Self-Service Purchases – Office 365 for IT Pros
https://office365itpros.com

Self-Service Purchase Notifications for Tenant Administrators
https://office365itpros.com/2024/07/19/self-service-purchases-notification/
Fri, 19 Jul 2024 07:00:00 +0000

Disabling Self-Service Purchases of Microsoft 365 Licenses

I dislike the mechanism which allows users to purchase licenses like Teams Premium without tenant administrator oversight or knowledge. I strongly believe that license management is a core competence of tenant administrators and that allowing users to purchase their own licenses is a guaranteed way to waste money on underused or unwanted licenses. Self-service licenses operate under the radar and can’t be detected by normal license reporting, even by the redoubtable Microsoft 365 tenant licensing report.

Starting with Power BI Pro and Premium licenses in 2019, Microsoft has gradually built out a set of 25 self-service purchases, including Windows 365, Python on Excel, Visio, and Dynamics 365. Users buy licenses using credit cards and can assign licenses to other users in the same tenant.

Naturally, I advise all tenants to disable this capability by using the odd MsCommerce PowerShell module. These commands are enough to do the job and produce the result shown in Figure 1.

Import-Module MsCommerce
Connect-MsCommerce
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | ForEach {Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $False }

Figure 1: Disabling all self-service purchases for a Microsoft 365 tenant
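Because the product list keeps growing and the policy default is Enabled, a one-off run of the command above does not stay complete. The following is an added example, not code from the original post: it compares the policy list against the product IDs reviewed on an earlier run and reports anything new or still enabled. The function names and the known-products.txt file are assumptions made for illustration; the sample objects are constructed from product IDs listed elsewhere on this page.

```powershell
# Added example (not the author's code). Function names and file names are
# hypothetical; the MSCommerce cmdlets and the ProductName / ProductId /
# PolicyValue properties are the ones shown in the posts on this page.

function Get-SelfServicePolicyDrift {
    [CmdletBinding()]
    param(
        # Objects shaped like the output of Get-MSCommerceProductPolicies
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]]$Policies,

        # ProductIds already seen and reviewed on a previous run
        [string[]]$KnownProductIds = @()
    )

    foreach ($Policy in $Policies) {
        $IsNew     = $Policy.ProductId -notin $KnownProductIds
        $IsEnabled = $Policy.PolicyValue -eq 'Enabled'

        # Known and disabled: nothing to report
        if (-not ($IsNew -or $IsEnabled)) { continue }

        if ($IsNew -and $IsEnabled) { $Finding = 'New product, purchases enabled' }
        elseif ($IsNew)             { $Finding = 'New product, already disabled' }
        else                        { $Finding = 'Known product, purchases enabled' }

        [PSCustomObject]@{
            ProductName = $Policy.ProductName
            ProductId   = $Policy.ProductId
            PolicyValue = $Policy.PolicyValue
            Finding     = $Finding
        }
    }
}

function Disable-SelfServicePurchase {
    # Supports -WhatIf / -Confirm so the change can be previewed first
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Finding
    )
    process {
        # Only enabled products need a policy update
        if ($Finding.PolicyValue -ne 'Enabled') { return }
        if ($PSCmdlet.ShouldProcess($Finding.ProductName, 'Disable self-service purchase')) {
            Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase `
                -ProductId $Finding.ProductId -Enabled $False
        }
    }
}

# --- Constructed sample data (runs offline, no tenant connection needed) ---
# Three products were reviewed earlier; since then Power BI Pro shows as
# Enabled and Windows 365 Business has appeared with the default value.
$Known = @('CFQ7TTC0KP0P', 'CFQ7TTC0L3PB', 'CFQ7TTC0KP0N')
$Sample = @(
    [PSCustomObject]@{ ProductName = 'Power Apps per user';     ProductId = 'CFQ7TTC0KP0P'
                       PolicyId = 'AllowSelfServicePurchase';   PolicyValue = 'Disabled' }
    [PSCustomObject]@{ ProductName = 'Power BI Pro';            ProductId = 'CFQ7TTC0L3PB'
                       PolicyId = 'AllowSelfServicePurchase';   PolicyValue = 'Enabled' }
    [PSCustomObject]@{ ProductName = 'Power Automate per user'; ProductId = 'CFQ7TTC0KP0N'
                       PolicyId = 'AllowSelfServicePurchase';   PolicyValue = 'Disabled' }
    [PSCustomObject]@{ ProductName = 'Windows 365 Business';    ProductId = 'CFQ7TTC0J203'
                       PolicyId = 'AllowSelfServicePurchase';   PolicyValue = 'Enabled' }
)

Get-SelfServicePolicyDrift -Policies $Sample -KnownProductIds $Known |
    Format-Table -AutoSize

# --- Live use (needs the MSCommerce module and an administrator sign-in) ---
#   Import-Module MSCommerce
#   Connect-MSCommerce
#   $Live  = Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase
#   $Known = if (Test-Path .\known-products.txt) { Get-Content .\known-products.txt } else { @() }
#   $Drift = Get-SelfServicePolicyDrift -Policies $Live -KnownProductIds $Known
#   $Drift | Disable-SelfServicePurchase -WhatIf     # drop -WhatIf to apply
#   $Live.ProductId | Set-Content .\known-products.txt
```

Run on a schedule, the report shows which products appeared since the last review before any user has a chance to buy them.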

Self-Service Sign Up Might Work for Some

I grudgingly admit that self-service purchases (or self-service sign-up as Microsoft refers to the capability) can work for some environments. Microsoft 365 serves many different kinds of organizations and some like to offload optional license management onto their users.

Organizations that permit self-service purchases will be delighted by the news in message center notification MC818889 (18 July 2024) that the Microsoft 365 admin center will soon post notifications (Figure 2) when users make self-service purchases. Notifications are due to start appearing in late July 2024 and should be available in all tenants by the end of August 2024. They will be seen by accounts holding the Global administrator and Billing administrator roles. Notifications are turned on by default.

Figure 2: Notification for self-service purchases

Microsoft says that the change is significant because:

  • Awareness: Keeping you informed is crucial. With these notifications, you will stay updated on all activities in the tenant(s) you manage.
  • Actionable Insights: We aim to empower you to take necessary steps. Whether it is managing subscriptions or ensuring security and compliance for vetted products, these insights will help align with your processes.

One might ask why it’s taken Microsoft five years to realize that keeping tenant administrators informed is crucial, but that’s another day’s work. The point is that notifications will now happen, and that’s a welcome development.

Handling Self-Purchase Notifications

When administrators see notifications about self-service purchases, they can:

  • Ignore the notification (the “pretend it didn’t happen” tactic).
  • Realize that self-service purchases shouldn’t be happening and run the PowerShell command shown above to disable self-service purchases.
  • Take over the licenses purchased by self-service sign-ups.
  • Cancel the self-service licenses.

Taking over licenses (to cancel or absorb the licenses in the general set managed for the tenant) requires some work from administrators. I’ve never done this because I have never allowed self-service purchases, but the process is covered in the self-service purchases FAQ.

Self-Service Notifications Can be Easily Overlooked

Receiving notifications when users take the plunge and buy a license for something like Power BI Premium is not enough to make me think that self-service licensing is a good idea. However, I acknowledge that it is a good step forward and will ease the administrative load in organizations where self-service purchases are allowed.

A nagging doubt that I have is that notifications are easily overlooked or dismissed without thinking, especially when people hurry to complete another task. A weekly digest of self-service purchases would round out the notification process. I guess that I shall wait another five years for that idea to arrive.


How to Block Self-Service Purchases of Windows 365 Licenses
https://office365itpros.com/2021/07/20/block-self-service-purchases-of-windows-365-licenses/
Tue, 20 Jul 2021 01:00:00 +0000

Three Windows 365 Options Available for Purchase


Microsoft’s announcement of Windows 365 on July 14 created a great deal of excitement in some organizations seeking a way to deploy and manage PC assets more easily (here’s an independent view on the topic). Five days later, Microsoft notified Office 365 tenants in MC271483 that end users will be able to buy Windows 365 licenses through the self-purchase license mechanism in the Microsoft 365 admin center. By default, Microsoft enables self-service purchases of Windows 365 licenses, so if you don’t want this to happen, you must disable the self-purchase option for Windows 365 using PowerShell.

Windows 365 comes in two versions. Microsoft’s definitions for the two are:

  • Windows 365 Enterprise is for organizations that want to manage their Cloud PCs with Microsoft Endpoint Manager and take advantage of integrations with other Microsoft services, including Azure Active Directory and Microsoft Defender for Endpoint.
  • Windows 365 Business is for smaller organizations that want a simple way to buy, deploy, and manage Cloud PCs.

According to Microsoft, self-service purchases are integrated into the two versions as follows:

  • Microsoft 365 Enterprise: IT admins who use Microsoft Endpoint Manager (MEM) will be able to purchase a license during the resize action on a user’s Cloud PC if their organization does not have any licenses available. 
  • Microsoft 365 Business: Any user can purchase a license from windows365.com and automatically have a Cloud PC created for them.

Self-Service Purchase Options

Three Windows 365 options are available for self-purchase. Microsoft won’t confirm prices until August 1.

Self-service purchases are unavailable for government and academic tenants.

Using PowerShell to Block Windows 365 Self-Service License Purchases

Control over Windows 365 self-service license purchases uses the same mechanism as Power Apps, Power Automate, Power BI, Visio, Project Online, and (most recently) Power BI Premium and Power Automate with RPA. Here’s what you need to do:

First, if your workstation doesn’t already have version 1.6 of the MSCommerce PowerShell module, download and install the module. After the installation finishes, run the Connect-MSCommerce cmdlet to connect to the Commerce endpoint, authenticating using a global tenant administrator account.

Connect-MSCommerce

You can disable each Windows 365 option separately. For instance, here’s how to disable Windows 365 Business:

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0J203 -Enabled $False

To disable the three Windows 365 self-service purchase options, use this code:

$Windows365Options = @("CFQ7TTC0HHS9", "CFQ7TTC0HX99", "CFQ7TTC0J203")
ForEach ($Option in $Windows365Options) {
   Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $Option -Enabled $False }

Finally, check the current enablement status for each product available for self-purchase with:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase

ProductName                                      ProductId    PolicyId                 PolicyValue
-----------                                      ---------    --------                 -----------
Windows 365 Enterprise                           CFQ7TTC0HHS9 AllowSelfServicePurchase Disabled
Windows 365 Business with Windows Hybrid Benefit CFQ7TTC0HX99 AllowSelfServicePurchase Disabled
Windows 365 Business                             CFQ7TTC0J203 AllowSelfServicePurchase Disabled
Power Automate per user                          CFQ7TTC0KP0N AllowSelfServicePurchase Disabled
Power Apps per user                              CFQ7TTC0KP0P AllowSelfServicePurchase Disabled
Power Automate RPA                               CFQ7TTC0KXG6 AllowSelfServicePurchase Disabled
Power BI Premium (standalone)                    CFQ7TTC0KXG7 AllowSelfServicePurchase Disabled
Visio Plan 2                                     CFQ7TTC0KXN8 AllowSelfServicePurchase Disabled
Visio Plan 1                                     CFQ7TTC0KXN9 AllowSelfServicePurchase Disabled
Project Plan 3                                   CFQ7TTC0KXNC AllowSelfServicePurchase Disabled
Project Plan 1                                   CFQ7TTC0KXND AllowSelfServicePurchase Disabled
Power BI Pro                                     CFQ7TTC0L3PB AllowSelfServicePurchase Disabled

To Block or Not to Block

Self-service licensing has its place in some organizations. Others consider it inappropriate and unhelpful to allow end users to drive what they consider should be organization-led purchasing. If you’re in the latter category, go ahead and run the couple of lines of PowerShell given above to block users. If not, consider how to educate people about how self-service licensing works and when it should be used.


Microsoft Adds Power BI Premium and Power Automate (with RPA) to Self-Service License Purchases
https://office365itpros.com/2021/03/26/microsoft-increases-self-service-license-purchases/
Fri, 26 Mar 2021 00:30:00 +0000

More Products for End Users to Buy

In November 2019, Microsoft launched an initiative to allow users with an Azure AD account belonging to a Microsoft 365 tenant to self-purchase licenses for a limited set of products. At that time, the range was Power Apps, Power BI Pro, and Power Automate. The uproar from customers was such that Microsoft was forced to backtrack on the plan until they introduced the ability to disable self-service purchases through PowerShell. Sales then began in January 2020.

Roll on to August 2020 and Microsoft augmented the range with Visio and Project Online. Now, MC245825 posted on March 22 tells us that the range increases again to cover Power BI Premium and Power Automate with RPA (Robotic Process Automation) from April 19, 2021.

The Arguments Around Self-Service Purchases

Tenant administrators usually object to self-service license purchases because they want to know what’s happening in the tenant. They point out that it’s difficult enough to exert any control due to the volume of changes introduced by Microsoft. Adding the need to track what end users spend on licenses bought from Microsoft just complicates matters, especially if cheaper (discounted) licenses can be bought through a software purchase agreement at the organization level.

End users like self-service purchases because they can buy licenses with a credit card through in-app purchases or a Microsoft product website. Access to software they need is immediate without having to involve administrators.

Microsoft loves self-service license purchases because they’re selling to a captive audience. It’s an easy way to sell direct to a targeted audience (anything to drive usage and sell more licenses is grist to Microsoft’s mill; auto-claim policies also fall into this category). Read Microsoft’s FAQ for more details about self-service purchases.

New Products on Sale

The new products eligible for self-service purchases are:

From a technical perspective, RPA is the more interesting. Adding an RPA license to Flows allows the automation of repetitive actions (the robot part of the name). For an insight into what’s possible, you can watch these Microsoft Mechanics videos for an introduction to RPA and how to set up the Power Automate desktop.

Disabling Self-Service Purchases

You can only disable self-service purchases by running cmdlets in the MSCommerce PowerShell module. The current version is 1.6. The commands are simple:

  • Import the MSCommerce module.
  • Connect to the MSCommerce endpoint with an administrator account.
  • Run the Update-MSCommerceProductPolicy cmdlet to disable purchases for each product you want to bar. The product code identifies the target product.
  • Check that the current purchase status is as you require by running the Get-MSCommerceProductPolicies cmdlet.

Here’s the code I ran to disable purchases for the two new products:

# Import the MSCommerce module
Import-Module MSCommerce
# Connect to the MSCommerce endpoint
Connect-MSCommerce
# Disable Power BI Premium per user license self-service purchase
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KXG7 -Enabled $False

Update policy product success

ProductName                   ProductId    PolicyId                 PolicyValue
-----------                   ---------    --------                 -----------
Power BI Premium (standalone) CFQ7TTC0KXG7 AllowSelfServicePurchase Disabled

# Disable Power Automate with RPA license self-service purchase
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KXG6 -Enabled $False

Update policy product success

ProductName        ProductId    PolicyId                 PolicyValue
-----------        ---------    --------                 -----------
Power Automate RPA CFQ7TTC0KXG6 AllowSelfServicePurchase Disabled

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase

ProductName                   ProductId    PolicyId                 PolicyValue
-----------                   ---------    --------                 -----------
Power Automate per user       CFQ7TTC0KP0N AllowSelfServicePurchase Disabled
Power Apps per user           CFQ7TTC0KP0P AllowSelfServicePurchase Disabled
Power Automate RPA            CFQ7TTC0KXG6 AllowSelfServicePurchase Disabled
Power BI Premium (standalone) CFQ7TTC0KXG7 AllowSelfServicePurchase Disabled
Visio Plan 2                  CFQ7TTC0KXN8 AllowSelfServicePurchase Disabled
Visio Plan 1                  CFQ7TTC0KXN9 AllowSelfServicePurchase Disabled
Project Plan 3                CFQ7TTC0KXNC AllowSelfServicePurchase Disabled
Project Plan 1                CFQ7TTC0KXND AllowSelfServicePurchase Disabled
Power BI Pro                  CFQ7TTC0L3PB AllowSelfServicePurchase Disabled

After updating the commerce policies, all self-service purchases are blocked in my tenant (all are disabled).

Nothing Against Self-Service Purchases

I don’t really have a problem with the concept of self-service purchases, but I do not like the implementation inside Microsoft 365. If Microsoft wanted to help organizations manage self-service purchases, they could create a customizable app which could be distributed to end users. Microsoft writes applications based on Power Automate to demonstrate concepts (the Milestones and Bulletins apps are examples). Maybe something similar to allow users to request approval for self-service purchases would work?


Disable Self-Service Purchases for Power Platform Apps
https://office365itpros.com/2019/11/20/microsoft-releases-control-self-service-purchases/
Wed, 20 Nov 2019 09:39:10 +0000

MSCommerce PowerShell Module Now Available

Updated May 21, 2020 – see below


Microsoft got itself in quite a mess when it announced that users in Office 365 tenants would be able to make self-service purchases for the Power Platform. Some frantic backtracking resulted in a decision to postpone the introduction of the feature until January 14, 2020 and a commitment to deliver administrative controls to allow tenants to disable self-service purchases. Self-service purchase capabilities are not available for Office 365 Government, Nonprofit, and Education tenants.

Without any fuss, Microsoft quietly updated their self-service FAQ on November 19 with the statement that:

“Admins can also control whether users in their organization can make self-service purchases. For more information see Use AllowSelfServicePurchase for the MSCommerce PowerShell module.”

Subsequently, Microsoft published Office 365 notification MC196205 to announce the news.

Administrative control over self-service purchases is available through the MSCommerce PowerShell module. Version 1.2 of the module is the latest version, released via the PowerShell Gallery on November 15. This isn’t a particularly feature-rich or easy-to-use module, but it gets the job done.

Installing and Connecting

To install the module, start PowerShell as an administrator and run Install-Module. Then import the module and connect to the MSCommerce endpoint as shown below. You’ll be prompted for credentials: because you’re going to interact with the tenant configuration, make sure to use an account belonging to an Office 365 tenant or billing administrator. After connecting, run Get-Command to see the set of cmdlets loaded by the module.

Install-Module -Name MSCommerce -Scope AllUsers -Force
Import-Module MSCommerce
Connect-MSCommerce

Get-Command *-mscommerce*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Connect-MSCommerce                                 1.2        mscommerce
Function        Get-MSCommercePolicies                             1.2        mscommerce
Function        Get-MSCommercePolicy                               1.2        mscommerce

The MsCommerce endpoint only supports TLS 1.2, so make sure that your workstation supports this protocol.

Policy-Driven Management

As is the norm for many Office 365 management entities these days, control is exerted through policies. If you run the Get-MSCommercePolicies cmdlet, you’ll find that there’s only one policy defined, called AllowSelfServicePurchase.

Get-MSCommercePolicies | fl                                                          

Description  : This policy allows you to manage whether members of your organization can buy
               specified products using self-service purchasing. You can set this policy on a
               per-product basis.
PolicyId     : AllowSelfServicePurchase
DefaultValue : Enabled

Get-MSCommercePolicy -PolicyId AllowSelfServicePurchase | fl

Looking at the AllowSelfServicePurchase policy, we find:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase 
                    
ProductName    ProductId    PolicyId                 PolicyValue
-----------    ---------    --------                 -----------
Power Apps     CFQ7TTC0KP0P AllowSelfServicePurchase Enabled
Power BI Pro   CFQ7TTC0L3PB AllowSelfServicePurchase Enabled
Power Automate CFQ7TTC0KP0N AllowSelfServicePurchase Enabled

Disabling Self-Service Purchases for One or More Products

So we know that the three apps in the Power Platform are covered by this policy. There’s no granular disablement possible on an account basis; if you disable self-service purchases for a product, it’s off for everyone in the tenant. With that in mind, the Update-MSCommerceProductPolicy cmdlet is the way to disable self-service purchases. An inconsistency is that the other cmdlets report the enabled status as the PolicyValue property while this cmdlet uses the Enabled boolean as the control.

Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0P -Enabled $False
Update policy product success

ProductName ProductId    PolicyId                 PolicyValue
----------- ---------    --------                 -----------
Power Apps  CFQ7TTC0KP0P AllowSelfServicePurchase Disabled

To disable self-service for all three products, run the command for each product or run:

Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | ? {$_.PolicyValue -eq "Enabled" }| ForEach {Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $False }

Self Service Purchase User Request Workflow

Everyone loves a trier and the Microsoft team responsible for self-service purchases of Power Platform licenses are firmly in this category. Rebuffed in their first attempt to make self-service purchases available to all Office 365 tenants, Office 365 notification MC213897 (21 May) announces that in situations where tenants block self-service purchases, users will be able to request purchases of Power Platform licenses and have those requests added to a queue. Administrators can then review the request and assign licenses to users, if some are available in the tenant. If licenses aren’t available, Microsoft hopes that administrators will respond to user demand and buy some licenses. The feature will start rolling out in mid-June and is scheduled for completion in mid-July 2020.


Disabling Azure Active Directory Service Principal Might Block Power Platform Self-Service Purchases
https://office365itpros.com/2019/10/28/blocking-power-platform-self-service-purchases/
Mon, 28 Oct 2019 09:57:08 +0000

Lack of Control Over Self-Service Purchases Makes Office 365 Tenants Unhappy


Update: In an update to the self-service purchase FAQ posted on October 31, Microsoft announced that based on customer feedback, they will provide Office 365 tenants with a PowerShell-based method to turn off self-service purchasing on a per-product basis. They also said that the launch date for self-service purchases has been pushed out to January 14, 2020.

The unfavorable customer reaction to Microsoft’s decision to allow Office 365 users to make self-service purchases for Power Platform licenses (starting November 19 – Figure 1) hasn’t calmed down. Multiple people have weighed in on the subject in the Microsoft Technical Community, and none seem too pleased. Comments like “an underhanded money grab by Microsoft,” “unacceptable practice,” and “flipping unbelievable” are representative of the feedback seen there and on Twitter, Facebook, and other fora. A user voice on the topic has clocked up many votes since the announcement.

Figure 1: Microsoft announces self-service purchases for Power Platform apps

Anyone with an Azure Active Directory account in an Office 365 commercial tenant will be able to buy through self-service. It’s an oddity of the program that self-service purchases won’t be available to users in government, non-profit, or education sector tenants, possibly because Microsoft could run into difficulties if government users (in particular) started to buy their own software.

The biggest issue is the lack of control for tenant administrators. Simply put, introducing a feature to allow employees of a company to buy their own licenses for tools that might be unapproved by the organization is unacceptable, especially when the organization has no way of blocking these purchases. In one way, it’s like Microsoft is endorsing shadow IT on one hand while advocating the use of tools like Cloud App Security to discover and suppress shadow IT on the other.

An Unhelpful Self-Service Purchases FAQ

Microsoft’s FAQ about self-service purchases published on October 25 isn’t really much help. It smells like a hastily put-together document that tries to put lipstick on a pig. Bland marketing assertions like “The intent of the self-service purchase option is to enable users to develop their own solutions to unlock productivity and drive business impact, while respecting organizations’ data governance and compliance” don’t address tenant concerns. No evidence is offered to prove the existence of “increased demand from both users and organizations to enable users to buy subscriptions on their own.”

Blather, Fud, and Incoherence

Buried in the FAQ is an incoherent statement saying: “We’re being responsive to our customers who have requested this capability while allowing admins to maintain control over the services and respecting data governance and compliance. To learn more about managing Azure AD service principals, see Set-MsolServicePrincipal.”

Figure 2: An extract from the FAQ about Self-Service Purchases for Power Platform apps

First, apart from allowing admins to see when self-service purchases are made, there’s no evidence that Microsoft is giving admins control over the services. The comment about respecting data governance and compliance is surely nonsensical in the light of poor organization oversight and no ability to block these purchases. Allowing self-service purchases drives a coach and horses through the governance that a tenant is entitled to exert if it says that its policy is that all software purchases must go through corporate procurement. Just what compliance happens in that case?

A Buried Hint?

The comment about Azure Active Directory Service Principals hangs out there on its own and doesn’t appear to have anything to do with self-service purchases, unless someone put the sentence into the FAQ to mean that self-service purchases might depend on a service principal that a tenant can disable to block purchases. Service principals exist to allow apps and services to access Azure services in a controlled manner. If you look in your tenant, you might find that more service principals exist than you expect or know about.

I looked in my tenant and used a PowerShell script (below) to discover the set of service principals holding Azure Active Directory roles within the tenant.

# Report Service Principals holding Azure AD admin roles
$Roles = Get-MSolRole
ForEach ($Role in $Roles) {
    $RoleMembers = $Null
    $RoleMembers = (Get-MsolRoleMember -RoleObjectId $Role.ObjectId)
    If ($RoleMembers) {
        ForEach ($RoleMember in $RoleMembers) {
            If ($RoleMember.RoleMemberType -eq "ServicePrincipal") {
                Write-Host $Role.Name "service principal:" $RoleMember.DisplayName
            }
        }
    }
}

Company Administrator service principal: Microsoft Rights Management Services
Directory Readers service principal: Power BI Service
Directory Readers service principal: Office 365 Yammer
Directory Readers service principal: Cogmotive Reports
Directory Readers service principal: O365SecureScore
Directory Readers service principal: MS-PIM
Directory Readers service principal: MicrosoftAzureActiveAuthn
Directory Writers service principal: O365trustportal
Directory Writers service principal: O365 Secure Score

If you prefer to use the Azure AD cmdlets, the code is:

# Report Service Principals holding Azure AD admin roles
$Roles = Get-AzureADDirectoryRole
ForEach ($Role in $Roles) {
    $RoleMembers = $Null
    $RoleMembers = (Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId)
    If ($RoleMembers) {
        ForEach ($RoleMember in $RoleMembers) {
            If ($RoleMember.ObjectType -eq "ServicePrincipal") {
                Write-Host $Role.DisplayName "service principal:" $RoleMember.DisplayName
            }
        }
    }
}

Some of the role assignments seem to be duplications (like the two for Office 365 Secure Score). All except one hold the Directory Readers role, which means that they can read Azure Active Directory for information. The exception is Rights Management, which has full administrative rights.

A Route to the Solution?

The point is this: it may be the case that self-service purchases depend on a service principal that reads Azure Active Directory to confirm that someone belongs to a tenant. If so, disabling that service principal by removing its assignment to the Directory Readers role should be enough to knock self-service purchases on the head.

Wouldn’t it be delicious if a hint dropped in the FAQ turned out to be the way to the block that administrators want, and Microsoft is curiously reluctant to deliver? I’ve created a To Do task to remind myself to check this out on November 19.

