Posey's Tips & Tricks
How To Block Self-Service Purchasing in Microsoft's Power Platform
Microsoft threw Office 365 admins a bone when it gave them the ability to block users from purchasing Power Platform tools without IT approval. Here's how to prevent total anarchy.
This fall, Microsoft made what could only be described as a "What were they thinking?" decision when it decided to allow end users to make self-service purchases of tools within the Office 365 Power Platform. For those who might not be familiar with the Power Platform, it includes Office 365 applications such as Power BI Pro, Power Automate and Power Apps.
Microsoft's decision to allow end users to circumvent their corporate IT department and purchase Power Platform tools understandably had administrators up in arms. Forums dedicated to the topic were suddenly filled with questions questioning Microsoft's sanity.
Thankfully, Microsoft listened to its customers -- well, sort of. While Microsoft has not completely reversed its decision to let users make self-service Power Platform tool purchases, the company has given administrators a way to block end user purchases.
I will show you how to turn off the self-service purchasing option in just a moment. Before I do, though, I want to quickly point out that the ability for users to make self-service purchases remains enabled by default. Therefore, if you want to keep users from making tool purchases, you will need to perform the procedure that I am about to show you.
If you want to disable self-service purchases in your own organization, you will have to delve into PowerShell. Go ahead and open an elevated PowerShell session.
The mechanism for disabling self-service purchases is not natively included in PowerShell. Instead, it is included in an external PowerShell module called MSCommerce. Before you can configure the self-service purchasing option, you will have to install the MSCommerce PowerShell module. To do so, enter the following command:
Install-Module -Name MSCommerce
With the module installed, the next step is to import it into your PowerShell session. The command for doing so is:
Import-Module -Name MSCommerce
The next step in the process is to connect the module to the Azure Active Directory tenant. To do so, just enter the Connect-MSCommerce cmdlet and then enter your credentials if necessary. You can see what this looks like in Figure 1.
Upon entering your credentials, PowerShell should display a message indicating that you have successfully established a connection. Now, enter the following command:
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase
As you can see in Figure 2, this command will show you the product ID and the policy value for the various Power Platform tools. In other words, the results will tell you whether users are currently allowed to make self-service purchases.
As you look at Figure 2 above, you can see that self-service purchasing is currently enabled. To disable self-service purchasing, you will need to enter a command like this one:
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId <product ID number> -Enabled $False
In the previous figure, for example, you can see that the product ID for Power Automate is CFQ7TTC0KP0N. Therefore, if you wanted to disable self-service purchasing for Power Automate, the command would be:
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $False
If you look at Figure 3, you can see that the policy value for Power Automate is now set to Disabled, indicating that self-service purchasing is no longer allowed for the product. You can re-enable self-service purchasing by repeating the command and changing $False to $True.
As you work through the procedure for disabling self-service tool purchases for end users, the most important thing to remember is that you will have to configure each tool individually. You can do this by repeating the command that I showed you (entering a different product ID each time). You could also conceivably create a simple script that retrieves the product IDs automatically, and then disables self-service purchases for each of the product IDs.
Brien Posey is a 16-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.