Before Enterprise Marketplace users can access data and applications in Azure, ensure Azure has been configured to enable that access.

The Azure account used in Enterprise Marketplace must have a MicrosoftAzureBatch Contributor role set up. If the role does not already exist in the Azure account, the Catalog Admin must manually create this role. See the "Create a custom Role using Azure CLI" tutorial at https://learn.microsoft.com/en-us/ for instructions on setting up a custom role.

If an Azure service offering instance in Enterprise Marketplace uses an existing key vault to store Azure passwords or other secret information, the MicrosoftAzureBatch policy must exist in the key vault access policies. The policy properties for 

enabledForDeployment and enabledForTemplateDeployment

 must be set to the value true.

See the the "Microsoft.Azure.Management.KeyVault Namespace" and "Set-AzureRmKeyVaultAccessPolicy" documentation at https://learn.microsoft.com/en-us/ for more information on how to configure these policy properties.

Before using the Azure AD Graphic API to access Azure Active Directory (AD) information, you must set up access privileges in Azure. Failure to set up these privileges will result in insufficient privileges to complete the operation error. Set up the following permissions in Azure AD:

For details on configuring this access, see the article "Azure Active Directory Graph API" at https://learn.microsoft.com/en-us/.