Publishing EnAIbler LMS on Microsoft AppSource / Commercial Marketplace means customers can find, buy, and activate it directly — without any manual sales process. Here is the complete step-by-step process to get listed.
1
Create a Microsoft Partner Center Account
Go to partner.microsoft.com and sign up as a publisher. You'll need a valid business email, company details, and a Microsoft account. Complete identity verification — this may take 1–3 business days.
2
Enroll in the Commercial Marketplace Program
Inside Partner Center, go to Account Settings → Programs and enroll in the Commercial Marketplace program. Accept the publisher agreement. This unlocks the ability to create transactable SaaS offers.
3
Create a New SaaS Offer
In Partner Center, go to Commercial Marketplace → Overview → + New Offer → Software as a Service (SaaS). Give it an Offer ID (e.g., enabler-lms) and an Offer Alias. The Offer ID cannot be changed after creation.
4
Configure Offer Setup
Set the offer as transactable (not just listing). Enter your Landing Page URL (e.g., https://enabler.etraininglibrary.com/activate) and your Webhook URL. Connect a Microsoft Entra ID app registration for SSO authentication.
5
Fill in Offer Listing Details
Add the offer name, description (short + long), search keywords, screenshots (min. 1, recommended 5), a logo (216×216 px PNG), support URL, privacy policy URL, and contact details. This is what customers see on AppSource.
6
Define Plans & Pricing
Create at least one plan (e.g., Basic, Pro, Enterprise). For each plan, set: Plan ID, name, description, pricing model (flat rate or per-user), price per month/year, and which markets/regions it's available in.
7
Set Up Your Azure App Registration (for SSO)
In Azure Portal → App Registrations, create a new registration for EnAIbler. Generate a client secret. Copy the Application (client) ID and Tenant ID — you'll link these back into Partner Center under Offer Setup.
8
Build & Deploy the Technical Components
Your landing page, Fulfillment API integration, webhook endpoint, tenant provisioning, and SSO must all be live before you can publish. These are covered in detail in the sections below. Microsoft validates these during review.
9
Test Using a Test Offer
In Partner Center, use the Preview feature to create a test offer. Add your own email as a preview audience and simulate the full purchase → activation → LMS flow without real billing.
10
Submit for Microsoft Review & Publish
Once all sections are complete and marked ✅ in Partner Center, click Review and Publish. Microsoft's team will review technical compliance, listing quality, and policy adherence. Approval typically takes 1–5 business days. After approval, EnAIbler goes live on AppSource.
💡 Quick tip: You can save progress and come back — Partner Center auto-saves drafts. You don't need to complete everything in one session. Start with Steps 1–3 while your technical team works on Steps 7–8 in parallel.
🛒
Sell via Microsoft Marketplace
Customers can find, purchase, and activate EnAIbler LMS directly on AppSource — no manual sales process.
🏢
Multi-Tenant SaaS
Each customer gets their own isolated LMS tenant, auto-provisioned on purchase — zero manual setup per client.
🔑
Microsoft SSO Integration
Customers sign in with their existing Microsoft 365 / Azure AD accounts — frictionless onboarding.
🔄
Automated Lifecycle
Plan changes, suspensions, cancellations, and reinstatements are handled automatically via API — no manual intervention.
💰
Billing by Microsoft
Microsoft handles all billing, currency conversion, and payouts — reducing your billing infrastructure complexity.
🌍
Global Distribution
Reach enterprise customers worldwide instantly through Microsoft's commercial marketplace reach.
The full subscription flow must follow this exact sequence. Every step is required for Microsoft certification.
1
Customer Subscribes on AppSource
Customer browses Microsoft AppSource, selects an EnAIbler plan, and completes purchase. Microsoft generates a unique subscription token.
2
Marketplace Redirects to EnAIbler Landing Page
Microsoft redirects the user to your landing page URL (e.g., https://enabler.etraininglibrary.com/activate) with the subscription token in the URL.
3
Landing Page Validates the Token
Your landing page calls Microsoft's Fulfillment API to resolve and validate the subscription token, extracting customer and subscription details.
4
Tenant is Created or Mapped
If new customer → create a fresh LMS tenant. If existing customer → link to their existing tenant. Store the subscription ID and tenant association.
5
Subscription Activated via Fulfillment API
Your backend calls Microsoft's Activate Subscription API to confirm the subscription is live. This must happen within 10 seconds of the landing page call.
6
User Redirected to Their LMS Tenant
User is redirected to their EnAIbler LMS instance, fully set up and ready to use.
Phase 1
Foundation — Azure Setup & Multi-Tenant Architecture
Estimated effort: 1–2 weeks · Prerequisite for everything else
→
Set up Azure App Service / AKS for EnAIbler hosting
Ensure the app runs on Azure infrastructure. Choose between App Service (simpler) or AKS (more control). Configure Azure SQL / Cosmos DB for data storage.
→
Design the multi-tenant data model
Every table or collection must be scoped to a TenantID. Verify no cross-tenant data leakage is possible at the database query level.
→
Register your app on Microsoft Partner Center
Create a SaaS offer in Partner Center, configure plans, pricing, and set the landing page URL and webhook URL before development begins.
Phase 2
Core Integration — Landing Page, Fulfillment API, Webhook
Estimated effort: 2–3 weeks · The critical certification requirements
→
Build the Marketplace Landing Page
Accept the token parameter, call Resolve API, create tenant, then activate. See Section 05 for full details.
→
Integrate SaaS Fulfillment APIs
Implement all lifecycle endpoints: activate, change plan, suspend, reinstate, cancel. Sync subscription state to your database.
→
Implement the Webhook Receiver
Create an HTTPS endpoint that receives Microsoft notifications for subscription changes and responds within 10 seconds.
Phase 3
Identity & Security — SSO, Auth, Data Isolation
Estimated effort: 1–2 weeks · Required for enterprise readiness
→
Integrate Microsoft Entra ID (Azure AD)
Implement OAuth 2.0 / OpenID Connect. Users sign in with their Microsoft account and land in the correct tenant automatically.
→
Implement user-to-tenant mapping on login
On SSO login, resolve which tenant the user belongs to from the stored subscription association and route them correctly.
→
Audit security: HTTPS, token handling, isolation
Verify all endpoints use HTTPS, API keys are stored in Azure Key Vault (never in code), and tenant isolation is enforced at every layer.
Phase 4
Testing & Launch — End-to-End Validation, Go Live
Estimated effort: 1–2 weeks · Final validation before publish
→
Create a test SaaS offer in Partner Center
Use Microsoft's test offer feature to simulate the full purchase flow without real billing. Run every scenario.
→
Use the Marketplace API Emulator for local testing
The microsoft/Commercial-Marketplace-SaaS-API-Emulator lets you simulate Marketplace API calls locally without connecting to Microsoft's live systems.
→
Verify all checklist items, then publish
Run through the Deployment Checklist (Section 13 of the guide). Submit for Microsoft review. Certification takes 1–3 business days typically.
The landing page is the most critical component. It bridges the Marketplace purchase with your LMS. Microsoft redirects the customer here after purchase.
⚠️ Your landing page URL must be registered in Partner Center before development. The endpoint must be publicly accessible over HTTPS at all times.
GET /activate?token=<marketplace_token>

POST https://marketplaceapi.microsoft.com/api/saas/subscriptions/resolve
    Authorization: Bearer <your_access_token>
    x-ms-marketplace-token: <token>

subscription = response.subscription
tenantId = subscription.beneficiary.tenantId

if tenant_exists(tenantId):
    map_subscription_to_existing_tenant(subscription.id, tenantId)
else:
    create_new_tenant(tenantId, subscription)

POST /subscriptions/<subscription.id>/activate
    planId: subscription.planId

redirect → https://<tenant-slug>.enabler.etraininglibrary.com
Error Handling Requirements
Invalid Token
Return a clear error page. Do not attempt to create a tenant. Log the failed attempt.
Expired Token
Microsoft tokens expire quickly. Show an error and instruct the customer to retry from AppSource.
Provisioning Failure
If tenant creation fails, log the error with full context and alert your ops team. Do not activate the subscription.
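The landing-page flow and the three error-handling requirements above, as an added example (not code from the original page or from Microsoft). `FakeMarketplace`, `TenantStore`, `handle_activate` and the error-page names are hypothetical; the fake stands in for the Resolve and Activate calls so the handler runs offline on constructed data.

```python
import logging

log = logging.getLogger("marketplace.landing")

class TokenRejected(Exception):
    """Resolve refused the token (invalid or expired)."""

class FakeMarketplace:
    """Constructed stand-in for the Resolve and Activate calls; runs offline."""
    def __init__(self, subscriptions_by_token):
        self.by_token, self.activated = subscriptions_by_token, []
    def resolve(self, token):
        if token not in self.by_token:
            raise TokenRejected()
        return self.by_token[token]  # the response's `subscription` object
    def activate(self, subscription_id, plan_id):
        self.activated.append((subscription_id, plan_id))

class TenantStore:
    """Hypothetical in-memory store standing in for the LMS database."""
    def __init__(self, fail_provisioning=False):
        self.tenants, self.subscriptions = {}, {}
        self.fail_provisioning = fail_provisioning
    def create_or_map(self, sub):
        tid = sub["beneficiary"]["tenantId"]
        if tid not in self.tenants:  # new customer: provision exactly once
            if self.fail_provisioning:
                raise RuntimeError("provisioning backend unavailable")
            self.tenants[tid] = "tenant-%d" % (len(self.tenants) + 1)
        self.subscriptions[sub["id"]] = tid  # existing customer: map only
        return self.tenants[tid]

def handle_activate(query, api, store):
    """Return (http_status, redirect_url_or_error_page) for GET /activate."""
    token = query.get("token", "")
    if not token:
        return 400, "error:missing-token"
    try:
        sub = api.resolve(token)  # identity comes from Resolve, never from the URL
    except TokenRejected:
        log.warning("marketplace token rejected by Resolve")  # token value not logged
        return 400, "error:retry-from-appsource"
    try:
        slug = store.create_or_map(sub)
    except Exception:
        log.exception("provisioning failed for subscription %s", sub["id"])
        return 500, "error:provisioning"  # deliberately no activate call
    api.activate(sub["id"], sub["planId"])
    return 302, "https://%s.enabler.etraininglibrary.com" % slug
```

The ordering is the point: the tenant is created or mapped only after Resolve succeeds, and Activate is reached only after provisioning succeeds.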
Your backend must implement handlers for all of these lifecycle events. Microsoft sends them via webhook and expects your system to sync accordingly.
| Event | Method | Your Action | Time Limit |
| --- | --- | --- | --- |
| Activate Subscription | POST | Mark tenant as active, grant access | 10 seconds |
| Change Plan | PATCH | Update subscription tier, adjust feature access | 10 seconds |
| Suspend Subscription | PATCH | Disable tenant access (keep data) | 10 seconds |
| Reinstate Subscription | PATCH | Re-enable tenant access | 10 seconds |
| Cancel Subscription | DELETE | Revoke access, begin data retention period | 10 seconds |
| Resolve Token | POST | Called from landing page to validate token | Real-time |
| List Subscriptions | GET | Used for admin reconciliation | On demand |
💡 Use the .NET Client Library (microsoft/commercial-marketplace-client-dotnet) or test with Postman Collections to validate all lifecycle calls before going live.
Microsoft pushes real-time subscription state changes to your webhook endpoint. Without this, you'd have to poll the API constantly.
1
Create an HTTPS webhook endpoint
Expose a public HTTPS POST endpoint (e.g., /api/marketplace/webhook). Register this URL in Partner Center.
2
Validate the incoming request
Microsoft signs webhook payloads. Verify the JWT token in the Authorization header against Microsoft's public keys before processing.
3
Respond with HTTP 200 immediately
Return 200 OK within 10 seconds. Process the event asynchronously (queue it). Delayed responses cause Microsoft to retry and flag your offer.
4
Process the event asynchronously
Based on the action field (Subscribed, Suspended, Unsubscribed, ChangePlan), update your database and tenant state accordingly.
🆕
New Tenant Creation
On first subscription: allocate a unique tenant ID, create isolated database schema or container, set up default LMS configuration, and send the admin a welcome email.
🔗
Existing Tenant Mapping
If the customer's Azure AD Tenant ID already exists in your system, link the new subscription to their existing tenant instead of creating a duplicate.
🔒
Data Isolation
Every query to the database must filter by TenantID. Use row-level security or separate schemas. Never allow cross-tenant data access — this is a hard Microsoft requirement.
👤
User Association
Map users to their tenant on login using the Azure AD Tenant ID from their SSO token. Store the mapping in your auth layer.
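The Data Isolation rule above, shown as a weak query beside a tenant-scoped one. This is an added example, not code from the original page; the `courses` table, the sample rows and the `TenantScope` class are constructed for illustration, with SQLite standing in for Azure SQL.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data: two tenants sharing one courses table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE courses (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT NOT NULL, title TEXT NOT NULL)")
    db.executemany("INSERT INTO courses (tenant_id, title) VALUES (?, ?)",
                   [("tenant-a", "Onboarding"),
                    ("tenant-a", "Safety 101"),
                    ("tenant-b", "Sales Playbook")])
    return db

def get_course_unscoped(db, course_id):
    """Weak form: filters on the row ID alone, so tenant membership is never checked."""
    return db.execute("SELECT title FROM courses WHERE id = ?",
                      (course_id,)).fetchone()

class TenantScope:
    """Hardened form: every statement carries the session's tenant_id."""
    def __init__(self, db, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._db, self._tenant_id = db, tenant_id

    def get_course(self, course_id):
        return self._db.execute(
            "SELECT title FROM courses WHERE id = ? AND tenant_id = ?",
            (course_id, self._tenant_id)).fetchone()

    def list_courses(self):
        rows = self._db.execute(
            "SELECT title FROM courses WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,))
        return [r[0] for r in rows]

    def rename_course(self, course_id, title):
        cur = self._db.execute(
            "UPDATE courses SET title = ? WHERE id = ? AND tenant_id = ?",
            (title, course_id, self._tenant_id))
        return cur.rowcount  # 0: row is another tenant's or does not exist
```

Writes need the same filter as reads; `rename_course` returning 0 for another tenant's row is the behaviour test T4 should assert.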
1
Register EnAIbler in Azure App Registration
Create an app registration in your Azure AD tenant. Configure redirect URIs, expose API permissions, and generate a client secret (store in Key Vault).
2
Implement OpenID Connect login flow
Users click "Sign in with Microsoft." Your app redirects to https://login.microsoftonline.com/common/oauth2/v2.0/authorize with your client_id and scopes.
3
Extract tenant info from the ID token
The returned JWT contains tid (tenant ID), oid (user ID), and other claims. Use tid to route the user to the correct LMS tenant.
4
Handle first-time vs. returning users
On first login, provision the user record in the LMS tenant. On returning login, update their session and log the event.
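The claim checks behind steps 3 and 4, as an added example rather than code from the original page. It assumes an OIDC library has already verified the ID token's signature against Microsoft's published keys; `route_user`, `TENANT_MAP` and all IDs are constructed placeholders.

```python
import time

AUTHORITY = "https://login.microsoftonline.com"
CLIENT_ID = "example-client-id"  # placeholder for the app registration's client ID
TENANT_A = "11111111-1111-1111-1111-111111111111"  # constructed Entra tenant IDs
TENANT_B = "22222222-2222-2222-2222-222222222222"
TENANT_MAP = {TENANT_A: "acme"}  # tid -> LMS tenant slug, stored at activation

SAMPLE_CLAIMS = {  # constructed claims of an already signature-verified ID token
    "iss": AUTHORITY + "/" + TENANT_A + "/v2.0",
    "aud": CLIENT_ID, "tid": TENANT_A, "oid": "user-oid-1",
    "nbf": 900, "exp": 4500,
}

class LoginRejected(Exception):
    pass

def route_user(claims, client_id, tenant_map, now=None):
    """Return (tenant_slug, oid) or raise LoginRejected."""
    now = time.time() if now is None else now
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise LoginRejected("tid or oid missing")
    # /common accepts any tenant, so the issuer is rebuilt from tid and compared exactly
    if claims.get("iss") != "%s/%s/v2.0" % (AUTHORITY, tid):
        raise LoginRejected("issuer does not match tid")
    if claims.get("aud") != client_id:
        raise LoginRejected("token was issued to another application")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise LoginRejected("token outside its validity window")
    slug = tenant_map.get(tid)
    if slug is None:  # valid Microsoft user, but their organisation never subscribed
        raise LoginRejected("no subscription for this tenant")
    return slug, oid
```

Routing keys on `tid` and `oid` only; the tenant is never taken from a request parameter or from the e-mail domain.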
⚙️
Compute
Azure App Service (easiest start) or AKS for container orchestration. Must be on Azure — other clouds are not accepted by Microsoft for transactable SaaS.
🗄️
Database
Azure SQL (relational) or Cosmos DB (NoSQL). Choose based on your data model. Must support tenant isolation at the data layer.
🗂️
Storage
Azure Blob Storage for uploaded content, media, and documents. Each tenant's files should be in separate containers or folders with scoped access.
🎬
Video / CDN
Azure CDN for video delivery if EnAIbler serves training videos. Reduces latency globally and offloads bandwidth from app servers.
🔐
Key Vault
Store all secrets (Marketplace API keys, client secrets, connection strings) in Azure Key Vault. Never hardcode credentials.
🌐
Custom Domains
Configure custom domain with HTTPS (via Azure-managed certificates or Let's Encrypt) for the landing page and all tenant URLs.
Use Azure Monitor + Application Insights. These events must be logged as a minimum:
Subscription Activation
Log subscription ID, tenant ID, plan selected, timestamp, and success/failure status.
Fulfillment API Calls
Log every call to Microsoft Fulfillment APIs — request, response code, latency, and payload summary.
Tenant Provisioning
Log each provisioning step: tenant created, default data seeded, admin user created, redirect URL generated.
Errors & Exceptions
Capture full stack traces for any failure in the onboarding flow. Alert your team immediately via Azure Alerts.
Webhook Events
Log every incoming webhook — action type, subscription ID, processing status, and response time.
SSO Login Events
Log user login with tenant ID, user OID, and any routing decisions made during login.
All endpoints use HTTPS with valid certificates
Marketplace tokens validated before processing any action
All API keys and secrets stored in Azure Key Vault
Database queries always include TenantID filter (row-level isolation)
Webhook payloads validated via JWT signature verification
No credentials in source code or environment files in repo
CORS configured to allow only known origins
Rate limiting on landing page and API endpoints
Penetration test / security review before go-live
T1
End-to-end subscription flow
Use Partner Center's test offer to complete a full purchase → landing page → activation → LMS redirect cycle with a real Microsoft account.
T2
Landing page edge cases
Test with: expired token, invalid token, missing token, duplicate subscription attempt, and slow network conditions.
T3
All Fulfillment API lifecycle events
Trigger each event (activate, change plan, suspend, reinstate, cancel) using Postman Collections. Verify your database and tenant state update correctly.
T4
Multi-tenant isolation test
Create at least 3 test tenants. Verify that data from Tenant A is completely inaccessible when authenticated as Tenant B or C.
T5
SSO login flow testing
Test login with accounts from different Azure AD tenants. Verify each user lands in the correct LMS tenant and cannot access others.
T6
Use the Marketplace API Emulator
Run microsoft/Commercial-Marketplace-SaaS-API-Emulator locally to simulate all Microsoft API responses without live Marketplace access.
Landing page is live at the registered URL and publicly accessible
Fulfillment APIs fully integrated (all 5 lifecycle events handled)
Webhook endpoint is live and returning 200 within 10 seconds
Tenant provisioning tested with new and existing customer scenarios
SSO login working with Microsoft Entra ID across multiple test tenants
Azure Monitor / Application Insights enabled and capturing events
No critical errors in the activation flow (verified via test offer)
All secrets stored in Azure Key Vault — none in code
Multi-tenant data isolation verified by testing
Error handling in place for all known failure scenarios
Partner Center offer details complete (description, plans, pricing, screenshots)
Technical review with Microsoft partner support (recommended)
🔴
Broken subscription activation — Microsoft will reject the offer. Mitigate: thorough testing with test offer before going live.
🔴
Missing API lifecycle support — Customers can't change plans or cancel cleanly. Mitigate: implement all 5 events, not just activate.
🟠
Broken tenant provisioning logic — Customers get stuck after purchase. Mitigate: build retry logic and ops alerts for provisioning failures.
🟠
SSO failures — Users can't log in at all. Mitigate: test with multiple real Azure AD accounts from different tenants.
🟠
Incomplete error handling — Customers see blank pages or cryptic errors. Mitigate: build friendly error pages for every known failure mode.
🟡
Incorrect token handling — Tokens expire in minutes. Mitigate: validate and act on tokens immediately, never cache them.
Documentation & Tutorials
Getting Started
Mastering the Marketplace — End-to-End SaaS Tutorial
microsoft.github.io
Reference
Create a SaaS Offer in Commercial Marketplace
learn.microsoft.com
Landing Page
Build the Landing Page for a Transactable SaaS Offer
learn.microsoft.com
Fulfillment API
SaaS Fulfillment APIs in the Commercial Marketplace
learn.microsoft.com
Webhook
Implementing a Webhook on the SaaS Service
learn.microsoft.com
Lifecycle
Managing the SaaS Subscription Lifecycle
learn.microsoft.com
Testing
Plan a Test and Development SaaS Offer
learn.microsoft.com
Billing
Metered Billing for SaaS Offers + Metering Service APIs
learn.microsoft.com
GitHub Repositories & Tools
Accelerator
Azure/Commercial-Marketplace-SaaS-Accelerator
Pre-built landing page + admin portal (C#, ASP.NET MVC)
.NET Client
microsoft/commercial-marketplace-client-dotnet
Backend SDK for Fulfillment API integration
Emulator
microsoft/Commercial-Marketplace-SaaS-API-Emulator
Local testing of Marketplace APIs without live connection
Sample
neelavarshad/SaaS-Demo
Sample landing page implementation reference
Samples
commercial-marketplace-solutions/saas-samples
SaaS samples including metered billing engine
Testing
Postman Collections for Marketplace APIs
Trigger and test Fulfillment API calls manually
Publishing success depends on three things done right: the Subscription Activation Flow (landing page + resolve + activate), the Fulfillment API (all 5 lifecycle events), and Tenant Provisioning (isolated, automated, reliable). Everything else — SSO, logging, monitoring, security — supports these three pillars. Build in this order, test end-to-end before submitting, and EnAIbler will be live on Microsoft AppSource.