Self-service purchase capability arrives automatically and enabled by default. Due to this, individuals within the organization can buy subscriptions directly without contacting their IT department. Self-service purchasers are responsible for their own billing information, subscriptions, and license management.
In some cases, this change might be useful since the end-user doesn’t need to wait weeks/months to get approval/license from the IT department.
Through Self-service purchase, IT administrators lose their control over who could purchase and install Office 365. This also creates challenges in controlling data sprawling, compliance, and protection issues. Since Self-service purchase encourages Shadow IT, IT administrators are not gratified due to this change.
Microsoft is providing the setting to toggle self-service purchase before it rolls out, as most Admins would want to disable it 😉. So, it’s good to disable the self-service purchase capabilities now, if you decide to turn off this setting for your organization.
In addition to the self-service purchase capability, there are several features that many admins wish to disable to align with their organization’s needs. Here are the such top 5 Microsoft 365 features every admin wants to disable. take a moment to review your tenant settings, and if you haven’t disabled these features yet, now may be the time to do so.
Block Self-service Purchase for Products using PowerShell:
Currently, there is no user interface solution to disable Self-service purchase in Office 365. You need to use PowerShell to block Self-service purchase.
Microsoft has created a PowerShell module ‘MSCommerce‘ particularly for this. At present, we need to disable self-service purchases for each power product separately. Microsoft is yet to release a global switch to turn off.
If Microsoft releases any new power product in future, then we might need to disable the self-service purchase capability!
The MSCommerce PowerShell module has the following capabilities currently.
- View the Self-service purchase status for your tenant.
- View the list of power products along with its self-service purchase status.
- Modify the self-service purchase option for each power products.
Install MSCommerce PowerShell Module:
Microsoft recommends using the PowerShell module in a Windows 10 device.
Install-Module -Name MSCommerce
Import-Module -Name MSCommerce
Connect-MSCommerce
Note: To execute the cmdlet you need to be either Global or Billing admin.
1. Verify Self-service Purchase Status:
Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase
2. View the list of Power Products and its Self-service Purchase Status:
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase
3. Turn off Self-Service Purchase of Individual Products via PowerShell:
If you want to disable the self-service purchase for individual products, you need to execute the cmdlet for each product.
To disable self-service purchase for Power Apps
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0P -Enabled $False
To disable self-service purchase for Power Automate
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $False
To disable self-service purchase for Power BI
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0L3PB -Enabled $False
To disable self-service purchase for Project Plan 1
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KXND -Enabled $False
To disable self-service purchase for Project Plan 3
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KXNC -Enabled $False
To disable self-service purchase for Visio Plan 1
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KXN9 -Enabled $False
To disable self-service purchase for Teams Premium
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0RM8K -Enabled $False
To disable self-service purchase for Microsoft ClipChamp
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0N8SS -Enabled $False
Script to Disable Self-service Purchase for All Products:
If all you wanted to disable the self-service purchase option for all power platform, project and visio products (currently available), then just run the code below.
Install-Module -Name MSCommerce #once you install you should remove this line
Import-Module -Name MSCommerce
Connect-MSCommerce #sign-in with your global or billing administrator account when prompted
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | Where { $_.PolicyValue -eq “Enabled”} | forEach {
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductID -Enabled $false }
More information about MSCommerce PowerShell module can be found here.
Troubleshooting Tip:
Error:
HandleError : Failed to retrieve policy with PolicyId ‘AllowSelfServicePurchase’, ErrorMessage – The underlying connection was closed: An unexpected error occurred on a send.
Solution:
This error is due to an older version of Transport Layer Security (TLS). Please use TLS 1.2 or greater.
Upgrade to TLS 1.2: https://docs.microsoft.com/configmgr/core/plan-design/security/enable-tls-1-2
Microsoft 365 Self-service Purchase Updates:
Dec 2023 Update: Notifications in the Admin Center when users initiate trial subscriptions.
Admins can easily track users starting self-service trials by checking the notification icon in the top-right corner of the Admin Center header.
Nov 2023 Update: Microsoft announced self-service purchase capability for Microsoft Clipchamp
Clipchamp is the video editor from Microsoft and users can self purchase them directly.
Aug 2023 Update: Microsoft announced self-service purchase capability for Teams Premium
Microsoft made announcement on self-service trial capability for Microsoft Teams Premium for commercial customers from September 2023 end.
Dec 2021 Update: Microsoft announced self-service trial capabilities for Project and Visio
Beginning on January 26, 2022, customers, and individuals without global or billing admin rights can sign up for Microsoft Project or Microsoft Visio 30-day trials before directly purchasing subscriptions or engaging their IT procurement team.
August 2020 Update: Microsoft Announced self-service purchase capabilities for Project and Visio
Microsoft has announced Self-service purchase capabilities for Microsoft Project (Project Plan 1 and Project Plan 3) and Visio products (Visio Plan 1 and Visio Plan 2).
This feature will be available from Sep 15, 2020.
June 2020 Update: Admin can Take Control of Self-service Purchase
Microsoft is planning to launch this feature from July 2020. With this feature, admin can take control of self-service subscription bought by users in their organization. This is useful when a user leaves the organization.
This feature will allow admins to
- Cancel the subscription
- Move users from the subscription to another subscription while canceling the original subscription
When the admin cancels the subscription, users with licenses will lose access to the specific product. The purchaser will still have access to the Microsoft 365 admin center and responsible for the remaining balance in the current billing period.
May 2020 Update: Self service Purchase User Request Workflow
Microsoft is planning to introduce a new feature called ‘Self service purchase user request workflow’ from June 2020. Once the feature is rolled out, blocked users will be able to submit a request to be unblocked. So, they can proceed with self-service purchasing. Admin can manage this request queue from the Admin center. i.e., admin can approve or reject the request.
As early mentioned, you can disable self- service purchases using the given script. Microsoft is expanding self-service purchase access, so stay vigilant and ensure your organization’s security by blocking access promptly! Suppose, automatic license assignment is your only choice, go with auto-claim policies in Microsoft 365, which ensures optimal license usage.
Related Posts:
Disable Self-service Purchase for Microsoft 365 Products 
How to Create Self-signed Certificate using PowerShell
Manage Self-service Sign-up for Guests in Microsoft Entra
Configure Self-Service Group Management in Microsoft…
Disable Access to Exchange Online PowerShell - A…
How to Clone Microsoft 365 Service Settings Using…
I am wondering because as a normal user in Portal.azure.com ** I believe** I can see the Self Service Options TODAY – but i cannot turn them off with powershell. Connect-MSOl, get-msoluser work.. Commerce -> installs, imports, connects, but listing any other commands yields a “Retrieve Policy Error”:
>> Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase
HandleError : Failed to retrieve policy with PolicyId ‘AllowSelfServicePurchase’, ErrorMessage – The underlying connection was closed: An unexpected error occurred on a send. ErrorDetails –
At C:\Program Files\WindowsPowerShell\Modules\MSCommerce\1.2\MSCommerce.psm1:176 char:5
+ HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retri …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,HandleError
**************************************************************************
Catch from PSM1 is “HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retrieve policy with PolicyId ‘$PolicyId'””
**************************************************************************
This might not work on EDUCATION skus, and the screen I believe is self service as a normal user: It asks if i want to start a trial or specify billing information, if i want to do something like Spin up a machine, database, etc.
HandleError : Failed to retrieve policy with PolicyId 'AllowSelfServicePurchase', ErrorMessage - The underlyingconnection was closed: An unexpected error occurred on a send.
This is due to an older version of Transport Layer Security (TLS). Please use TLS 1.2 or greater
Upgrade TLS 1.2: https://docs.microsoft.com/configmgr/core/plan-design/security/enable-tls-1-2
I can confirm that I still get this error even with TLS 1.2. I’m able to connect in to every other O365 sub-service with Powershell except this one.
Yes, few people are reporting that the MS-Commerce script is not working even after TLS upgrade.
Until we get the fix or more detailed error message, I request you to try to execute in some other system.
I worked around this issue by forcing TLS 1.2 in the PowerShell session:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Good Job
Rather than disabling each service individually, you can pipe to a foreach:
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | Foreach-Object {Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -enabled $False}
If you really want, you can also only disable the products that are enabled (good for future use if additional products are to be allowed for self service), but with the list being so small, there’s little benefit from filtering:
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | Where-Object PolicyValue -eq ‘Enabled’ | Foreach-Object {Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -enabled $False}