Disable self-service purchase for Microsoft 365 Copilot
The permission democratization is a great things, but it can also be a security risk if not used properly. You can disable self-service purchase for Microsoft 365 Copilot to prevent users from purchasing subscriptions directly from Microsoft.
I recommend to disable all self-service purchase until you understand the implications and have a process in place to manage it.
Here is how you can do disable self-service purchase for Microsoft 365 Copilot:
Prerequisites
- Billing Administrator or Global Administrator role in Azure AD
List all services with self-service purchase enabled
- Open a PowerShell console.
- Run the following command to list all services with self-service purchase enabled:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Install the MSCommerce module
Install-Module -Name MSCommerce
# Allow the module to be imported
Set-ExecutionPolicy RemoteSigned
# Import the module
Import-Module MSCommerce
# Connect to the MSCommerce service
Connect-MSCommerce
# List all services with self-service purchase enabled
Get-MSCommerceProductPolicies -PolicyID AllowSelfServicePurchase
Disable Microsoft 365 Copilot self-service purchase
1
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0MM8R -Enabled $False
Disable all services self-service purchase
1
2
3
Get-MSCommerceProductPolicies -PolicyID AllowSelfServicePurchase | ForEach-Object {
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductId -Enabled $False
}
This post is licensed under CC BY 4.0 by the author.