As an administrator, you can determine whether users in your organization can make self-service purchases or signups to get their own license.
With Microsoft’s recent announcement of self-service trials for MS Teams Premium, administrators are actively searching for cmdlets or scripts to block self-service purchase. This urgency arises from the fact that, once users sign up, administrators must subsequently cancel or delete the self-service purchased subscription—a task that is considered unnecessary and time-consuming.
But what’s the difference between self-service sign-up subscriptions and self-service purchases? Many people confuse one with the other. Let’s explore them in detail.
Self-service Purchase vs Self-service Signup Subscription:
Self-service purchase and self-service sign-up subscriptions differ primarily in cost and product availability.
Self-service purchase subscriptions: They require users to pay for their subscriptions, and they manage billing and renewals themselves. These subscriptions are available for a specific set of products.
Self-service sign-up subscriptions: They are free and offer a larger list of available products. Users can sign up and use these services without any cost or the need to handle billing.
Let’s see how to prevent users from self-service purchase and signup.
Block Self-service Purchase in Microsoft 365:
Microsoft continues to introduce new products to the self-service feature, causing headaches for admins who must disable each Office 365 product individually. This has led administrators to constantly monitor new self-service purchase announcements for products and take action to block them.
You can use either PowerShell or the Microsoft 365 admin center to block self-service purchases.
The Problem with MSCommerce PowerShell Module:
While this can be accomplished using the ‘MSCommerce’ PowerShell module, many administrators are dissatisfied with it due to several issues, including:
- Limited Compatibility: The MSCommerce module only supports PowerShell 5 or older versions and doesn’t offer compatibility with the latest PS 6.x/7.x.
- Lack of Variable Pipelining Support: The latest MSCommerce module lacks support for variable pipelining.
- Non-Interactive Login Constraints: It doesn’t allow for non-interactive login, making it impossible to schedule the script to run periodically.
You can’t disable self-service purchases for Microsoft cloud-based apps and services at a tenant level; you need to disable them for each product individually. Additionally, whenever a new product is introduced, it will be in an enabled state. You will need to update the settings for each new product release.
As a simple solution, you can download and run the script below to block self-service purchase.
Download Script: DisableSelfServicePurchase.ps1
You can use the following format to execute the script.
.\DisableSelfServicePurchase.ps1
It will disable the self-service purchase capability for all current products.
Manage Self-Service Purchases and Trials for Each Product:
Additionally, administrators can fine-tune the self-service capability on a per-product basis using the MSCommerce PowerShell module. It includes a PolicyID for each product under the AllowSelfServicePurchase parameter, allowing precise control over whether users in your organization can make purchases or start trials.
You can check our comprehensive guidance on how to manage self-service purchase capabilities for each product effectively.
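Because every newly released product arrives enabled, a per-product audit is worth rerunning after each announcement. The following is an added example, not the DisableSelfServicePurchase.ps1 script above and not Microsoft's code; it assumes the rows returned by Get-MSCommerceProductPolicies expose ProductName, ProductId and PolicyValue, and that the installed module accepts either -Value or -Enabled on Update-MSCommerceProductPolicy.

```powershell
#Requires -PSEdition Desktop
# Added example: report products that still allow self-service purchase or
# trials, and disable them only when -Enforce is passed.
param([switch]$Enforce)

Import-Module MSCommerce -ErrorAction Stop
Connect-MSCommerce   # interactive sign-in only

$policyId = 'AllowSelfServicePurchase'

function Get-OpenProduct {
    # Assumption: each row carries ProductName, ProductId and PolicyValue,
    # and a fully blocked product reports PolicyValue 'Disabled'.
    Get-MSCommerceProductPolicies -PolicyId $policyId |
        Where-Object { $_.PolicyValue -ne 'Disabled' }
}

$open = @(Get-OpenProduct)
Write-Host ("{0} product(s) not set to Disabled." -f $open.Count)
$open | Sort-Object ProductName |
    Format-Table ProductName, ProductId, PolicyValue -AutoSize | Out-Host

if ($Enforce -and $open.Count -gt 0) {
    # Assumption: older module builds expose -Enabled, newer ones -Value.
    $params = (Get-Command Update-MSCommerceProductPolicy).Parameters
    foreach ($p in $open) {
        $splat = @{
            PolicyId    = $policyId
            ProductId   = $p.ProductId
            ErrorAction = 'Stop'
        }
        if ($params.ContainsKey('Value')) { $splat.Value = 'Disabled' }
        else { $splat.Enabled = $false }
        try {
            Update-MSCommerceProductPolicy @splat | Out-Null
        } catch {
            Write-Warning ("{0} ({1}): {2}" -f $p.ProductName, $p.ProductId, $_.Exception.Message)
        }
    }
    # Re-read the policy instead of trusting the update calls.
    $left = @(Get-OpenProduct)
    Write-Host ("{0} product(s) still not Disabled after enforcement." -f $left.Count)
}
```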
With the December 2023 update, admins can receive notifications in the Admin Center when users start trials, ensuring they stay informed about trial initiations. You can also manage self-service purchases from the M365 admin center.
Globally Block Self-service Signup Subscription in M365:
Apart from disabling self-service purchases, admins need to disable self-service sign-up subscriptions as well if they want users to use only assigned licenses for compliance and security needs. Unlike self-service purchases, you can disable self-service sign-up subscriptions organization-wide. To disable Microsoft self-service sign-ups in Microsoft 365, you can simply execute the cmdlet below.
Update-MgPolicyAuthorizationPolicy -AllowedToSignupEmailBasedSubscriptions $false
Note: You must install and connect to the MS Graph PowerShell module before running the cmdlet.
To check tenant-wide self-service status, execute the following cmdlet.
Get-MgPolicyAuthorizationPolicy | Select-Object AllowedToSignUpEmailBasedSubscriptions
If the value is set to $true, self-service capability is enabled. If the value is set to $false, self-service signup for subscriptions is disabled.
At any time, administrators have the flexibility to enable self-service sign-up based on the organization’s requirements. To enable it, you can utilize the following cmdlet:
Update-MgPolicyAuthorizationPolicy -AllowedToSignupEmailBasedSubscriptions $true
Thus, admins can also enable or disable self-service signup using the Entra ID PowerShell module.
I hope this blog will help you block self-service signup and purchase. If automatic license assignment is your preferred method and you have no option other than that, utilizing auto-claim policies in Microsoft 365 can be an effective approach to ensure optimal license usage. If you have any queries, reach us through the comment section.