Block Self service Purchase using PowerShell

How to Block Self-Service Purchase for Power Platform Products Using PowerShell

Recently Microsoft announced Self-service purchase capabilities for Power Platform products (Power BI, PowerApps, and Flow). 

Self-service purchase capability arrives automatically and enabled by default. Due to this change, individuals within the organization can buy subscriptions directly without contacting their IT department. Self-service purchasers are responsible for their own billing information, subscriptions, and license management.  

In some cases, this change might be useful since the end-user doesn’t need to wait weeks/months to get approval/license from the IT department. 

Through Self-service purchase, IT administrators lose their control over who could purchase and install Office 365. This also creates challenges in controlling data sprawling, compliance, and protection issues. Since Self-service purchase encourages Shadow IT, IT administrators are not gratified due to this change. 

The self-service purchase capabilities will start rollout from January 14, 2020. But Microsoft is providing the setting to toggle self-service purchase before it rolls out, as most Admins would want to disable it 😉. So, it’s good to disable the self-service purchase capabilities now, if you decide to turn off this setting for your organization.

Block Self-service Purchase for Power Platform Product using PowerShell:

Currently, there is no user interface solution to disable Self-service purchase in Office 365. You need to use PowerShell to block Self-service purchase.

Microsoft has created a PowerShell module ‘MSCommerce‘ particularly for this. At present, we need to disable self-service purchases for each power product separately. Microsoft is yet to release a global switch to turn off. 

If Microsoft releases any new power product in future, then we might need to disable the self-service purchase capability!  

The MSCommerce PowerShell module has the following capabilities currently. 

  • View the Self-service purchase status for your tenant.  
  • View the list of power products along with its self-service purchase status.
  • Modify the self-service purchase option for each power products. 

Install MSCommerce PowerShell Module: 

Microsoft recommends using the PowerShell module in a Windows 10 device. 

Install-Module -Name MSCommerce 
Import-Module -Name MSCommerce 
Connect-MSCommerce 

Note: To execute the cmdlet you need to be either Global or Billing admin.

1. Verify Self-service Purchase Status:

Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase 

2. View the list of Power Products and its Self-service Purchase Status:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase 

3. Change the Self-Service Purchase Status for Power Products: 

Currently Microsoft offers 3 products under power platform. If you want to disable the self-service purchase for all three platform you need to execute the cmdlet for each product.  

To disable self-service purchase for Power Apps 

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0P -Enabled $False  

 
To disable self-service purchase for Power Automate

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $False 

To disable self-service purchase for Power BI

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0L3PB -Enabled $False

Script to Disable Self-service Purchase for All Power Products.

If all you wanted to disable the self-service purchase option for all power products currently available, then just run the code below.  

Install-Module -Name MSCommerce #once you install you should remove this line
Import-Module -Name MSCommerce 
Connect-MSCommerce #sign-in with your global or billing administrator account when prompted
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | Where { $_.PolicyValue -eq “Enabled”} | forEach { 
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductID -Enabled $false  }

More information about MSCommerce PowerShell module can be found here.

Troubleshooting Tip:

Error:

HandleError : Failed to retrieve policy with PolicyId ‘AllowSelfServicePurchase’, ErrorMessage – The underlying connection was closed: An unexpected error occurred on a send.

Solution:

This error is due to an older version of Transport Layer Security (TLS). Please use TLS 1.2 or greater.
Upgrade to TLS 1.2: https://docs.microsoft.com/configmgr/core/plan-design/security/enable-tls-1-2

5 comments / Add your comment below

  1. I am wondering because as a normal user in Portal.azure.com ** I believe** I can see the Self Service Options TODAY – but i cannot turn them off with powershell. Connect-MSOl, get-msoluser work.. Commerce -> installs, imports, connects, but listing any other commands yields a “Retrieve Policy Error”:
    >> Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase
    HandleError : Failed to retrieve policy with PolicyId ‘AllowSelfServicePurchase’, ErrorMessage – The underlying connection was closed: An unexpected error occurred on a send. ErrorDetails –
    At C:\Program Files\WindowsPowerShell\Modules\MSCommerce\1.2\MSCommerce.psm1:176 char:5
    + HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retri …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,HandleError
    **************************************************************************
    Catch from PSM1 is “HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retrieve policy with PolicyId ‘$PolicyId'””
    **************************************************************************
    This might not work on EDUCATION skus, and the screen I believe is self service as a normal user: It asks if i want to start a trial or specify billing information, if i want to do something like Spin up a machine, database, etc.

      1. I can confirm that I still get this error even with TLS 1.2. I’m able to connect in to every other O365 sub-service with Powershell except this one.

        1. Yes, few people are reporting that the MS-Commerce script is not working even after TLS upgrade.

          Until we get the fix or more detailed error message, I request you to try to execute in some other system.

Leave a Reply

Your email address will not be published. Required fields are marked *

How to Block Self-Service Purchase for Power Platform Products Using PowerShell

time to read: 3 min
Follow us!