Microsoft Self-Service Purchase for Power Platform Products and How to Block it using PowerShell

Nov 25, 2019 2:30:00 PM

Welcome! If you’re here reading this, chances are you’re looking for some information about Microsoft’s recent announcement pertaining to self-service purchasing capabilities in Office 365. If that’s the case, you’re in the right place! Ever since the announcement for MC193609 showed up in Office 365 message centers, I’ve been fielding questions from clients about what to do; so I took this opportunity to summarize the recent history of this roadmap item and offer a few tips on how to make sure your organization is ready for the January 2020 rollout.

Microsoft recently announced a new Self-Service purchase capability for their Power Platform Products that will be enabled in Office 365 tenants by default by early January 2020. These changes will allow any individual within the organization to purchase the Microsoft Power Platform subscriptions directly, circumventing their IT department. With this announcement, Microsoft also stated that IT organizations would have no control over disabling this feature. Shortly after posting this update in the Office 365 message center, Microsoft posted a knowledgebase article stating that with this change they were addressing demand from the user community, which had been requesting the self-service purchase capability. Additionally, Microsoft indicated they would offer organizational admins an updated view to monitor and track the self-service purchases made in their organizations. Many of the users (non-admins) in the Office 365 community took to the online forums, praising Microsoft and reinforcing this change as a great thing. Some people elaborated, stating they would no longer need to wait weeks, months or even years for purchasing approval from their IT department. Others stated this change would allow them to purchase tools enabling them to perform their job better or more efficiently.

On the other side of the fence, there were the IT admins with an overwhelmingly different opinion about Microsoft’s announcement. Within a week, thousands of upset IT admins took to a Microsoft UserVoice forum, pleading with the powers that be at Microsoft to make some critical adjustments to the self-service purchasing plan before it was rolled out in a few short weeks. Some of the business challenges highlighted by the IT admins included:

  • This would allow the business users to circumvent controlled IT procurement processes that at times may include negotiated and/or discounted pricing.
  • IT organizations were not ready for this change and would not have enough time to implement the appropriate DLP controls to properly protect the company data on these platforms.
  • Many IT organizations do not have in-house staff with subject matter expertise to support the suite of Microsoft Power products.

Leading up to Microsoft’s Ignite conference in Orlando, Florida, the feedback from IT admins and organizations could no longer be ignored. Microsoft cited how much they value their community of IT admins and respect their feedback, and publicly acknowledged the demand for change to this service rollout. As a result, Microsoft stated they would provide organizations a method to disable the self-service purchasing in the weeks leading up to their self-service feature launch. It’s important to note that the self-service purchasing capability will still be automatically enabled come January 14th, 2020, but there is a way to manually shut it off! On November 19th, Microsoft released the new MSCommerce PowerShell module and provided the steps to disable the self-service purchasing capabilities if you so choose. My advice: if your organization intends to disable this feature, don’t wait; do it now!

How to Block Self-Service Purchase for Power Platform Products Using PowerShell:

I’ve tried to streamline the steps and add some context for you where applicable. The reference Microsoft article can be found at https://docs.microsoft.com/en-us/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell

Install the MSCommerce PowerShell module

You install the MSCommerce PowerShell module on your Windows 10 device once and then import it into each PowerShell session you start. Download the MSCommerce PowerShell module from the PowerShell Gallery.

Launch PowerShell using the “Run as Administrator” option. Install the module by running the following command: Install-Module -Name MSCommerce

Import the MSCommerce module into the PowerShell session

To import it into a PowerShell session, run the following command: Import-Module -Name MSCommerce

Connect to MSCommerce with your credentials

To connect to the PowerShell module with your credentials, run the following command: Connect-MSCommerce

You will be prompted to enter your Office 365 Global Administrator or Billing Administrator credentials to connect.

View a list of self-service purchase products and their status

To view a list of all available self-service purchase products and the status of each, run the following command: Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase

Note: When I first ran this command, I received an error here that stated “HandleError : Failed to retrieve policy with PolicyId 'AllowSelfServicePurchase', ErrorMessage - The underlying connection was closed: An unexpected error occurred on a send. ErrorDetails –“

For me, this was due to strong cryptography being disabled on my server for .Net based applications where only SSL 3.0 and TLS 1.0 were being used. I was able to resolve this by adding a registry key and rebooting.

DISCLAIMER: While this fix worked for me, it may not work for you and may cause unintended consequences. Use at your own risk! The steps provided are for general informational purposes only. All information is provided in good faith however we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability or completeness.

To set strong cryptography on 32-bit .Net Framework (version 4 and above):
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
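
Before changing the registry, it helps to see what the machine is actually configured to do. The following is an added example, not part of the original post or of Microsoft's module: it reads SchUseStrongCrypto from the key set above and from its Wow6432Node counterpart (the view 32-bit processes read on 64-bit Windows), then shows the TLS protocols the current session will offer and, if TLS 1.2 is missing, enables it for this session only. The function name Get-StrongCryptoState is hypothetical.

```powershell
# Added example: audit .NET strong-crypto settings before connecting.
# Read-only, except for the session-scoped TLS 1.2 opt-in at the end.
function Get-StrongCryptoState {
    # Key set in the post, plus the Wow6432Node view that 32-bit
    # processes read on 64-bit Windows.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
    )
    foreach ($path in $paths) {
        $exists = Test-Path -Path $path
        $value  = $null
        if ($exists) {
            $value = (Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' `
                      -ErrorAction SilentlyContinue).SchUseStrongCrypto
        }
        [pscustomobject]@{
            Path               = $path
            KeyExists          = $exists
            SchUseStrongCrypto = if ($null -eq $value) { 'not set' } else { $value }
            StrongCryptoOn     = ($value -eq 1)
        }
    }
}

Get-StrongCryptoState | Format-Table -AutoSize

# Protocols this PowerShell session will offer for outbound HTTPS.
$current = [Net.ServicePointManager]::SecurityProtocol
"Session SecurityProtocol: $current"

# A value of 0 (SystemDefault) defers to the OS; otherwise the TLS 1.2
# flag has to be present for a TLS 1.2-only endpoint to accept the call.
$tls12 = [Net.SecurityProtocolType]::Tls12
if ($current -ne 0 -and -not ($current -band $tls12)) {
    # Session-only: no registry write, no reboot, gone when the window closes.
    [Net.ServicePointManager]::SecurityProtocol = $current -bor $tls12
    "TLS 1.2 added for this session: $([Net.ServicePointManager]::SecurityProtocol)"
}
```

The session-scoped change is a way to confirm that the protocol mismatch is the cause before committing to the machine-wide registry setting.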

View or set the status for AllowSelfServicePurchase

Referencing the product IDs obtained in the previous step, you can disable the policy setting for a specific product by running the following command: Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId <ProductId> -Enabled $False
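
The steps above, carried through for every product at once, as an added example (not from the original post or Microsoft's module). It uses only the cmdlets and parameters shown on this page and assumes that the objects returned by Get-MSCommerceProductPolicies carry ProductName, ProductId and PolicyValue properties, with PolicyValue reading 'Enabled' or 'Disabled'.

```powershell
# Added example: disable self-service purchase for every listed product,
# then re-query to confirm. Run after Import-Module and Connect-MSCommerce.
$policyId = 'AllowSelfServicePurchase'

# Snapshot the state before changing anything (keep it for the change record).
$before = Get-MSCommerceProductPolicies -PolicyId $policyId
$before | Select-Object ProductName, ProductId, PolicyValue | Format-Table -AutoSize

# Only touch products that are still enabled.
# Assumption: PolicyValue is the string 'Enabled' or 'Disabled'.
$toDisable = $before | Where-Object { $_.PolicyValue -eq 'Enabled' }

foreach ($product in $toDisable) {
    try {
        Update-MSCommerceProductPolicy -PolicyId $policyId `
            -ProductId $product.ProductId -Enabled $false | Out-Null
        Write-Host "Requested disable: $($product.ProductName) [$($product.ProductId)]"
    }
    catch {
        Write-Warning "Failed for $($product.ProductName): $($_.Exception.Message)"
    }
}

# Do not trust the loop output alone: re-read the policy and report
# anything that is still enabled.
$stillEnabled = Get-MSCommerceProductPolicies -PolicyId $policyId |
    Where-Object { $_.PolicyValue -eq 'Enabled' }

if ($stillEnabled) {
    Write-Warning "Still enabled: $($stillEnabled.ProductName -join ', ')"
}
else {
    Write-Host 'Self-service purchase is disabled for all listed products.'
}
```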

Written by Greg Marts

Microsoft Practice Lead, Cloud and Systems Engineer at Versatile