The Risks of Self-Service Purchase Options

Recently Microsoft announced a self-service purchase option for its Power Platform products (Power BI, Power Automate (Flow) and Power Apps), and the announcement caused quite a stir in the IT world. Self-service purchase options are not new (Salesforce offers one, for example), but compliance officers, software licensing departments and IT managers raised their eyebrows at the news. After consulting 'the market', Microsoft decided to make some adjustments. Prompted by that news, in this article I would like to share some thoughts on the compliance risks of self-service purchase options.

Keeping control
The reason so many people raised their eyebrows was Microsoft's announcement that the self-service purchase option would be enabled by default on all cloud tenants and could not be turned off by administrators. Organizations would therefore have no choice about whether or not to offer this option to their users, and with no way to switch it off they would lose control over cloud purchases. Yes, true, as Microsoft pointed out, cloud administrators could look in the Microsoft 365 Admin Center and 'discover' which employees had subscribed to which service. But that discovery would be 'by accident', because, as we all know, administrators do not have the Microsoft 365 Admin Center as their browser's home page.
Control over cloud subscriptions could be lost entirely, with a string of compliance risks to follow. Luckily Microsoft has since made adjustments that give administrators the option to turn the self-service purchase option off for the entire organization, although it has to be done through PowerShell scripting. A simple 'on/off' button in the admin center would be nicer.
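For administrators who want to apply that change, here is an added example (not code from the original article) of the PowerShell involved, using Microsoft's MSCommerce module from the PowerShell Gallery. It assumes the module can be installed on the admin workstation, that the signed-in account holds the Global Administrator or Billing Administrator role, and that the policy is exposed under the name AllowSelfServicePurchase with product entries carrying ProductName, ProductId and PolicyValue properties, as the module documents. Rather than hard-coding product IDs, it enumerates every product that has its own self-service setting and disables each one, then verifies the result.

```powershell
# Added example: turn self-service purchase off for every product that offers it.
# Assumes the MSCommerce module (PowerShell Gallery) and a Global or Billing admin account.
Install-Module -Name MSCommerce -Scope CurrentUser   # first time only
Import-Module -Name MSCommerce

# Interactive sign-in to the Microsoft commerce endpoint
Connect-MSCommerce

$policyId = 'AllowSelfServicePurchase'

# Tenant-wide default for the policy (DefaultValue Enabled means self-service is on)
Get-MSCommercePolicy -PolicyId $policyId

# Enumerate the per-product settings instead of hard-coding product IDs,
# so products Microsoft adds to the program later are covered as well
$before = Get-MSCommerceProductPolicies -PolicyId $policyId
$before | Format-Table ProductName, ProductId, PolicyValue

# Disable self-service purchase for each product that is still enabled
foreach ($product in $before | Where-Object { $_.PolicyValue -eq 'Enabled' }) {
    Set-MSCommerceProductPolicy -PolicyId $policyId -ProductId $product.ProductId -Enabled $false
}

# Verify: anything still reported as Enabled needs a second look
$stillEnabled = Get-MSCommerceProductPolicies -PolicyId $policyId |
    Where-Object { $_.PolicyValue -eq 'Enabled' }
if ($stillEnabled) {
    $stillEnabled | Format-Table ProductName, ProductId, PolicyValue
} else {
    Write-Host "Self-service purchase is disabled for all $($before.Count) products."
}
```

Two caveats worth keeping in mind: disabling the policy only blocks future purchases, so any subscriptions employees have already bought remain in place and still need to be found and reviewed in the admin center, and because Microsoft can add products to the self-service program over time, the enumeration above is worth re-running periodically rather than treating the change as a one-off.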


Double costs
Besides the compliance risk, there is also a financial risk. Because most users have no idea which subscriptions the company already 'owns', employees might subscribe to a service the organization is already paying for, which means paying twice. At the same time, once a substantial share of subscriptions is bought through self-service, the organization can no longer consolidate its cloud subscriptions and negotiate a financially attractive contract with Microsoft or a Microsoft partner.

Shadow IT
Let's take this one step further than the self-service purchase option from Microsoft or other vendors. Even without a self-service purchase option, employees still subscribe to apps and services. When an individual, a business department or a subsidiary needs IT services and the IT department cannot supply the necessary resources in time, people tend to swipe their (business) credit card and buy online. The organization is lucky if it knows which departments or individuals do so, but most of the time it does not. Often those cloud subscriptions are only discovered during the investigation phase of a Software Asset Management (SAM) project or a managed subscription service. We call this 'shadow IT', and, again, it is both a compliance and a financial risk for the organization.

Subscription for all
Another financial and compliance risk, again with Microsoft as the example. Microsoft offers some cloud services which, after a single subscription is bought, become available to all users in the tenant, such as Advanced Threat Protection or Azure AD Premium. Customers only need subscriptions for the users who actually benefit from the service. But what happens when other users, who have no subscription, find out about the new possibilities, or when the architecture makes the service available 'to all' by default? Usage then spreads beyond the licensed users, and the organization is out of compliance without anyone having decided to be.

Governance
Let's face the truth: not everything can be foreseen, and self-service purchasing or shadow IT cannot be banned outright. But defining an 'IT must support the business' strategy that actually supports the business is a good start, followed by defined governance and its implementation in the organization. Software Asset Management can help. SAM is not only about licensing; it covers people and processes as well, as defined in the ISO/IEC 19770-1:2017 (IT Asset Management) standard. If you want to learn more about Modern Software Asset Management and how it can help prevent compliance and financial risks, and more importantly how it can help your business modernize with IT, talk to me or one of my peers at ModernSAM.

November, 2019