<img height="1" width="1" src="https://www.facebook.com/tr?id=1529264867168163&amp;ev=PageView &amp;noscript=1">
blog_listing_hero_img.jpg

Blocking Self-Service Purchases

On October 23rd, Microsoft announced – a little out of the blue – they were going to introduce self-service purchase options for users on November 19th. The details of this change were put forward in a post in the message center, article MC193609 to be exact. In short, this option would introduce the following changes for commercial tenants:

  • Allow end users to purchase Power Platform related subscriptions using their own payment method, e.g. Power Apps, Automate (formerly Flow) or PowerBI Pro.
  • These subscriptions could be made in their employee’s tenant, with the exception of government, non-profit and education.
  • It would not end with Power Platform subscriptions.
  • To make purchases, end users would be able to open a restricted view of the Microsoft 365 Admin Center.

While a handful individuals cheered ‘Power to the end user’, the vast majority of organizations were very unhappy with this announcement to say the least. This adoption booster would not only be opposing Microsoft’s own ‘Cloud on your terms’ and ‘Your tenant, your data’ principles they have been telling customers for years, it could also severely impact enterprise security and governance policies (or absence thereof), let alone lead to discussions when people expense their PowerBI Pro purchase. And I’m not even talking about the absence of admin controls.

So, swiftly after the massive backlash on social media, UserVoice as well as other channels, the announcement was altered, and a FAQ was published, which you can read here. The change itself was postponed until January 14th, 2020, and organizations would be handed controls to turn self-service purchases off before roll out.

Rather quietly, details on how to disable self-service purchase have been added to the FAQ. To accomplish this, you need to install yet another PowerShell module from the PowerShell gallery, MSCommerce. Of course, you cannot have enough PowerShell modules installed; I am sure there are good reasons for not adding this functionality to the existing Azure module for example.

So, from a PowerShell session, to install the module and connect to the MSCommerce service, run the following:





















Install-Module MSCommerce
Connect-MSCommerce

You should now have the following commands at your disposal:

image
Command Description
Connect-MSCommerce Connect to MSCommerce service
Connect-MSCommercePolicies Get information on configurable policies
Connect-MSCommercePolicy Get configuration of a specified policy
Connect-MSCommerceProductPolicies Get information on products settings for specified policy
Connect-MSCommerceProductPolicy Get information on policy setting for specific product
Update-MSCommerceProductPolicy Update setting for specified policy for specific product

For now, there is only one policy available, which is the AllowSelfServicePurchase policy. You can retrieve all existing policies using Get-MSCommercePolicies, and to inspect the single policy you can use Get-MSCommercePolicy -PolicyId <Policy>.

image

The policy has a DefaultValue of Enabled, which implies there should be ways to turn it off overall without fiddling with the underlying setting, but it is what it is.

Now we can inspect all the Product settings belonging to that policy using:







Get-MSCommerceProductPolicies -PolicyId <Policy>
image

As shown, the self service purchase options for Power Apps, Power BI Pro  and Automate are all enabled. To retrieve a single product setting, use Get-MSCommerceProductPolicy -PolicyId <Policy> -ProductId <Product>. You can fin the ProductId identifiers in the output displayed above.

image

Now, to turn the self-service purchase option for all these products off, you can use the following oneliner:




Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | ForEach { Update-MSCommerceProductPolicy -PolicyId $_.PolicyId -ProductId $_.ProductId -Enabled $false }
image

Be sure to monitor the self-service purchase FAQ for any changes, as in the future new products may receive a self-service purchase option, and you may need to re-run the above command.



Monitor Your Hybrid - Office 365 Environment with ENow

ENow’s solution is like your own personal outage detector that pertains solely to your environment. ENow’s solution monitors all crucial components including your hybrid servers, the network, and Office 365 from a single pane of glass. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.Learn more