Block Self service Purchase using PowerShell

How to Block Self-Service Purchase for Power Platform Products Using PowerShell

Recently Microsoft announced Self-service purchase capabilities for Power Platform products (Power BI, PowerApps, and Flow). 

Self-service purchase capability arrives automatically and is enabled by default. Due to this change, individuals within the organization can buy subscriptions directly without contacting their IT department. Self-service purchasers are responsible for their own billing information, subscriptions, and license management.

In some cases, this change might be useful since the end-user doesn’t need to wait weeks/months to get approval/license from the IT department. 

Through self-service purchase, IT administrators lose control over who can purchase and install Office 365. This also creates challenges around data sprawl, compliance, and protection. Since self-service purchase encourages shadow IT, IT administrators are not pleased with this change.

The self-service purchase capabilities will start rolling out from January 14, 2020. However, Microsoft is providing the setting to toggle self-service purchase before the rollout, as most admins would want to disable it 😉. So, if you decide to turn off this setting for your organization, it's good to disable the self-service purchase capabilities now.

Block Self-service Purchase for Power Platform Products using PowerShell:

Currently, there is no user interface solution to disable Self-service purchase in Office 365. You need to use PowerShell to block Self-service purchase.

Microsoft has created a PowerShell module, ‘MSCommerce’, specifically for this. At present, we need to disable self-service purchases for each power product separately; Microsoft has yet to release a global switch to turn it off.

If Microsoft releases a new power product in the future, we might need to disable the self-service purchase capability for it as well!

The MSCommerce PowerShell module has the following capabilities currently. 

  • View the Self-service purchase status for your tenant.  
  • View the list of power products along with their self-service purchase status.
  • Modify the self-service purchase option for each power product.

Install MSCommerce PowerShell Module: 

Microsoft recommends using the PowerShell module on a Windows 10 device.

Install-Module -Name MSCommerce 
Import-Module -Name MSCommerce 
Connect-MSCommerce 

Note: To execute the cmdlets, you need to be either a Global or Billing admin.

1. Verify Self-service Purchase Status:

Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase 

2. View the list of Power Products and their Self-service Purchase Status:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase 

3. Change the Self-Service Purchase Status for Power Products: 

Currently, Microsoft offers 3 products under Power Platform. If you want to disable self-service purchase for all three products, you need to execute the cmdlet for each product.

To disable self-service purchase for Power Apps 

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0P -Enabled $False  

 
To disable self-service purchase for Power Automate

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $False 

To disable self-service purchase for Power BI

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0L3PB -Enabled $False

Script to Disable Self-service Purchase for All Power Products.

If you want to disable the self-service purchase option for all power products currently available, just run the code below.

Install-Module -Name MSCommerce   # needed only once; remove this line after the module is installed
Import-Module -Name MSCommerce
Connect-MSCommerce   # sign in with your Global or Billing administrator account when prompted
# Disable self-service purchase for every product where it is still enabled
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
    Where-Object { $_.PolicyValue -eq "Enabled" } |
    ForEach-Object {
        Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductID -Enabled $false
    }

More information about MSCommerce PowerShell module can be found here.
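
Because each product is blocked separately and new products can appear later, a recurring drift check is useful. The following is an added example, not code from the original post or from Microsoft: it flags products whose policy is still Enabled or whose ProductId is not in a baseline built from the three IDs above. The function name, the baseline table and the sample rows are constructed for illustration.

```powershell
# Added example (not from the original post). Baseline = the three ProductIds listed in this article.
$KnownProducts = @{
    'CFQ7TTC0KP0P' = 'Power Apps'
    'CFQ7TTC0KP0N' = 'Power Automate'
    'CFQ7TTC0L3PB' = 'Power BI'
}

# Hypothetical helper: takes the objects returned by Get-MSCommerceProductPolicies
# and emits one row per product that needs an admin's attention.
function Get-SelfServiceDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$Policy,
        [hashtable]$Baseline = $KnownProducts
    )
    process {
        $isNew     = -not $Baseline.ContainsKey($Policy.ProductId)   # product not seen when the baseline was written
        $isEnabled = $Policy.PolicyValue -eq 'Enabled'               # self-service purchase still allowed
        if ($isNew -or $isEnabled) {
            [pscustomobject]@{
                ProductId   = $Policy.ProductId
                PolicyValue = $Policy.PolicyValue
                NewProduct  = $isNew
                NeedsBlock  = $isEnabled
            }
        }
    }
}

# Constructed sample rows standing in for tenant output, so the logic can be tried offline.
# 'EXAMPLE00NEW' is a placeholder ProductId, not a real product.
$sample = @(
    [pscustomobject]@{ ProductId = 'CFQ7TTC0KP0P'; PolicyValue = 'Disabled' }
    [pscustomobject]@{ ProductId = 'CFQ7TTC0KP0N'; PolicyValue = 'Enabled'  }
    [pscustomobject]@{ ProductId = 'EXAMPLE00NEW'; PolicyValue = 'Enabled'  }
)
$sample | Get-SelfServiceDrift | Format-Table -AutoSize

# Against a live tenant (after Connect-MSCommerce as Global or Billing admin):
# Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
#     Get-SelfServiceDrift | Where-Object NeedsBlock | ForEach-Object {
#         Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $false
#     }
```

Rows with NewProduct set to True are worth reviewing even when already disabled, since they indicate the baseline is out of date.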

Troubleshooting Tip:

Error:

HandleError : Failed to retrieve policy with PolicyId ‘AllowSelfServicePurchase’, ErrorMessage – The underlying connection was closed: An unexpected error occurred on a send.

Solution:

This error is due to an older version of Transport Layer Security (TLS). Please use TLS 1.2 or greater.
Upgrade to TLS 1.2: https://docs.microsoft.com/configmgr/core/plan-design/security/enable-tls-1-2

May 2020 Update: Self service Purchase User Request Workflow

Microsoft is planning to introduce a new feature called ‘Self service purchase user request workflow’ from June 2020. Once the feature is rolled out, blocked users will be able to submit a request to be unblocked so that they can proceed with self-service purchasing. Admins can manage this request queue from the Admin center, i.e., an admin can approve or reject each request.

June 2020 Update: Admin can Take Control of Self-service Purchase

Microsoft is planning to launch this feature from July 2020. With this feature, admins can take control of self-service subscriptions bought by users in their organization. This is useful when a user leaves the organization.

This feature will allow admins to

  • Cancel the subscription
  • Move users from the subscription to another subscription while canceling the original subscription

When the admin cancels the subscription, users with licenses will lose access to the specific product. The purchaser will still have access to the Microsoft 365 admin center and is responsible for the remaining balance in the current billing period.

6 comments / Add your comment below

  1. I am wondering because as a normal user in Portal.azure.com ** I believe** I can see the Self Service Options TODAY – but I cannot turn them off with PowerShell. Connect-MSOl, get-msoluser work.. Commerce -> installs, imports, connects, but listing any other commands yields a “Retrieve Policy Error”:
    >> Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase
    HandleError : Failed to retrieve policy with PolicyId ‘AllowSelfServicePurchase’, ErrorMessage – The underlying connection was closed: An unexpected error occurred on a send. ErrorDetails –
    At C:\Program Files\WindowsPowerShell\Modules\MSCommerce\1.2\MSCommerce.psm1:176 char:5
    + HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retri …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,HandleError
    **************************************************************************
    Catch from PSM1 is “HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retrieve policy with PolicyId ‘$PolicyId'””
    **************************************************************************
    This might not work on EDUCATION skus, and the screen I believe is self service as a normal user: It asks if I want to start a trial or specify billing information, if I want to do something like Spin up a machine, database, etc.

      1. I can confirm that I still get this error even with TLS 1.2. I’m able to connect in to every other O365 sub-service with PowerShell except this one.

        1. Yes, a few people are reporting that the MS-Commerce script is not working even after the TLS upgrade.

          Until we get the fix or more detailed error message, I request you to try to execute in some other system.

          1. I worked around this issue by forcing TLS 1.2 in the PowerShell session:

            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
