Recently, Microsoft announced a self-service purchase option for its Power Platform products (PowerBI, Power Automate and PowerApps) that has shaken up the IT world a bit. Although self-service purchasing options are not new (Salesforce offers them, for example), compliance officers, software licensing purchasing departments and IT managers frowned at the news.
Based on feedback from the "market", Microsoft therefore decided to make some adjustments. In this regard, I would like to share my thoughts on the compliance risks of self-service purchasing options with you.
The reason many people frowned was Microsoft's announcement that the self-service purchase option would be a default setting on all cloud tenants and could not be switched off by administrators. This meant that companies would have no choice about whether or not to offer this option to their users. Without the ability to "turn off" the option, companies would lose control over the purchase of cloud services. Cloud administrators could look into the Microsoft 365 Admin Center and "find out" which employees had subscribed to which service. So the discovery would be "accidental" because, as we all know, administrators do not have the Microsoft 365 Admin Center as their default internet site.
Control over cloud subscriptions could be completely lost, creating many compliance risks. Fortunately, Microsoft has made some adjustments to allow administrators to decline the self-service purchase option for the entire enterprise, although this must be done through PowerShell scripting. It would be nice if there were an "on/off" button for this.
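One way to script this with Microsoft's MSCommerce PowerShell module, as an added example that is not part of the original post: it reports the `AllowSelfServicePurchase` policy for every product and disables the ones still enabled only when called with `-Apply`. The function name `Set-SelfServicePurchaseOff` and the `-Apply` switch are made up for this example, and the signed-in account is assumed to have sufficient admin rights on the tenant.

```powershell
# Added example (not from the original post).
# One-time setup: Install-Module -Name MSCommerce -Scope CurrentUser
Import-Module MSCommerce
Connect-MSCommerce   # interactive sign-in with an admin account

function Set-SelfServicePurchaseOff {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Without -Apply the function only reports what it would change.
        [switch]$Apply
    )

    $policyId = 'AllowSelfServicePurchase'

    # One entry per product that supports self-service purchase.
    $products = Get-MSCommerceProductPolicies -PolicyId $policyId

    foreach ($product in $products) {
        $action = 'None (already disabled)'

        if ($product.PolicyValue -eq 'Enabled') {
            if ($Apply) {
                Update-MSCommerceProductPolicy -PolicyId $policyId `
                    -ProductId $product.ProductId -Enabled $false | Out-Null
                $action = 'Disabled now'
            }
            else {
                $action = 'Would disable (re-run with -Apply)'
            }
        }

        # Emit a record per product so the run can be kept as audit evidence.
        [pscustomobject]@{
            ProductName = $product.ProductName
            ProductId   = $product.ProductId
            WasEnabled  = ($product.PolicyValue -eq 'Enabled')
            Action      = $action
        }
    }
}

# Dry run first, then enforce and keep the result as a record.
Set-SelfServicePurchaseOff | Format-Table -AutoSize
Set-SelfServicePurchaseOff -Apply |
    Export-Csv -Path .\self-service-purchase-policy.csv -NoTypeInformation
```

The policy is set per product, so products that later become eligible for self-service purchase are not covered until the script is run again; scheduling the dry run and reviewing its output catches them.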
Besides the compliance risk, there is also a financial risk. Since most users have no knowledge of the subscriptions they already "own", these same employees may simply subscribe to a service that the organisation is already paying for. This would mean double costs. At the same time, with a high proportion of self-service purchases, organisations would not have the opportunity to consolidate their cloud subscriptions and negotiate a financially attractive contract with Microsoft or a Microsoft partner.
Let's go a step further than the self-service purchase option from Microsoft or other providers, because even without a self-service purchase option, employees can still subscribe to apps and services. When an individual, a business department or a subsidiary needs IT services and the IT department is not able to provide the necessary resources in a timely manner, employees tend to pull out their (business) credit card and buy online.
The organisation is lucky if it knows these departments or people, but most of the time it does not. It is only after an investigation during a Software Asset Management (SAM) project (or managed subscription) that these cloud subscriptions are discovered. We call this "shadow IT" and - once again - this is both a compliance and a financial risk for the company.
Another financial and compliance risk, using Microsoft as an example: the company offers some cloud subscriptions, such as Advanced Threat Protection or Azure Active Directory Premium, that are available to all users within the tenant after only one subscription. Customers only need subscriptions for the users who actually benefit from the service. But what happens when users without subscriptions find out about these new capabilities, or see through the default architecture that the service is available "to all"?
Let's face it: not everything is predictable, and self-service purchasing or shadow IT cannot be banned. But defining an "IT-must-support-our-business" strategy that actually supports the business would be a good start, followed by defined governance and its subsequent implementation in the organisation. Software Asset Management can help with this. SAM is not only about the licensing part, but also about people and processes, as defined in the ISO/IEC 19770-1:2017 (IT Asset Management) standard.
Want to learn more about modern software asset management?
Contact me or my colleagues in the Modern SAM team and find out how to avoid compliance and financial risks and modernise your business through IT.