights
Views across countries
38. Microsoft Commercial Marketplace billing types
Offer types: Virtual Machine, Azure Apps (Multi-VM), Container Image, Consulting & Managed Services, SaaS App, Office 365, Dynamics 365, PowerApps
Billing types: List (Contact), List (Trial), Free, BYOL, Transact
Legend: AppSource, Azure Marketplace, Both
Additional label: PaaS
39. Monetization
Virtual Machine
• Billing Cycle: Monthly *
• Pricing Model: Consumption per core/per hour
• Trial Options: 1-month or 3-months
Azure Apps (Multi-VM)
• Billing Cycle: Monthly *
• Pricing Model: Managed Apps: optional flat rate. Both: Leverage VM pricing
• Trial Options: Leverages VM pricing
SaaS App
• Billing Cycle: Monthly or Annual *
• Pricing Model: Flat-rate, Per-user, Consumption-based (metered event)
• Trial Options: 1-month
40. Changing Plan Pricing
A plan’s price is immutable
To “upgrade” one must purchase a different plan
A plan may deploy its resources incrementally
41. What are Azure Marketplace Meters?
• Consumable
• Meter ID
• Unit of Measure
• Quantity
• Report: 1 per hour; 1 per day (batch)
Example meters:
• m_parking: $1/hour; 2 hours; 2 units; $2
• m_charger: 100W incl + $1/W extra; 200W; 100 units; $100
42. AMA offer Pricing Options: Metered
Pricing Option / Description / Example Plans for an Offer
• Variable: Consumption based on variable usage.
  Example: Plan A - Number of Transactions $0.12/transaction
• Fixed + Variable: Consumption based on a fixed amount, plus variable usage.
  Example: Plan B - Basic $25/Month (2000 transactions included) + $0.10/transaction
• Multi-Dimension: Consumption based on multiple dimensions. Up to 10 dimensions allowed.
  Example: Plan C – Basic (Picture Send/Picture Received/Bandwidth(Mb))
    D1 – Picture Send $0.10/unit
    D2 – Picture Received $0.12/unit
    D3 – Per Megabit Send $0.25/unit
• Multi-Dimension Fixed + Variable: Combination of a fixed price and multi-dimension based consumption.
  Example: Plan D – Basic $10/Month (1000 Pictures Send, 1000 Received and 100 Megabits) + Picture Send/Picture Received/Bandwidth(Mb)
    D1 – Picture Send $0.10/unit
    D2 – Picture Received $0.12/unit
    D3 – Per Megabit Send $0.25/unit
45. Azure App
Components shown in the diagram:
• ARM Template (mainTemplate.json)
• VM Offer(s)
• Azure Portal UI Definition (createUiDefinition.json)
• Azure Services
• Metering
• Meter Service
• Marketplace Billing API (Once Certified)
• Azure Portal View Definition (viewDefinition.json)
* Optional
52. Azure Managed Application
Components shown in the diagram:
• ARM Template (mainTemplate.json)
• VM Offer(s)
• UI Definition (createUiDefinition.json)
• Azure Services
• Integrated VM Model: VM Offer (hidden), VM Template (.vhd), Base VM (Azure or Customer .vhd), App Code (binaries)
• Meter Service
• Marketplace Billing API (Once Certified)
• View Definition (viewDefinition.json)
* Optional
53. Creating the VM Technical Assets
Building the VM Image
Build the VM Image that will be used as a base for the Offer. You can use an MS Stock image or build your own custom image
Open Ports
Define the Open Ports you want to have in the Offer
(Optional) Data Disk Images
For each VM, you can attach up to fifteen (15) Data disks
57. Azure Marketplace
Data Sharing Pilot Architecture
Labels shown in the diagram:
• Publisher Subscription
• Consumer Subscription
• Raw Data Resource Group
• Data Share Resource Group
• Provider Managed Resource Group
• Consumer Managed Resource Group
• Data Share service
• Share 1, Share 2, Share 3
• Data Set
• Offer 1, Offer 2
• Plan 1, Plan 2
• Share Snapshot
• Share Subscription
• Webhook
• Azure Function
59. Webhook
Steps shown in the diagram:
• Customer provisions AMA
• AMA and managed resources deploy
• Webhook is called with status (shown twice)
• Webhook returns 200 (shown twice)
60. Deployment Status Notifications (Webhook)
• Called by the Azure Managed Application deployment process
• Communicates application status to an endpoint
• Stops when it reads a 200 response from the endpoint
POST https://{your_endpoint_URI}/resource?{optional_parameter}={optional_parameter_value}&sig=Guid HTTP/1.1
{
  "eventType": "PUT",
  "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>",
  "eventTime": "2019-08-14T19:20:08.1707163Z",
  "provisioningState": "Succeeded",
  "billingDetails": {
    "resourceUsageId": "<resourceUsageId>"
  },
  "plan": {
    "publisher": "publisherId",
    "product": "offer",
    "name": "skuName",
    "version": "1.0.1"
  }
}
https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-notifications
62. Webhook
Events in the Azure Managed Application lifecycle
EventType / ProvisioningState: Trigger for notification
• PUT / Accepted: Managed resource group has been created and projected successfully after application PUT (before the deployment inside the managed resource group is kicked off).
• PUT / Succeeded: Full provisioning of the managed application succeeded after a PUT.
• PUT / Failed: Failure of PUT of application instance provisioning at any point.
• PATCH / Succeeded: After a successful PATCH on the managed application instance to update tags, JIT access policy, or managed identity.
• DELETE / Deleting: As soon as the user initiates a DELETE of a managed app instance.
• DELETE / Deleted: After the full and successful deletion of the managed application.
• DELETE / Failed: After any error during the deprovisioning process that blocks the deletion.
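A receiver for the notification described above has to authenticate the caller, reject malformed or unexpected events, and tolerate repeats, since the call is retried until a 200 is read. The following sketch is an added example, not code from the slides or from Microsoft; it assumes the `sig` query value is a GUID the publisher chose as a shared secret, and `handle_notification`, `EXPECTED_SIG`, `KNOWN_EVENTS` and `SAMPLE_BODY` are hypothetical names.

```python
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder for the GUID appended to the endpoint URI as sig=...
EXPECTED_SIG = "00000000-0000-0000-0000-000000000000"
# (eventType, provisioningState) pairs from the lifecycle table above.
KNOWN_EVENTS = {
    ("PUT", "Accepted"), ("PUT", "Succeeded"), ("PUT", "Failed"),
    ("PATCH", "Succeeded"),
    ("DELETE", "Deleting"), ("DELETE", "Deleted"), ("DELETE", "Failed"),
}
REQUIRED = ("eventType", "provisioningState", "applicationId", "eventTime")
# Constructed sample notification, shaped like the payload shown above.
SAMPLE_BODY = json.dumps({
    "eventType": "PUT",
    "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>"
                     "/providers/Microsoft.Solutions/applications/<applicationName>",
    "eventTime": "2019-08-14T19:20:08.1707163Z",
    "provisioningState": "Succeeded",
})


def handle_notification(request_target, body, seen, expected_sig=EXPECTED_SIG):
    """Return (http_status, event_or_None) for one webhook POST."""
    sig = parse_qs(urlsplit(request_target).query).get("sig", [""])[0]
    # Constant-time comparison of the shared GUID; reject before parsing the body.
    if not hmac.compare_digest(sig.encode(), expected_sig.encode()):
        return 401, None
    try:
        event = json.loads(body)
        fields = [event[name] for name in REQUIRED]
    except (ValueError, KeyError, TypeError):
        return 400, None
    if not all(isinstance(value, str) for value in fields):
        return 400, None
    event_type, state, app_id, event_time = fields
    if (event_type, state) not in KNOWN_EVENTS:
        return 400, None
    if "/providers/microsoft.solutions/applications/" not in app_id.lower():
        return 400, None
    # Notifications repeat until the caller reads a 200, so the same event can
    # arrive twice: acknowledge a repeat without acting on it again.
    key = (app_id.lower(), event_type, state, event_time)
    if key in seen:
        return 200, None
    seen.add(key)
    return 200, event
```

In a real endpoint `seen` would be durable storage rather than an in-memory set, and the 200 is returned only after the event has been persisted.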
64. Upgrade my plan
I purchased the “Silver” plan previously
I want to upgrade to the “Gold” plan
65. Complete or incremental deployments
Complete
• Deploys all resources defined in ARM
• If selected resource group exists, destroys it and re-installs
• Replaces all resources
Incremental
• If selected resource group exists, deploys only new resources
• Will not overwrite existing resources
• Deploys to the same RG as the original solution
67. Allowing Just In Time (JIT) Access
• Currently in preview
• Give consumers greater control over access to managed resources
• Publisher sends a request for access to troubleshoot or update the managed resources
• JIT is configured per plan
71. Metering Usage
POST https://marketplaceapi.microsoft.com/api/usageEvent?api-version={{ApiVersion}}
Content-Type: application/json
Authorization: Bearer {{access_token}}
{
  "resourceId": "Identifier of the resource against which usage is emitted",
  "quantity": 5.0,
  "dimension": "Dimension identifier",
  "effectiveStartTime": "Time in UTC when the usage event occurred",
  "planId": "Plan associated with the purchased offer"
}
200 Response
{
  "usageEventId": "Unique identifier associated with the usage event",
  "status": "Accepted",
  "messageTime": "Time this message was created in UTC",
  "resourceId": "Identifier of the resource against which usage is emitted",
  "quantity": 5.0,
  "dimension": "Dimension identifier",
  "effectiveStartTime": "Time in UTC when the usage event occurred",
  "planId": "Plan associated with the purchased offer"
}
72. Metering Batch Usage
POST https://marketplaceapi.microsoft.com/api/batchUsageEvent?api-version={{ApiVersion}}
Content-Type: application/json
Authorization: Bearer {{access_token}}
200 Response
{
  "count": 2,
  "result": [
    {
      "usageEventId": "Unique identifier associated with the usage event",
      "status": "Accepted|Expired|Duplicate|Error|ResourceNotFound|ResourceNotAuthorized|InvalidDimension|BadArgument",
      "messageTime": "Time this message was created in UTC",
      "resourceId": "Identifier of the resource against which usage is emitted",
      "quantity": 5.0,
      "dimension": "Dimension identifier",
      "effectiveStartTime": "Time in UTC when the usage event occurred",
      "planId": "Plan associated with the purchased offer",
      "error": "Error object (optional)"
    },
    …
  ]
}
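Since a meter is reported once per hour, raw usage has to be collapsed into one event per dimension per hour before it is sent, and every per-event status in the batch response has to be checked rather than only the HTTP 200. The following is an added example, not code from the slides; `build_usage_events`, `needs_review`, `RECORDED` and `SAMPLES` are hypothetical names, and treating `Duplicate` as already recorded is this example's assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Statuses from the batch response above that need no follow-up. Treating
# "Duplicate" as already recorded is an assumption of this example.
RECORDED = {"Accepted", "Duplicate"}

# Constructed samples: (timestamp, dimension, quantity).
SAMPLES = [
    (datetime(2019, 8, 14, 18, 5, tzinfo=timezone.utc), "dim1", 2.0),
    (datetime(2019, 8, 14, 18, 50, tzinfo=timezone.utc), "dim1", 3.0),
    (datetime(2019, 8, 14, 18, 30, tzinfo=timezone.utc), "dim2", 1.0),
    (datetime(2019, 8, 14, 19, 10, tzinfo=timezone.utc), "dim1", 4.0),
]


def _hour(ts):
    """Truncate an aware timestamp to the start of its UTC hour."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)


def build_usage_events(samples, resource_id, plan_id, now):
    """Collapse raw samples into one event per dimension per closed UTC hour."""
    open_hour = _hour(now)
    totals = defaultdict(float)
    for ts, dimension, quantity in samples:
        if quantity <= 0:
            raise ValueError(f"non-positive quantity for {dimension!r}")
        if _hour(ts) < open_hour:  # the hour in progress is reported later
            totals[(_hour(ts), dimension)] += quantity
    return [
        {"resourceId": resource_id, "quantity": qty, "dimension": dim,
         "effectiveStartTime": hour.strftime("%Y-%m-%dT%H:%M:%SZ"),
         "planId": plan_id}
        for (hour, dim), qty in sorted(totals.items())
    ]


def needs_review(batch_response):
    """Return (dimension, effectiveStartTime, status) for results not recorded."""
    return [
        (r.get("dimension"), r.get("effectiveStartTime"), r.get("status"))
        for r in batch_response.get("result", [])
        if r.get("status") not in RECORDED
    ]
```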
73. Emitting a meter using the REST APIs
https://github.com/microsoft/commercial-marketplace-managed-application-metering-samples
# Get a management token from the managed identity endpoint
$managementTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
$Token = Invoke-RestMethod -Headers @{"Metadata" = "true"} -Uri $managementTokenUrl
# Get instance metadata (subscription ID and resource group name)
$metadataUrl = "http://169.254.169.254/metadata/instance?api-version=2019-06-01"
$metadata = Invoke-RestMethod -Headers @{'Metadata'='true'} -Uri $metadataUrl
# Get AMA details: the resource group's managedBy property is the managed application ID
$Headers = @{}
$Headers.Add("Authorization", "$($Token.token_type) $($Token.access_token)")
$managementUrl = "https://management.azure.com/subscriptions/" + $metadata.compute.subscriptionId + "/resourceGroups/" + $metadata.compute.resourceGroupName + "?api-version=2019-10-01"
$resourceGroupInfo = Invoke-RestMethod -Headers $Headers -Uri $managementUrl
$managedappId = $resourceGroupInfo.managedBy
# Get Marketplace token
$marketplaceTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=20e940b3-4c77-4b0b-9a53-9e16a1b010a7"
$marketplaceToken = Invoke-RestMethod -Headers @{"Metadata" = "true"} -Uri $marketplaceTokenUrl
# Usage timestamp: 65 minutes ago (the last hour minus five minutes), in UTC
$lastHourMinusFiveMinutes = (Get-Date).ToUniversalTime().AddMinutes(-65).ToString("yyyy-MM-ddTHH:mm:ssZ")
$body = @{ 'resourceUri' = $managedappId; 'quantity' = 15; 'dimension' = 'dim1'; 'effectiveStartTime' = $lastHourMinusFiveMinutes; 'planId' = 'userassigned'} | ConvertTo-Json
# Post meter
$Headers = @{}
$Headers.Add("Authorization", "$($marketplaceToken.token_type) $($marketplaceToken.access_token)")
$response = Invoke-RestMethod 'https://marketplaceapi.microsoft.com/api/usageEvent?api-version=2018-08-31' -Method 'POST' -ContentType "application/json" -Headers $Headers -Body $body -Verbose
82. Storage Provider
Labels shown in the diagram:
• Managed Application
• Control Plane
• Data Plane
• Compute Device (three shown)
• Util/Billing Service
• Metrics Repo
Steps shown in the diagram:
• 1. Data Transfer
• 2. Report Usage
• 3. Send Marketplace Meters (hourly)
85. Containers
Labels shown in the diagram:
• Managed Application
• Virtual Machine
• Container Runtime
• Container
• Private Container Registry
• Util/Billing Service
• Authorization Service
• Metrics Repo
• Metered Usage: Per hour / Per Day
Steps shown in the diagram:
• 1. Register the Customer Private Container Registry
• 2. Pull CIS Container Images
• 3. Run the Images
• 6. Send Marketplace Meters (hourly)
86. Custom Resources and Resource Providers
The feature is in preview
Only available in select regions
Works via Service Catalog today
Possible in AMAs today, but requires Swagger integration with Azure APIs
https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider?tabs=azurecli-interactive