Hey amazing ISV community !

We’ve got something awesome coming up, and I wanted to get you in the loop! On September 30th, we’re hosting a webinar all about Microsoft incentives for FY 2024-2025, and trust me, this is a must-attend for any ISV out there.

Why this is going to be 🔥:

For ISVs who aren’t transactable yet: This webinar is exactly what you need. We’re talking actionable steps to unlock revenue by getting onto the Marketplace. The final push you need to go from “thinking about it” to seeing real $$.For ISVs who are already transactable: It’s all about doubling down. We’ll show you how to take full advantage of Microsoft’s incentives and commit more to the Marketplace for even bigger returns.

Webinar Details:

Date: September 30thTime:Morning Session: 10:00 AM – 10:30 AM (CEST) [Link to register]Afternoon Session: 6:00 PM – 6:30 PM (CEST) [Link to register]Topic: Strategies for Leveraging Microsoft Incentives in FY 2024-2025

This webinar is tailored to help you understand the various Microsoft Marketplace incentive programs available and how to strategically apply them to drive growth.

Register Here:

[Morning Session] –  EMEA timezone[Afternoon Session] – AMEIRCAs timezone

Looking forward to see you there !

​Hey amazing ISV community !We’ve got something awesome coming up, and I wanted to get you in the loop! On September 30th, we’re hosting a webinar all about Microsoft incentives for FY 2024-2025, and trust me, this is a must-attend for any ISV out there.Why this is going to be 🔥:For ISVs who aren’t transactable yet: This webinar is exactly what you need. We’re talking actionable steps to unlock revenue by getting onto the Marketplace. The final push you need to go from “thinking about it” to seeing real $$.For ISVs who are already transactable: It’s all about doubling down. We’ll show you how to take full advantage of Microsoft’s incentives and commit more to the Marketplace for even bigger returns.Webinar Details:Date: September 30thTime:Morning Session: 10:00 AM – 10:30 AM (CEST) [Link to register]Afternoon Session: 6:00 PM – 6:30 PM (CEST) [Link to register]Topic: Strategies for Leveraging Microsoft Incentives in FY 2024-2025This webinar is tailored to help you understand the various Microsoft Marketplace incentive programs available and how to strategically apply them to drive growth. Register Here:[Morning Session] –  EMEA timezone[Afternoon Session] – AMEIRCAs timezoneLooking forward to see you there !  Read More

​

Hello,

I manage a website thingstoconsidertoday.com. I am trying to update the favicon to our logo, but it does not display on Bing. It displays on Google just fine. 

Any thoughts on how to push this favicon so that Bing updates?

Thanks,

Ryan

​Hello, I manage a website thingstoconsidertoday.com. I am trying to update the favicon to our logo, but it does not display on Bing. It displays on Google just fine.  Any thoughts on how to push this favicon so that Bing updates? Thanks,Ryan  Read More

​

Good morning to everyone.
I have a couple of questions that I hope you can help me resolve. These questions are related to Exchange Server 2013 (I know that this product is out of support and that is why we are migrating it to Exchange Server 2019).
This is my scenario:
I have a main site with 2 Exchange Server 2013 CU10 servers, I have a site with 1 Exchange Server 2013 CU23 server, I have another site with 1 Exchange Server 2013 CU23 server. The main idea is to migrate all mail servers to Exchange Server 2019.
These are the questions:
1. Is it possible to install a new server with Exchange Server 2019 on the main site without upgrading the remaining servers with Exchange Server 2013 to CU23?
2. What will happen to the mail flow after installing the new server with Exchange Server 2019? Will the main server with Exchange Server 2013 continue to manage the internal and external mail flow? Or will the new server with Exchange Server 2019 manage the mail flow?
3. In case the new server with Exchange Server 2019 is the one that manages the mail flow, is there a possibility that the server with Exchange Server 2013 will manage the mail flow until the migration is finished?
Thank you for your time and collaboration

​Good morning to everyone.I have a couple of questions that I hope you can help me resolve. These questions are related to Exchange Server 2013 (I know that this product is out of support and that is why we are migrating it to Exchange Server 2019).This is my scenario:I have a main site with 2 Exchange Server 2013 CU10 servers, I have a site with 1 Exchange Server 2013 CU23 server, I have another site with 1 Exchange Server 2013 CU23 server. The main idea is to migrate all mail servers to Exchange Server 2019.These are the questions:1. Is it possible to install a new server with Exchange Server 2019 on the main site without upgrading the remaining servers with Exchange Server 2013 to CU23?2. What will happen to the mail flow after installing the new server with Exchange Server 2019? Will the main server with Exchange Server 2013 continue to manage the internal and external mail flow? Or will the new server with Exchange Server 2019 manage the mail flow?3. In case the new server with Exchange Server 2019 is the one that manages the mail flow, is there a possibility that the server with Exchange Server 2013 will manage the mail flow until the migration is finished?Thank you for your time and collaboration  Read More

​

​Hello All: I recently created an end date as a calculated field in Microsoft SharePoint List. The calcuation’s data type returned is the date and time format. I want to use this new end date as an actual end date in my SharePoint Calendar view. Unfortunately, the end date does not appear in the calendar view drop down because it is not considered a “Date and Time” type. How do I convert my newly calculated end date to the Type “date and time” so that it will appear in the Calendar view end date drop down menu? This calculation works in the classic sharepoint , but renders no value in the modern SharePoint. I did see a similar request from Waqas in February 6, 2024. The response from Sophia Papadopoulos does not work. Also, the Microsoft Moderator offered a response that was not helpful.  See below:”We went through your post carefully and do understand your great idea of importing the calculated end date as an actual date into a calendar to arrange tasks efficiently. But we are really sorry to convey that it seems like we also failed to achieve it from our tests. Given this situation, I sincerely recommend you use Feedback Community to suggest this feature limitation and add your valuable idea in the SharePoint Feedback Community (microsoft.com) which is the best place to share ideas directly with the product building team and improve the Microsoft Products. ” Does anyone have a work-around to this issue?  Please let me know. It is amazing how the end date calucation is able to be picked up by the calendar view in the Classic version and not the Moderate version.  I look forward to your  help.  Thank you.  BW  Read More

​

QR codes are gaining popularity as an easy way to access information for services and products. While QR codes are often used as convenient shortcuts, they can also be used by cybercriminals to trick users into accidentally scanning QR codes and expose themselves to risks. Understanding the dangers of QR codes, such as being redirected to fake websites or downloading malware, is crucial. Education enables users to check if QR codes are genuine, examine destination URLs, and use reliable apps for scanning. In the ongoing fight against phishing, informed end users become an important line of defense, preventing possible threats and strengthening their organization’s resilience.

Recently, we have observed a new trend in phishing campaigns that leverage QR codes embedded in emails to evade detection and trick users into visiting malicious links. To help our customers defend against this emerging threat, Microsoft Defender for Office 365 has introduced several enhancements to its prevention capabilities that can detect and block QR code-based attacks. Check out this blog to learn more about QR codes and how Defender for Office 365 is protecting end users against such attacks: Protect your organizations against QR code phishing with Defender for Office 365

We also introduced several enhancements to its investigation, hunting and response capabilities to help security teams to hunt and respond to such threats. Read more about these enhancements here: Hunting and responding to QR code-based phishing attacks with Defender for Office 365

In addition to prevention, detection, and investigation capabilities, we are excited to share that Microsoft Defender for Office 365 has also made several updates to its simulation and training features.

As part of the simulation enhancements, you will now be able to perform the following tasks:

Running a simulation with QR codes and tracking user response
Utilizing out of the box Global payloads and creating a custom payload with QR codes
Utilizing training content through video modules and how to guides

Running a simulation

There is no change in running a simulation. The current flow which involves selection of users, selection of payload, scheduling training, and notifications is also applicable for QR code-based simulations. Within simulations, you can select payloads with QR codes and use them for simulation.

Currently configuring payloads with QR codes and use of these payloads in a simulation is applicable to the Email platform and for the attack techniques below. Support for Teams platform and Link in Attachment, and attachment malware techniques will follow later. 

Credential harvest
Link to malware 
Drive by URL
OAuth consent grant

Given that QR codes are another vector for the phishing URL, the user events around read/delete/compromises/clicks remain the same—if a user is navigating to the URL after scanning the QR code, then it is tracked as a click event. The existing mechanisms for tracking compromise, deletes, and report events remain the same.

Global and Tenant Payloads

Global payloads

Our payload library now includes 75 payloads in five languages, addressing various real-world scenarios involving QR code attacks. These payloads can be found in the Content Library- Global Payloads, each beginning with QR code payloads (for example, QR code payloads: Prize Winner Notification). You can locate these by typing “QR” in the search bar.

Before implementing these payloads in your simulations, we advise examining their different fields and contents thoroughly.

Image: Attack simulation trainings library

Tenant payloads

You can create a custom payload by duplicating the existing global payloads or creating a payload from scratch. Within the payload editing experience, you can insert QR codes using Dynamic Tags (Insert QR code) or formatting controls (QR code icon). You have the options to select the size and position of the QR code.

Image 1: Insert QR code dropdown

Image 2: Insert QR code

Image 3: Insert QR code menu

Image 4: Payload configuration and preview

The QR code that is generated will map to the phishing URL that is selected by you while configuring the payload in the payload wizard. When this payload is used in simulation, the service will replace the QR code with a dynamically generated QR code, to track click and compromise metrics. The size, position, and shape of the QR code would match the configuration of the QR set by you in the payload. 

Training content

We have provided two mechanisms for learning about QR based attacks: How-to guides, and new training modules from our content partner.

How-to guides

How-to guides are designed to provide lightweight guidance to end users on how to report a phishing message directly through email. By delivering these guides directly to the end user’s inbox, we can ensure that the end user has the information they need to confidently report any suspicious emails.

You can filter for the How-to Guide through either:

Filtering by Technique = How-to Guide
Search by name = ” Teaching Guide: How to recognize and report QR phishing messages

Image 5: Teaching guides

Out-of-the-box trainings

Within the trainings list (Content Library- Training Modules), we have added a new training called Malicious Digital QR Codes, which is a short learning to educate on what to do when a user receives a QR code in the email. You can assign the training as part of a simulation or use training campaigns to assign the training to your users.

Image 6: Out of the box training configuration

Image 7: Out of the box training preview

More information

More details around trainings are covered in this blog: Train your users to be more resilient against QR code phishing.
Review the documentation to learn more about the feature.
Note: As part of these changes, we will also be deprecating the alternative service, along with the GitHub repo.
Get started with attack simulation today.
Learn more about our latest features in Attack Simulation Training. 

If you have other questions or feedback about Microsoft Defender for Office 365, engage with the community and Microsoft experts in the Defender for Office 365 forum.

​Microsoft Tech Community – Latest Blogs –Read More 

If you work in smartcard federated authentication environments, here’s a much-anticipated security feature for you. Starting with the September 10, 2024 Windows security update, you can use strong name-based mapping on Windows Server 2019 and newer. This feature helps you with the hardening changes for certificate-based authentication on Windows domain controllers. 

What are weak and strong mappings in Active Directory? 

All certificate names must be correctly mapped onto the intended user account in Active Directory (AD). If there’s a likelihood that they aren’t, we call these mappings weak. Weak mappings give rise to security vulnerabilities and demand hardening measures such as Certificate-based authentication changes on Windows domain controllers.  

Following up on our May 2022 round of updates to address these vulnerabilities, we’re introducing a new feature called strong name-based mapping. You can now distinguish between “strong” and “weak” mappings within existing Alternative Security Identities (AltSecIDs) based on likelihood. With the new feature, you can allow some weak name-based mappings to be treated as strong name-based mappings. You just need to properly configure both the public key infrastructure (PKI) and the AD deployment. 

Key features and benefits of strong name-based mapping 

Strong name-based mapping has two main benefits: 

Compliance with strong certificate mapping enforcement. Strong name-based mapping allows certain weak certificate mappings, such as Issuer/Subject AltSecID and User Principal Names (UPN) mappings, to be treated as strong mappings. This type of strong mapping is compatible with the enforcement mode of certificate-based authentication changes on Windows domain controllers.  
Compatibility with government PKI deployments. Strong name-based mappings work by asking PKI deployments to attest certain security guarantees of certificates via object identifiers (OIDs) stamped on the certificate. It’s a common practice among government PKI and AD deployments.  

Security requirements for PKI deployments for strong name-based mapping 

Warning  

Unless you have a strong need for this type of deployment AND have a deep knowledge of how PKI deployments and AD authentication interact together, we DO NOT recommend deploying strong name-based mapping. We instead recommend that you following the guidance in KB5014754: Certificate-based authentication changes on Windows domain controllers.  

Fundamentally, strong name-based mapping deployment is your promise to Microsoft that your PKI is not susceptible to the attacks addressed by May 2022 and later updates. Namely, you take responsibility for the vulnerabilities that can arise from any unintentional mapping of the names in a certificate to multiple AD accounts. 

To prevent unintentional and unsafe mappings, we recommend that you take steps to strengthen your PKI and AD deployments. Some of these steps include:  

Names used in either the Subject Name and/or the Subject Alternative Name of certificates MUST NOT contain names that are queried and/or built from AD. 
Names used in either the Subject Name and/or the Subject Alternative Name of certificates MUST be both immutable and globally unique to the entire PKI deployment.  
AD and PKI administrators must ensure that certificate issuance for logons is not automatic. Instead, ensure that strong manual checks are in place to prevent a certificate with an incorrect or clashing name from being issued.  

Failing to secure your PKI and AD deployments can degrade the security of your environment.  

If your PKI meets or exceeds these security requirements, you MUST add an OID in the Issuance Policy of the certificate to denote this compliance. This OID (or multiple OIDs) will be used further below in the strong name-based mapping configuration.  

Setup instructions 

To enable strong name-based mapping on Windows Server 2019 and later, you need to take the following steps: 

Enable the Group Policy (GPO) Setting on the Domain Controllers: 
Computer Configuration > Administrative Template > System > KDC > “Allow name-based strong mappings for certificates”.  
Configure the GPO with the necessary tuples (more details below). 

This configuration relies on adding tuples to the GPO when strong name-based mapping is enabled. These tuples tell the Domain Controller which certificates meet the above security requirements by specifying both the Issuer certificate authority (CA) thumbprint and the OID(s) that denote that the PKI deployment is secured against the May 2022 vulnerabilities. Furthermore, the tuples also configure which “weak” name-based mappings can be upgraded to “strong” name-based mappings.  

The tuple is in the following format: 
 
<Issuer CA Certificate Thumbprint>;<OID(s)>;<IssuerSubject/UpnSuffix=()> 

Issuer CA Certificate Thumbprint: This is the certificate thumbprint of the Issuing CA. There can only be one Issuer CA Thumbprint in this field. If multiple Issuer CA Thumbprints are placed, it can prevent proper processing of the GPO policy. 
OID(s): This is a comma-separated list of OIDs that the PKI deployment has stamped on the certificate to attest that the security requirements against name collisions have been met. There can be multiple OIDs denoted in this field.  
IssuerSubject/UpnSuffix: This is a comma-separated list to denote what type of weak mapping should be treated as strong: 

IssuerSubject: This string behaves as a tag to denote that the Issuer/SubjectName AltSecID can be upgraded from “weak” to “strong.” There can only be one IssuerSubject tag in this field.  
UPNSuffix: This string denotes that certificate mappings can be upgraded form “weak” to “strong” wherever the UPN suffix of the SubjectName (that is, everything that comes after the @ symbol) matches the suffix in the tuple exactly. There can be multiple UPN suffixes in this field.  

The logic of the tuple is the following. For certificates whose Issuer is X that has any of the OID(s) Y, upgrade any of the weak mappings C to “strong.” This logic is summarized in the diagram. 

Flow chart illustrating the logic of strong name-based mapping configuration. The chart starts with a decision diamond asking if the certificate’s Issuer Certificate Thumbprint matches the specified thumbprint. If yes, it proceeds to check if the certificate has any of the specified OIDs. If both conditions are met, it allows a strong mapping for the certificate based on either Issuer/SubjectName AltSecID or UPNSuffix, depending on the configuration.

Two important configuration details are required for UPN Suffix mapping to work: 

Certificates must have the UPN of the user in the SAN. 
Mapping via UPNs has not been disabled via UseSubjectAltName. 

How to use and understand policy tuples: a walkthrough 

Policy tuple example 1 

Use this policy tuple to allow a strong mapping via Issuer/SubjectName AltSecID. 

fe40a3146d935dc248504d2dcd960d15c4542e6e; 2.16.840.1.101.3.2.1.3.45;IssuerSubject 

For certificates whose Issuer Certificate Thumbprint is fe40a3146d935dc248504d2dcd960d15c4542e6e, and 
The certificate has the OID 2.16.840.1.101.3.2.1.3.45, 
Allow a strong mapping if the certificate is mapped via Issuer/SubjectName AltSecID. 

This tuple would allow a certificate logon which passes checks (1) and (2) issued to the user Bob, if the AD object for Bob has the Issuer/SubjectName AltSecID correctly configured for the certificate.  

Policy tuple example 2 

Use this policy tuple to allow a strong mapping via a specified UPNSuffix. 

fe40a3146d935dc248504d2dcd960d15c4542e6e; 2.16.840.1.101.3.2.1.3.45;UPNSuffix=corp.contoso.com 

For certificates whose Issuer Certificate Thumbprint is fe40a3146d935dc248504d2dcd960d15c4542e6e, and 
The certificate has the OID 2.16.840.1.101.3.2.1.3.45, 
Allow a strong mapping if the certificate is mapped via UPNSuffix, which should be “corp.contoso.com.”  

This tuple would allow a certificate logon which passes checks (1) and (2) issued to the user Bob, if the AD object for Bob has the Issuer/SubjectName AltSecID correctly configured for the certificate.  

Policy tuple example 3 

Use this policy tuple to allow a strong mapping via any of the approved specifications. 

fe40a3146d935dc248504d2dcd960d15c4542e6e; 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.44;UPNSuffix=corp.contoso.com,UPNSuffix=my.corp.contoso.com,IssuerSubject 

For certificates whose Issuer Certificate Thumbprint is fe40a3146d935dc248504d2dcd960d15c4542e6e, and 
The certificate has ANY of the following OIDs: 

2.16.840.1.101.3.2.1.3.45 
2.16.840.1.101.3.2.1.3.44 

Allow a strong name-based mapping if the certificate is mapped via either of the following: 

The user account in AD has a valid Issuer/SubjectName AltSecID mapping 
UPNSuffix, where the suffix is “corp.contoso.com” 
UPNSuffix, where the suffix is “my.corp.contoso.com” 

Event Log changes 

Two Event Log updates are here to help you as an AD administrator better troubleshoot strong name-based mapping scenarios. These are available to you with the September 10, 2024 and later updates. 

Updates to current event logs 

The current event logs now include policy OIDs found on the certificate used for authentication. This modifies the Key Distribution Center (KDC) events introduced by the May 10, 2022 and later updates.  

New event logs 

Additionally, a new event is available to log when the strong name-based mapping GPO encounters an issue processing the policy tuples. Track these events through Event ID 311. 

Event Log 

Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational 

Event Type 

Error 

Event Source 

Kerberos-Key-Distribution-Center 

Event ID 

311 

Event Text 

The Key Distribution Center (KDC) encountered invalid certificate strong name match policy. 

Faulting line: <line number> 

Ready to improve Windows Server security? 

We’re excited to bring this feature to your government scenario. Consider strong name-based mappings on Active Directory and PKI deployments in Windows Server 2019 or later if you meet the security requirements and recommendations. If you have any questions or need assistance, our support team is here to help. 

Continue the conversation. Find best practices. Bookmark the Public Sector Tech Community, then follow us on the Public Sector Blog for updates. 

​Microsoft Tech Community – Latest Blogs –Read More 

Inspektor Gadget is a set of tools and a framework enabling observability of Kubernetes clusters and Linux hosts using  eBPF.
You can use the framework to create your own tools, _i.e._ gadgets, which are packaged as OCI images, enabling you to easily share them with other users.
Inspektor Gadget handles the enrichment of low-level data, like disk I/O to higher level ones, like container names.

Azure Linux is an open source Linux distribution developed by Microsoft.
It is the predominant Linux distribution for first-party Microsoft services and is also available for customers via, among others, Azure Kubernetes Service (AKS).

Recently, the Azure Linux team officially released its version 3.
Starting with this version, Inspektor Gadget is available in the official repository and can be installed by simply calling `dnf`.
This is a big improvement, as previously users had to download the RPM package available in our release pages themselves before proceeding with the installation.
Let’s now deploy an Azure Linux 3 VM to install and use Inspektor Gadget, specifically the `trace exec` gadget to monitor the corresponding syscalls:

# Let’s set some variables we will use to deploy the Azure Linux VM.
you@home$ resource_group=’azure-linux-3′
you@home$ vm=’azure-linux-3-vm’
you@home$ admin=’testadmin’
you@home$ image=’MicrosoftCBLMariner:azure-linux-3:azure-linux-3:latest’
# Let’s now create the resource group and the VM inside it.
you@home$ az group create –name $resource_group –location westeurope
…
you@home$ az vm create –resource-group $resource_group –name $vm –image $image –admin-username ${admin} –generate-ssh-keys –security-type Standard
…
you@home$ ip=$(az vm show –resource-group $resource_group –name $vm -d –query ‘[privateIps]’ –output tsv)
# We can now connect to the VM through ssh.
you@home$ ssh $admin@$ip
testadmin@azure-linux-3-vm [ ~ ]$ cat /etc/os-release
NAME=”Microsoft Azure Linux”
VERSION=”3.0.20240727″
ID=azurelinux
VERSION_ID=”3.0″
PRETTY_NAME=”Microsoft Azure Linux 3.0″
ANSI_COLOR=”1;34″
HOME_URL=”https://aka.ms/azurelinux”
BUG_REPORT_URL=”https://aka.ms/azurelinux”
SUPPORT_URL=”https://aka.ms/azurelinux”
# Let’s install ig!
testadmin@azure-linux-3-vm [ ~ ]$ sudo dnf install -y ig
Last metadata expiration check: 0:03:01 ago on Thu Aug 22 08:31:41 2024.
Dependencies resolved.
=========================================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================================
Installing:
ig x86_64 0.30.0-1.azl3 azurelinux-official-base 18 M

Transaction Summary
=========================================================================================================================================
Install 1 Package

Total download size: 18 M
Installed size: 69 M
Downloading Packages:
ig-0.30.0-1.azl3.x86_64.rpm 3.2 MB/s | 18 MB 00:05
—————————————————————————————————————————————–
Total 3.2 MB/s | 18 MB 00:05
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : ig-0.30.0-1.azl3.x86_64 1/1

Installed:
ig-0.30.0-1.azl3.x86_64

Complete!
testadmin@azure-linux-3-vm [ ~ ]$ ig version
v30.0.0
# Let’s run a simple loop spawning some processes.
testadmin@azure-linux-3-vm [ ~ ]$ while true; do date > /dev/null; sleep 1; done &
[1] 2035
# Let’s trace the exec syscall with the corresponding ig tool.
testadmin@azure-linux-3-vm [ ~ ]$ sudo ig trace exec –host
RUNTIME.CONTAINERNAME PID PPID COMM PCOMM RET ARGS
2127 2035 date bash 0 /usr/bin/date
2128 2035 sleep bash 0 /usr/bin/sleep 1
2129 2035 date bash 0 /usr/bin/date
2130 2035 sleep bash 0 /usr/bin/sleep 1
^C
testadmin@azure-linux-3-vm [ ~ ]$ kill 2035

As you can see, ig was able to report the exec() syscalls done to run date and sleep!
This way, you can use the tool to diagnose and troubleshoot AzureLinux host processes as well as processes running in containers!

This work would not have been possible without the help from the AzureLinux team, particularly Christopher Co and Muhammad Falak R. Wani.
We thank them for making it possible!

​Microsoft Tech Community – Latest Blogs –Read More 

We are discussing the Private offer configuration and prerequisites and looking for a bit of clarity.

We established that a public plan required based on the prerequisites mentioned in the following links:

https://learn.microsoft.com/en-us/partner-center/marketplace-offers/isv-customer

https://microsoft.github.io/Mastering-the-Marketplace/partner-center/pdfs/01.1-isv-private-offer-overview.pdf .

According to the above links, associating a private offer with a Private Plan is out of question. The benefit of a private offer is to offer a discounted rate which based on the already created public plan (does not make sense creating a private offer if the ISV is going to offer the full public plan price) and possibly associated it with specific terms and conditions different from the one already associated with the public plan.  

My questions:

Is the Public plan the only plan to use with the private offer? 

Some ISVs do not want to have their offer publicly available (only wants to work with specific type of clientele). If public plan is the only type of plan to associate the private offer with, it won’t be useful for the ISV. Because anyone can see the public plan and purchase the solution. 

Validation required every time a new plan created. In the case of a private offer, the offer will be associated with an already existing public plan (if no transactable offer in place, when an offer and a public plan created, a validation required in this case). Will validation kick in in this scenario?

A: 

yes, a public plan is required and is the only way to issue a private offer. Anyone can potentially purchase that plan but the ISV still needs to activate the plan for the purchase to complete – However, if the ISV does not activate, the subscription automatically expires in 30 days – so really no action is necessary (they don’t need to decline – they can just ignore). As a plus side, you can treat those purchases as leads, and choose to interact with the customer and see if this can translate in an actual sale. Additionally, please note that a private offer is not just a discount to a public plan, it can also be an absolute price – so the public plan can be set to $1 as to not divulge the anything about the ISV pricing – and then the actual price can be entered in the private offer only
You can create multiple private offers based on the same public plan, so you do not need to create a public plan for every sale. The sales cycle for the private offer is very fast – usually takes 15 minutes to configure and issue a private offer – no validation, certification required.

​We are discussing the Private offer configuration and prerequisites and looking for a bit of clarity.
We established that a public plan required based on the prerequisites mentioned in the following links:
https://learn.microsoft.com/en-us/partner-center/marketplace-offers/isv-customer
https://microsoft.github.io/Mastering-the-Marketplace/partner-center/pdfs/01.1-isv-private-offer-overview.pdf .
 
According to the above links, associating a private offer with a Private Plan is out of question. The benefit of a private offer is to offer a discounted rate which based on the already created public plan (does not make sense creating a private offer if the ISV is going to offer the full public plan price) and possibly associated it with specific terms and conditions different from the one already associated with the public plan.  
 
My questions:

Is the Public plan the only plan to use with the private offer? 

Some ISVs do not want to have their offer publicly available (only wants to work with specific type of clientele). If public plan is the only type of plan to associate the private offer with, it won’t be useful for the ISV. Because anyone can see the public plan and purchase the solution. 

Validation required every time a new plan created. In the case of a private offer, the offer will be associated with an already existing public plan (if no transactable offer in place, when an offer and a public plan created, a validation required in this case). Will validation kick in in this scenario?

 
A: 

yes, a public plan is required and is the only way to issue a private offer. Anyone can potentially purchase that plan but the ISV still needs to activate the plan for the purchase to complete – However, if the ISV does not activate, the subscription automatically expires in 30 days – so really no action is necessary (they don’t need to decline – they can just ignore). As a plus side, you can treat those purchases as leads, and choose to interact with the customer and see if this can translate in an actual sale. Additionally, please note that a private offer is not just a discount to a public plan, it can also be an absolute price – so the public plan can be set to $1 as to not divulge the anything about the ISV pricing – and then the actual price can be entered in the private offer only
You can create multiple private offers based on the same public plan, so you do not need to create a public plan for every sale. The sales cycle for the private offer is very fast – usually takes 15 minutes to configure and issue a private offer – no validation, certification required.

   Read More

​