Publish and release your AI app or agent

Software as a service (Saas) offers

Successfully publishing an AI agent as a SaaS offer on Microsoft Marketplace requires meeting technical prerequisites, configuring cloud infrastructure, ensuring multitenant security, automating deployments, and passing Microsoft's validation. The SaaS checklist highlights essential steps and best practices to get your solution Marketplace-ready.

Container offers

For AI agent solutions delivered as containerized applications (deployed in the customer's Azure subscription via a Microsoft Container offer), many best practices overlap with SaaS, but there are unique considerations. The container checklist covers technical steps for packaging resources, automating deployment via infrastructure-as-code, and meeting Microsoft's requirements for a Kubernetes-based transactable offer.

Security

✔     Multi-tenancy and data isolation

Architect the SaaS for tenant isolation

Choose dedicated resources per tenant, a shared multitenant model with logical separation, or a hybrid approach. Whichever model you select, ensure one customer's data and AI interactions cannot influence or access another's. Use strict tenant IDs in data queries and separate model instances if needed.

Reliability

✔     Infrastructure and deployment automation

Set up robust, automated cloud infrastructure for your SaaS

Use Infrastructure-as-Code (IaC) tools such as ARM/Bicep or Terraform to provision resources like App Services, databases, storage, and Key Vault in a repeatable manner. Implement a continuous integration and continuous deployment (CI/CD) pipeline to deploy code updates reliably across staging and production.

✔     Microsoft Entra ID integration single sign-on (SSO)

Register a multitenant app

In the Microsoft Entra admin center, create an App Registration for your SaaS. Set Supported account types to Accounts in any organizational directory and personal Microsoft accounts (multitenant). Enable External Identities in Entra ID to allow guest users and customers outside your tenant if needed.

✔     Environment isolation for testing

Maintain a staging environment that mirrors production

Use a separate Entra ID tenant or separate app registrations to test the end-to-end purchase flow. Use multitenant configuration and scaled-down resources to validate new releases and Marketplace integration. Microsoft allows 'preview audience' testing; leverage this with your staging setup to simulate real Marketplace transactions and resolve issues in advance.

✔     Secure tenant onboarding (landing page)

This page, configured at the URL in Partner Center, must:

• Require Entra ID authentication: Ensure users sign in with their organizational or Microsoft accounts before proceeding
• Validate Marketplace token: Use the token provided by Marketplace to confirm the purchase and initiate account provisioning in your system
• Call Fulfillment APIs: Integrate Azure Marketplace SaaS Fulfillment APIs (Resolve and Activate) on the backend to complete subscription setup
• Securely Store Identifiers: Capture and protect the customer's Tenant ID and Subscription ID for lifecycle management and compliance

✔     Fulfillment API resilience

Make your use of SaaS Fulfillment APIs and Azure Service Bus calls idempotent and resilient

For example, queue the activation steps and implement retries in case of transient errors when contacting Microsoft's API. If an Activate call fails mid-way, your system should be able to resume or roll back cleanly, ensuring the customer is not left half-provisioned.

✔     License enforcement and webhook handling

Integrate the Marketplace SaaS Fulfillment Webhook for subscription events

Configure an endpoint in your SaaS that listens for events like seat quantity changes, plan upgrades, and cancellations. On receipt, update the customer's entitlements immediately to prevent any revenue leakage. Secure the webhook by validating the JSON web tokens (JWT) and payload to prevent spoofing.

✔     Application health and scalability

Design the SaaS application for robust performance under load

Microsoft's automated checks will test your landing page and APIs. Implement health probes and auto-scaling rules in Azure to handle spikes in usage. This is especially crucial if your revenue model is usage-based. The app should degrade gracefully when dependencies fail. By building in graceful-failure handling and high availability patterns, you ensure the application remains resilient and meets enterprise reliability expectations.

✔     Compliance and data protection

Prepare your SaaS for enterprise compliance requirements

• Implement data encryption at rest and in transit for all customer data
• Detail your use, collection, and storage of customer data to pass Microsoft Marketplace certification checks
• Document your compliance with standards such as SOC 2 Type II, ISO 27001, etc., and any applicable industry-specific restrictions
• Prepare security policy and audit documents to satisfy enterprise customers with security questionnaires

✔     Testing and validation

Test the complete SaaS offer flow end-to-end before publishing

Simulate a customer buying your offer via a Partner Center preview audience. Verify the purchase triggers the webhook or landing page correctly, your backend calls Resolve and Activate, and the customer tenant gets provisioned with appropriate defaults. Test subscription changes: upgrade/downgrade plans, add/remove users (if applicable), and cancellation to ensure your app and the Marketplace stay in sync. Additionally, conduct extensive functional tests on your application.

Performance efficiency

✔     Optimized multi-tenancy resource usage

Tune your multitenant architecture for scalable resource use

Use connection pooling and caching at the service level rather than per-tenant. Implement rate-limiting or workload isolation so one tenant's heavy usage doesn't degrade others. Ensure your AI agent component (e.g., model inference service) can handle parallel requests efficiently: consider batched requests or scaling that component separately.

Cost optimization

✔     Configure the App Service for autoscaling

Configure the App Service for autoscaling

If the SLA allows, scale down off-peak use horizontal scale rules tied to CPU/requests and scheduled profiles for nights/ weekends. Consolidate App Service plans where feasible (hosting multiple apps on one plan) and avoid "Always On" unless required.

✔     Dynamic configuration and tuning

Plan for adjusting and tuning the AI agent's behavior per tenant without redeploying code

Provide a robust admin UI to set configuration parameters, business rules, or AI thresholds. Build in guardrails and validation on these configs, so customers can't choose settings that break the system, like extremely low timeouts or overly large inputs.

✔     Choose cost-effective data SKUs

Make strategic SQL choices

For multitenant SaaS, use Elastic Pools for steadier, pooled workloads; consider serverless only for single databases with intermittent usage (serverless isn't supported in elastic pools).

Watch storage & scaling

Elastic pool billing is per-hour at the configured vCores + max storage; scale cautiously and monitor under-utilization.

✔     Packaging for reuse and scalability

Modularize your solution for straightforward scaling

Containerize stateless components or use Azure Functions for easily scalable parts of the workload. Adding more customers or throughput shouldn't require significant refactoring. You can simply allocate more instances or enable a larger SKU. Use Azure Cache for Redis or Coherence for expensive computations that might be reused across tenants (while still partitioning data).

✔     Set prices to support positive margins

Model your unit economics per tier

For "Basic $500/mo," calculate average Azure resource cost per tenant (App Service plan + SQL + Azure OpenAI tokens + Monitor, etc.) and ensure >0 margin |at typical usage. Use Azure Cost Management exports plus tags/resource groups to attribute costs per tenant or feature. Then, reallocate shared services to consuming tenants using Cost Allocation rules. Cost alerts + budgets. Set Cost Management budgets and anomaly alerts per subscription/resource group; review weekly with a "cost vs. plan" dashboard.

✔     Performance testing and optimization

Conduct pre-launch load testing to identify performance bottlenecks

Use Azure Load Testing or custom scripts to simulate multiple tenants performing AI operations simultaneously. Monitor CPU/memory of each component and response latencies. Optimize any slow points (add indexing if a query is slow) to ensure the application meets expected performance at scale. Performance efficiency is an important factor that may impact customer experience.

✔     Keep track of feature-level costs

Meter high-cost features as add-ons

If an agent capability (e.g., heavy inference or batch processing) is expensive, expose it in higher-priced tiers or meter it as overage using Marketplace Metered Billing dimensions; emit usage with the Metering Service APIs. Use the Metered Billing Accelerator to handle hourly aggregation, write-once rules, and retries.

✔     Partner Center offer configuration

✔     Dynamic scaling and config deployments

✔     Monitoring and alerts

✔     Validation and certification readiness

✔     Launch plan and support

Security

✔     Secure container image

Harden your AI agent's container image and store it in a private Azure Container Registry (ACR)

Use a minimal base image and remove unnecessary packages to reduce the attack surface. Scan for and fix vulnerabilities before publishing. Enable content trust or sign the image digest to ensure integrity.

Reliability

✔     Robust IaC templates

Package your solution with Infrastructure-as-Code templates for reliable deployment

The Azure Container offer requires a complete cloud native application bundle (CNAB) including these templates. Test your ARM/Helm on various scenarios: new resource group vs existing, different region, strict enterprise policies. Templates should deploy all required Azure resources (Azure Kubernetes Service [AKS] config, networking, storage classes) and the container itself with proper configuration. They must be flexible with parameters yet opinionated enough to ensure the app runs successfully.

✔     Infrastructure permissions

Design your Kubernetes deployment with least privilege

In your Helm charts/YAML, avoid requiring cluster-level permissions that enterprises may block. Run pods under dedicated service accounts with minimal RBAC permissions. If your solution needs to create Azure resources (Azure Cognitive Service instance), document those needs and consider using an assigned managed identity.

✔     Deployment validation

Utilize Microsoft's test toolkit or Preview audience to validate container deployment pre-launch

Use Partner Center to publish your container offer privately and test deployment. Verify that the container(s) come up healthy on AKS, all Azure dependencies (Key Vault, App Insights, if included) are properly configured, and the application is functional post-deployment. Microsoft's automated validation will simulate deployment as well. Ensure all required fields in CreateUIDef are present, and the deployment succeeds.

✔     Customer data isolation

Ensure customer data is segregated and protected

Ensure that if your solution pulls any data to your service, each customer's data is segregated and protected. For instance, if usage logs are sent to your cloud for metering, include the customer's subscription ID or other identifier to silo their data, and handle it according to your privacy policy. Document that all customer-specific data stays in their environment unless expressly permitted.

✔     Self-healing and updates

Embed reliability features into the Kubernetes specs

Use liveness and readiness probes for each microservice pod so AKS can auto-restart if something hangs. If your agent depends on external APIs or models, implement retry logic with backoff inside the container so transient failures don't require manual intervention. Plan for regular updates: have a versioning scheme for your container image and charts, and a process for customers to seamlessly apply updates.

Performance efficiency

✔     Resource optimization and sizing

Specify sane default resource requests/limits for your container in the Helm chart

Do not demand a large AKS node unless truly needed. If the AI agent can scale vertically, allow customers to choose a larger node or more cores via a parameter. Efficient resource usage reduces the cost barrier for smaller customers, while larger ones can allocate more for performance. Clearly document the minimum and recommended Azure resources to set performance expectations.

Cost optimization

✔     Efficient use of customer's Azure

Design to minimize Azure resource consumption in the customer's subscription

If your AI agent processes data, consider leveraging the customer's existing data stores or Azure services rather than duplicating. Use Kubernetes features like node autoscaling so that when your agent is idle, the AKS cluster can scale down nodes. Emphasize to customers any built-in cost controls, like the ability to throttle the agent's work to avoid runaway cloud spend.

✔     Auto-scaling support

Configure Kubernetes Horizontal Pod Autoscaler (HPA) in your templates

For example, scale out the agent's deployment when CPU > 70%. This ensures performance is maintained under peak loads automatically. If autoscaling isn't built-in, document how customers can scale the deployment (e.g., increase replica count manually).

✔     Metering and billing alignment

Choose a billing model that matches resource consumption

Azure Container offers support for billing per core, per node, per pod, or custom metering. If your agent is CPU-intensive, a per-core or per-node model ensures your revenue scales with the compute the customer allocates. If it's more aligned to outcomes (e.g., documents processed), implement a custom meter via the Marketplace Metering API. Report usage events from within the container.

✔     External service integration efficiency

Optimize how your containerized agent interacts with external Azure services

Use regional endpoints for AI services. Deploy the container and any Azure AI resource in the same region to minimize latency. Leverage caching for repeated operations within the container. For instance, if the AI agent fetches reference data or ML models at startup, use an Azure Blob or a ConfigMap mounted in the pod rather than re-fetching each time.

✔     ARM template parameterization

Parameterize your ARM templates so customers can use available Azure resources

If your solution can use an existing Azure Key Vault or VNET, provide parameters for those. This reuse can lower the incremental cost for the customer to deploy your solution. Document these options clearly, so cost-conscious IT teams can integrate your deployment with what they have.

✔     Dynamic configuration and extensibility

Provide configuration options

Use environment variables or config files so customers can tune performance-related settings. For example, allow adjusting batch sizes, timeouts, or logging verbosity through values in your Helm chart. All config options should have sensible defaults and be documented.

✔     Transparent cost documentation

Document the estimated Azure costs for running the solution

This transparency sets correct expectations and helps buyers budget for your solution. It can also highlight optimizations, such as "By default, logging is set to minimal to save storage costs; you can increase it if needed." Providing transparent cost information helps customers plan and understand potential resource requirements.

✔     Partner Center setup (container offer)

✔     End-to-end deployment testing

✔     Documentation and support readiness

✔     Compliance and certification

✔     Post-launch operations