RSS – PostsMicrosoft are releasing more and more application services as part of the Office365 platform. Its getting harder and harder to keep pace with the development and release cycle and new products seem to be launching month on month. Just recently we have seen the release of Microsoft Stream, Microsoft Forms, Staff Hub and Microsoft Flow to name but only a few. These services are part of almost every Enterprise plan with Office 365.
You may have assigned full E1,E3 or E5 licences to your users with a view of letting them become drunk on Office 365. However, most of you will undoubtedly have sub licenced your E plans so that users are only licenced for business approved Office 365 services. However, the default settings of Office 365 mean that a user can visit a services page such as Power BI, Microsoft Stream etc. and use their corporate credentials to sign up to these services.
Unbeknownst to you and the business, users can be consuming features that have yet to be baked into your business process. This could cause issues as a result. In order to prevent these ad-hoc sign ups there is a tenant setting accessible by PowerShell to disable this feature
You will need the Azure AD PowerShell module installed, then log in via PS and execute this command
Set-MsolCompanySettings –AllowAdHocSubscriptions $False
Now a user with selective licence assignments won’t be able to sign up for services that they have not been assigned to by an admin. Here we see a user that is only licenced for ProPlus
Now, when this user tries to sign up to Microsoft Stream for instance at https://stream.microsoft.com this is what happens
and when we try and complete the sign up the user is presented with a failure screen
This is a tenant setting that will affect all users, at the moment there appears to be no way to limit this to a user or sub group.
Mark is an Independent Microsoft Teams Consultant with over 15 years experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference and former MVP. You can follow him on twitter @UnifiedVale
Excellent article.
Is there a way to determine the current settings of the tenant.
There is no PowerShell cmdlet – Get-MsolCompanySettings – that I can use to see the settings.
Is it available in the Portal somewhere? I would like to check before setting configuration in my Production tenant of course.
Hi Terry
You can check the status by using this PowerShell Command
Get-MsolCompanyInformation | Select AllowAdhocSubscriptionsThanks
Doesn’t block Flow or PowerApps
Thanks Michel, Flow and PowerApps I didn’t test them, but the others worked ok. So I amend the above to say that these can be disabled by disallowing sign in via Azure AD in a similar way to this post here: https://three65.blog/2017/08/17/prevent-web-client-access-to-microsoft-teams/ replacing Teams with Flow and PowerApps services respectively.
Paul checked some more scenarios
https://practical365.com/blog/managing-adoption-of-office-365-by-controlling-access-to-apps/
[…] bron […]