Prevent User Subscriptions to Office365 Services

Microsoft are releasing more and more application services as part of the Office365 platform. Its getting harder and harder to keep pace with the development and release cycle and new products seem to be launching month on month. Just recently we have seen the release of Microsoft Stream, Microsoft Forms, Staff Hub and Microsoft Flow to name but only a few. These services are part of almost every Enterprise plan with Office 365.

You may have assigned full E1,E3 or E5 licences to your users with a view of letting them become drunk on Office 365. However, most of you will undoubtedly have sub licenced your E plans so that users are only licenced for business approved Office 365 services. However, the default settings of Office 365 mean that a user can visit a services page such as Power BI, Microsoft Stream etc. and use their corporate credentials to sign up to these services.

Unbeknownst to you and the business, users can be consuming features that have yet to be baked into your business process. This could cause issues as a result. In order to prevent these ad-hoc sign ups there is a tenant setting accessible by PowerShell to disable this feature

You will need the Azure AD PowerShell module installed, then log in via PS and execute this command

Set-MsolCompanySettings –AllowAdHocSubscriptions $False

image

Now a user with selective licence assignments won’t be able to sign up for services that they have not been assigned to by an admin. Here we see a user that is only licenced for ProPlus

image

Now, when this user tries to sign up to Microsoft Stream for instance at https://stream.microsoft.com this is what happens

image

and when we try and complete the sign up the user is presented with a failure screen

image

This is a tenant setting that will affect all users, at the moment there appears to be no way to limit this to a user or sub group.

Advertisements

5 comments

  1. Excellent article.
    Is there a way to determine the current settings of the tenant.
    There is no PowerShell cmdlet – Get-MsolCompanySettings – that I can use to see the settings.
    Is it available in the Portal somewhere? I would like to check before setting configuration in my Production tenant of course.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s