Disable Self-Service Purchases for Power Platform Apps

Posted on by Tony Redmond

MSCommerce PowerShell Module Now Available

Updated May 21, 2020 – see below

MSCommerce PowerShell Module

Microsoft got itself in quite a mess when it announced that users in Office 365 tenants would be able to make self-service purchases for the Power Platform. Some frantic backtracking resulted in a decision to postpone the introduction of the feature until January 14, 2020 and a commitment to deliver administrative controls to allow tenants to disable self-service purchases. Self-service purchase capabilities are not available for Office 365 Government, Nonprofit, and Education tenants.

Without any fuss, Microsoft quietly updated their self-service FAQ on November 19 with the statement that:

Admins can also control whether users in their organization can make self-service purchases. For more information see Use AllowSelfServicePurchase for the MSCommerce PowerShell module.”

Subsequently, Microsoft published Office 365 notification MC196205 to announce the news.

Administrative control over self-service purchases is available through the MSCommerce PowerShell module. Version 1.2 of the module is the latest version, released via the PowerShell Gallery on November 15. This isn’t a particularly feature-rich or easy-to-use module, but it gets the job done.

Installing and Connecting

To install the module and connect to the MSCommerce endpoint, start PowerShell as an administrator to install the module. Then connect to the endpoint as shown below. You’ll be prompted for credentials: because you’re going to interact with the tenant configuration, make sure to use an account belonging to an Office 365 tenant or billing administrator. After connecting, run Get-Command to see the set of cmdlets loaded by the module.

Install-Module -Name MSCommerce -Scope AllUsers -Force
Import-Module MSCommerce
Connect-MSCommerce

Get-Command *-mscommerce*                                                            
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Connect-MSCommerce                                 1.2        mscommerce
Function        Get-MSCommercePolicies                             1.2        mscommerce
Function        Get-MSCommercePolicy                               1.2        mscommerce

The MsCommerce endpoint only supports TLS 1.2, so make sure that your workstation supports this protocol.

Policy-Driven Management

As is the norm for many Office 365 management entities these days, control is exerted through policies. If you run the Get-MSCommercePolicies cmdlet, you’ll find that there’s only one policy defined, called AllowSelfServicePurchase. 

Get-MSCommercePolicies | fl                                                          

Description  : This policy allows you to manage whether members of your organization can buy
               specified products using self-service purchasing. You can set this policy on a
               per-product basis.
PolicyId     : AllowSelfServicePurchase
DefaultValue : Enabled

Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase | fl

Looking at the AllowSelfServicePurchase policy, we find:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase 
                    
ProductName    ProductId    PolicyId                 PolicyValue
-----------    ---------    --------                 -----------
Power Apps     CFQ7TTC0KP0P AllowSelfServicePurchase Enabled
Power BI Pro   CFQ7TTC0L3PB AllowSelfServicePurchase Enabled
Power Automate CFQ7TTC0KP0N AllowSelfServicePurchase Enabled

Disabling Self-Service Purchases for One or More Products

So we know that the three apps in the Power Platform are covered by this policy. There’s no granular disablement possible on an account basis; if you disable self-service purchases for a product, it’s off for everyone in the tenant. With that in mind, the Update-MSCommerceProductPolicy cmdlet is the way to disable self-service purchases. An inconsistency is that the other cmdlets report the enabled status as the PolicyValue property while this cmdlet uses the Enabled boolean as the control.

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0P -Enabled $False
Update policy product success

ProductName ProductId    PolicyId                 PolicyValue
----------- ---------    --------                 -----------
Power Apps  CFQ7TTC0KP0P AllowSelfServicePurchase Disabled

To disable self-service for all three products, run the command for each product or run:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | ? {$_.PolicyValue -eq "Enabled" }| ForEach {Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $False }

Self Service Purchase User Request Workflow

Everyone loves a trier and the Microsoft team responsible for self-service purchases of Power Platform licenses are firmly in this category. Rebuffed in their first attempt to make self-service purchases available to all Office 365 tenants, Office 365 notification MC213897 (21 May) announces that in situations where tenants block self-service purchases, users will be able to request purchases of Power Platform licenses and have those requests added to a queue. Administrators can then review the request and assign licenses to users, if some are available in the tenant. If licenses aren’t available, Microsoft hopes that administrators will respond to user demand and buy some licenses. The feature will start rolling out in mid-June and is scheduled for completion in mid-July 2020.

Administration of an Office 365 tenant can be a pain at times. Learn how to work smarter through the Office 365 for IT Pros eBook.

15 Replies to “Disable Self-Service Purchases for Power Platform Apps”

  1. How did you make it work?
    If I try against my tenant, I get:

    PS C:\Users\administrator.PBNET> Get-MSCommercePolicies
    HandleError : Failed to retrieve policies, ErrorMessage – The underlying connection was closed: An unexpected error
    occurred on a send. ErrorDetails –
    At C:\Program Files\WindowsPowerShell\Modules\MSCommerce\1.2\MSCommerce.psm1:139 char:5
    + HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retri …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,HandleError

    Thanks.

    Reply

    2. I ran into the same issue and the solution is update the ServicePointManager Security Protocol. Below you can see the results.

      PS C:\WINDOWS\system32> Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase
      HandleError : Failed to retrieve policy with PolicyId ‘AllowSelfServicePurchase’, ErrorMessage – The underlying connection was closed: An unexpected error occurred on a send.
      ErrorDetails –
      At C:\Program Files\WindowsPowerShell\Modules\MSCommerce\1.2\MSCommerce.psm1:176 char:5
      + HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retri …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
      + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,HandleError

      PS C:\WINDOWS\system32> [Net.SecurityProtocolType]

      IsPublic IsSerial Name BaseType
      ——– ——– —- ——–
      True True SecurityProtocolType System.Enum

      PS C:\WINDOWS\system32> [System.Net.ServicePointManager]::SecurityProtocol
      Ssl3, Tls
      PS C:\WINDOWS\system32> [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
      PS C:\WINDOWS\system32> Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase

      Description PolicyId
      ———– ——–
      This policy allows you to manage whether members of your organization can buy specified products using self-service purchasing. You can set this policy on a per-product basis. AllowSel…

      PS C:\WINDOWS\system32>

      Reply

      1. The release notes say that you’ve got to use TLS 1.2 on the workstation to connect to the MSCommerce endpoint, so that’s why you had to update the protocol.

  2. Pingback: How Office 365 Tenants Can Disable Self-Service Purchases for Power Platform Apps – 365ForAll

  4. Just to be clear, the solution to the “HandleError : Failed to retrieve policies, ErrorMessage – The underlying connection was closed: An unexpected error
    occurred on a send.” is to run the following PowerShell command:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    Reply
  5. Pingback: Microsoft 365 Naujienos – Gruodžio 9, 2019 [LT] – /w/root
  6. Pingback: Disable Power Platform Self Service Purchasing in Office 365 – Error "HandleError : Failed to retrieve product policy with PolicyId 'AllowSelfServicePurchase' – Blue Collab
  8. Pingback: Microsoft addresses some of the Power platform governance issues | Blog
  9. Pingback: Microsoft Adds Power BI Premium and Power Automate (with RPA) to Self-Service License Purchases - Office 365 for IT Pros

  10. Love the for loop. Suggest adding a little time delay because I found it runs a little too fast.
    Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | ? {$_.PolicyValue -eq “Enabled” }| ForEach {Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $False; Start-Sleep -s 1 }

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.