How to Block Ad-Hoc Email-Based Subscriptions

No MSOL Module, So How Can You Block Email-Based Subscriptions

By now, I assume that every Microsoft 365 tenant administrator knows about the deprecation of the MSOL and AzureAD PowerShell modules. The MSOL module is already retired; the Azure AD module will be retired any day now. Some of the cmdlets in the modules have already stopped working because of the withdrawal of a dependent service.

Which brings me to a note I read in a Microsoft article the other day solemnly informing me that I should block users from signing up for “viral” trial subscription of Copilot Studio by running the Set-MsolCompanySettings cmdlet to block ad-hoc or email-based subscriptions as follows:

Set-MsolCompanySettings -AllowAdHocSubscriptions $False

Of course, the cmdlet is now retired and unavailable, but as the page hasn’t been updated since October 2024, it strikes me that perhaps people haven’t noticed.

In any case, it’s terrifically difficult to maintain total accuracy in documentation for an area that is in a state of constant flux. After coping with change in Microsoft 365 for the last ten years to keep the Office 365 for IT Pros eBook updated, I think I’m an authority on this topic.

The more important issue raised by the documentation deficiency is what is the replacement for the Set-MsolCompanySettings cmdlet? There’s no mention of the cmdlet in Microsoft’s change map page, which helps people find equivalent commands in the Microsoft Graph PowerShell SDK.

No Block for Copilot Studio in the Microsoft 365 Admin Center

It all depends on what you want to do. In this case, the advice given in the page is how to block ad-hoc subscriptions of the type that Copilot Studio allows people to sign up for over a 60-day period. Although Microsoft 365 Copilot is on the list, Copilot Studio is not one of the products governed by the self-service settings in the Microsoft 365 admin center (Figure 1), so Copilot Studio can’t be blocked here or by using the MSCommerce PowerShell module. Copilot Studio uses email-based subscriptions to allow anyone to sign up using an Entra ID or other account, so that’s probably why it’s not on the self-service trials list.

Some of the products governed by self-service settings in the Microsoft 365 admin centre.
Figure 1: Some of the products governed by self-service settings in the Microsoft 365 admin centre

Use the Entra Authorization Policy to Block Email-Based Subscriptions

This brings us to the Entra ID authorization policy. Using the Get-MgPolicyAuthorizationPolicy cmdlet (the Microsoft Graph PowerShell SDK cmdlet that maps the Get method for the resource) to examine the policy settings for my tenant, I see:

Get-MgPolicyAuthorizationPolicy | Format-List

AllowEmailVerifiedUsersToJoinOrganization : False
AllowInvitesFrom                          : everyone
AllowUserConsentForRiskyApps              : False
AllowedToSignUpEmailBasedSubscriptions    : True
AllowedToUseSspr                          : True
BlockMsolPowerShell                       : True
DefaultUserRolePermissions                : Microsoft.Graph.PowerShell.Models.MicrosoftGraphDefaultUserRolePermissions
DeletedDateTime                           :
Description                               : Used to manage authorization related settings across the company.
DisplayName                               : Authorization Policy
GuestUserRoleId                           : 2af84b1e-32c8-42b7-82bc-daa82404023b

The formal documentation for Set-MsolCompanySettings is no longer available, but some source text in GitHub defines the use of AllowAdHocSubscriptions as “to allow users to sign up for email based subscriptions.” That seem to match the AllowedToSignUpEmailBasedSubscriptions setting, so let’s see what happens if I update the setting to false by running the Update-MgPolicyAuthorizationPolicy cmdlet:

Update-MgPolicyAuthorizationPolicy -AllowedToSignUpEmailBasedSubscriptions:$false

The Policy.Read.All permission is required to read the policy settings, and the Policy.ReadWrite.Authorization permission is required to update policy settings.

After updating the policy settings, I removed the Microsoft 365 Copilot license from a user account. This license contains a service plan for Copilot Studio. Removing the license means that the user is forced to take out an email-based subscription to use Copilot Studio.

After going to the Copilot Studio page, the user can click the Try for free button to start their trial. After proving that they’re a human, the process detects that the user has an Entra ID account and asks them to sign in. After signing in, Entra ID checks the tenant authorization policy and declines to go further to complete the email-based subscription because of the policy block (Figure 2).

No way to sign-up for Copilot Studio because email-based subscriptions are blocked.
Figure 2: No way to sign-up for Copilot Studio because email-based subscriptions are blocked

To revert, update the setting to true.

Update-MgPolicyAuthorizationPolicy -AllowedToSignUpEmailBasedSubscriptions:$true

The user can now complete the sign-in process and access Copilot Studio (Figure 3).

Email-based subscription succeeded and access granted to Copilot Studio.
Figure 3: Email-based subscription succeeded and access granted to Copilot Studio

No One-to-One Mapping for the Old Cmdlet

My original question asked what is the replacement for the Set-MsolCompanySettings cmdlet? The answer is that there isn’t a single 1:1 replacement. The Entra ID authorization policy takes care of authorization settings for the tenant, such as email-based subscriptions and whether the tenant allows self-service password reset (SSPR). Some of the other settings are supported in the Entra admin center UX. As to changing tenant id or setting the default usage location for user accounts, I’ll have to go searching…


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

One Reply to “How to Block Ad-Hoc Email-Based Subscriptions”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.