With Microsoft’s recent announcement of self-service trials for MS Teams Premium, administrators are actively searching for cmdlets or scripts to block self-service purchase. This urgency arises from the fact that, once users sign up, administrators must subsequently cancel or delete the self-service sign-up subscription—a task that is considered unnecessary and time-consuming.
The Never-ending Cycle of Disabling Self-service Purchase Capability:
Microsoft continues to introduce new products to the self-service feature, causing headaches for admins who must disable each Office 365 product individually. This has led administrators to constantly monitor new self-service purchase announcements for products and take action to block them.
Since there is no user interface option to disable this capability, PowerShell becomes the only solution.
The Problem with MSCommerce PowerShell Module:
While this can be accomplished using the ‘MSCommerce’ PowerShell module, many administrators are dissatisfied with it due to several issues, including:
- Limited Compatibility: The MSCommerce module only supports PowerShell 5 or older versions and doesn’t offer compatibility with the latest PS 6.x/7.x.
- Lack of Variable Pipelining Support: The latest MSCommerce module lacks support for variable pipelining.
- Non-Interactive Login Constraints: It doesn’t allow for non-interactive login, making it impossible to schedule the script to run periodically.
Are you waiting for a one-stop solution? Yes, there is a way. You can disable self-service sign-up for Microsoft cloud-based apps and services at a tenant level. Once configured, you won’t need to update the settings for each new product release.
Globally Block Self-service Purchase in Microsoft 365:
To disable Microsoft self-service signups in Microsoft 365, you can simply execute the below cmdlet.
|
1 |
Set-MsolCompanySettings -AllowAdHocSubscriptions $false |
Note: You must install the MSOnline module before running the cmdlet. To install and connect to MSolService, run the below code.
Install-Module MSOnline
Import-Module –Name MSOnline
Connect-MsolService
To check tenant-wide self-service status, execute the following cmdlet.
|
1 |
Get-MsolCompanyInformation | fl AllowAdHocSubscriptions |
If the value is set to $true, self-service capability is enabled. If the value is set to $false, self-service trial and purchase are disabled.
At any time, administrators have the flexibility to enable self-service sign-up based on the organization’s requirements. To enable it, you can utilize the following cmdlet:
|
1 |
Set-MsolCompanySettings -AllowAdHocSubscriptions $true |
Thus, admins can enable or disable self-service signup using Azure AD PowerShell module.
Manage Self-Service Purchases and Trials for Each Product:
Additionally, administrators can fine-tune the self-service capability on a per-product basis using the MSCommerce PowerShell module. It includes a PolicyID for each product under the AllowSelfServicePurchase parameter, allowing precise control over whether users in your organization can make purchases or start trials.
You can check our comprehensive guidance on how to manage self-service purchase capabilities for each product effectively.
With the December 2023 update, admins can receive notifications in the Admin Center when users start trials, ensuring they stay informed about trial initiations.
No Microsoft Graph Equivalent Cmdlet to Turn Off Self-service Purchase in M365!
There is currently no Microsoft Graph equivalent cmdlet available for org-wide managing the self-service capability, such as Set-MsolCompanySettings -AllowAdHocSubscriptions $false. While Microsoft recommends users migrate from AzureAD PowerShell modules to Microsoft Graph, this particular functionality is not yet supported within the MS Graph.
Administrators are hopeful that Microsoft will provide an alternative Microsoft Graph cmdlet for this purpose before the eventual deprecation of the MSOnline module. Additionally, administrators are looking forward to having user-friendly UI-based settings to configure self-service purchase capabilities more easily.
I hope this blog will help you block self-service purchases tenant-wide with a single cmdlet. If automatic license assignment is your preferred method and have no option other than that, utilizing auto-claim policies in Microsoft 365 can be an effective approach to ensure optimal license usage. If you have any queries, reach us through the comment section.
Also Read: Top 5 Microsoft 365 features every admin wants to disable
