Disable Self-Service Purchases for Power Platform Apps

MSCommerce PowerShell Module Now Available

Updated May 21, 2020 – see below

Microsoft got itself in quite a mess when it announced that users in Office 365 tenants would be able to make self-service purchases for the Power Platform. Some frantic backtracking resulted in a decision to postpone the introduction of the feature until January 14, 2020 and a commitment to deliver administrative controls to allow tenants to disable self-service purchases. Self-service purchase capabilities are not available for Office 365 Government, Nonprofit, and Education tenants.

Without any fuss, Microsoft quietly updated their self-service FAQ on November 19 with the statement that:

“Admins can also control whether users in their organization can make self-service purchases. For more information see Use AllowSelfServicePurchase for the MSCommerce PowerShell module.”

Subsequently, Microsoft published Office 365 notification MC196205 to announce the news.

Administrative control over self-service purchases is available through the MSCommerce PowerShell module. Version 1.2 of the module is the latest version, released via the PowerShell Gallery on November 15. This isn’t a particularly feature-rich or easy-to-use module, but it gets the job done.

Installing and Connecting

To install the module and connect to the MSCommerce endpoint, start PowerShell as an administrator to install the module. Then connect to the endpoint as shown below. You’ll be prompted for credentials: because you’re going to interact with the tenant configuration, make sure to use an account belonging to an Office 365 tenant or billing administrator. After connecting, run Get-Command to see the set of cmdlets loaded by the module.

Install-Module -Name MSCommerce -Scope AllUsers -Force
Import-Module MSCommerce
Connect-MSCommerce

Get-Command *-mscommerce*                                                            
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Connect-MSCommerce                                 1.2        mscommerce
Function        Get-MSCommercePolicies                             1.2        mscommerce
Function        Get-MSCommercePolicy                               1.2        mscommerce

The MsCommerce endpoint only supports TLS 1.2, so make sure that your workstation supports this protocol.

Policy-Driven Management

As is the norm for many Office 365 management entities these days, control is exerted through policies. If you run the Get-MSCommercePolicies cmdlet, you’ll find that there’s only one policy defined, called AllowSelfServicePurchase.

Get-MSCommercePolicies | fl                                                          

Description  : This policy allows you to manage whether members of your organization can buy
               specified products using self-service purchasing. You can set this policy on a
               per-product basis.
PolicyId     : AllowSelfServicePurchase
DefaultValue : Enabled

Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase | fl

Looking at the AllowSelfServicePurchase policy, we find:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase 
                    
ProductName    ProductId    PolicyId                 PolicyValue
-----------    ---------    --------                 -----------
Power Apps     CFQ7TTC0KP0P AllowSelfServicePurchase Enabled
Power BI Pro   CFQ7TTC0L3PB AllowSelfServicePurchase Enabled
Power Automate CFQ7TTC0KP0N AllowSelfServicePurchase Enabled

Disabling Self-Service Purchases for One or More Products

So we know that the three apps in the Power Platform are covered by this policy. There’s no granular disablement possible on an account basis; if you disable self-service purchases for a product, it’s off for everyone in the tenant. With that in mind, the Update-MSCommerceProductPolicy cmdlet is the way to disable self-service purchases. An inconsistency is that the other cmdlets report the enabled status as the PolicyValue property while this cmdlet uses the Enabled boolean as the control.

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0P -Enabled $False
Update policy product success

ProductName ProductId    PolicyId                 PolicyValue
----------- ---------    --------                 -----------
Power Apps  CFQ7TTC0KP0P AllowSelfServicePurchase Disabled

To disable self-service for all three products, run the command for each product or run:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | ? {$_.PolicyValue -eq "Enabled" }| ForEach {Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $False }

Self Service Purchase User Request Workflow

Everyone loves a trier and the Microsoft team responsible for self-service purchases of Power Platform licenses are firmly in this category. Rebuffed in their first attempt to make self-service purchases available to all Office 365 tenants, Office 365 notification MC213897 (21 May) announces that in situations where tenants block self-service purchases, users will be able to request purchases of Power Platform licenses and have those requests added to a queue. Administrators can then review the request and assign licenses to users, if some are available in the tenant. If licenses aren’t available, Microsoft hopes that administrators will respond to user demand and buy some licenses. The feature will start rolling out in mid-June and is scheduled for completion in mid-July 2020.

---

Administration of an Office 365 tenant can be a pain at times. Learn how to work smarter through the Office 365 for IT Pros eBook.