How Office 365 Tenants Can Disable Self-Service Purchases for Power Platform Apps

MSCommerce PowerShell Module Now Available

MSCommerce PowerShell Module

Microsoft got itself in quite a mess when it announced that users in Office 365 tenants would be able to make self-service purchases for the Power Platform. Some frantic backtracking resulted in a decision to postpone the introduction of the feature until January 14, 2020 and a commitment to deliver administrative controls to allow tenants to disable self-service purchases. Self-service purchase capabilities are not available for Office 365 Government, Nonprofit, and Education tenants.

Without any fuss, Microsoft quietly updated their self-service FAQ on November 19 with the statement that:

Admins can also control whether users in their organization can make self-service purchases. For more information see Use AllowSelfServicePurchase for the MSCommerce PowerShell module.”

Subsequently, Microsoft published Office 365 notification MC196205 to announce the news.

Administrative control over self-service purchases is available through the MSCommerce PowerShell module. Version 1.2 of the module is the latest version, released via the PowerShell Gallery on November 15. This isn’t a particularly feature-rich or easy-to-use module, but it gets the job done.

Installing and Connecting

To install the module and connect to the MSCommerce endpoint, start PowerShell as an administrator to install the module. Then connect to the endpoint as shown below. You’ll be prompted for credentials: because you’re going to interact with the tenant configuration, make sure to use an account belonging to an Office 365 tenant or billing administrator. After connecting, run Get-Command to see the set of cmdlets loaded by the module.

The MsCommerce endpoint only supports TLS 1.2, so make sure that your workstation supports this protocol.

Policy-Driven Management

As is the norm for many Office 365 management entities these days, control is exerted through policies. If you run the Get-MSCommercePolicies cmdlet, you’ll find that there’s only one policy defined, called AllowSelfServicePurchase.

Looking at the AllowSelfServicePurchase policy, we find:

Disabling Self-Service Purchases for One or More Products

So we know that the three apps in the Power Platform are covered by this policy. There’s no granular disablement possible on an account basis; if you disable self-service purchases for a product, it’s off for everyone in the tenant. With that in mind, the Update-MSCommerceProductPolicy cmdlet is the way to disable self-service purchases. An inconsistency is that the other cmdlets report the enabled status as the PolicyValue property while this cmdlet uses the Enabled boolean as the control.

To disable self-service for all three products, run the command for each product or run:

We now wait for 14 January 2020 to test if the block on self-service purchases is effective.


Administration of an Office 365 tenant can be a pain at times. Learn how to work smarter through the Office 365 for IT Pros eBook.

Advertisements

9 Replies to “How Office 365 Tenants Can Disable Self-Service Purchases for Power Platform Apps”

  1. How did you make it work?
    If I try against my tenant, I get:

    PS C:\Users\administrator.PBNET> Get-MSCommercePolicies
    HandleError : Failed to retrieve policies, ErrorMessage – The underlying connection was closed: An unexpected error
    occurred on a send. ErrorDetails –
    At C:\Program Files\WindowsPowerShell\Modules\MSCommerce\1.2\MSCommerce.psm1:139 char:5
    + HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retri …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,HandleError

    Thanks.

    1. I ran into the same issue and the solution is update the ServicePointManager Security Protocol. Below you can see the results.

      PS C:\WINDOWS\system32> Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase
      HandleError : Failed to retrieve policy with PolicyId ‘AllowSelfServicePurchase’, ErrorMessage – The underlying connection was closed: An unexpected error occurred on a send.
      ErrorDetails –
      At C:\Program Files\WindowsPowerShell\Modules\MSCommerce\1.2\MSCommerce.psm1:176 char:5
      + HandleError -ErrorContext $_ -CustomErrorMessage “Failed to retri …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
      + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,HandleError

      PS C:\WINDOWS\system32> [Net.SecurityProtocolType]

      IsPublic IsSerial Name BaseType
      ——– ——– —- ——–
      True True SecurityProtocolType System.Enum

      PS C:\WINDOWS\system32> [System.Net.ServicePointManager]::SecurityProtocol
      Ssl3, Tls
      PS C:\WINDOWS\system32> [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
      PS C:\WINDOWS\system32> Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase

      Description PolicyId
      ———– ——–
      This policy allows you to manage whether members of your organization can buy specified products using self-service purchasing. You can set this policy on a per-product basis. AllowSel…

      PS C:\WINDOWS\system32>

      1. The release notes say that you’ve got to use TLS 1.2 on the workstation to connect to the MSCommerce endpoint, so that’s why you had to update the protocol.

  2. Just to be clear, the solution to the “HandleError : Failed to retrieve policies, ErrorMessage – The underlying connection was closed: An unexpected error
    occurred on a send.” is to run the following PowerShell command:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.