Terms of use in Azure Active Directory - Microsoft Entra (2023)


Azure AD Terms of Use policies provide a simple method that organizations can use to present information to end users. This presentation ensures that users see any disclaimers relevant to legal or compliance requirements. This article describes how to get started with terms of use (ToU) policies.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.


What can I do with terms of use policies?

Azure AD Terms of Use policies have the following characteristics:

  • Require employees or guests to agree to your terms of use policy before gaining access.
  • Require employees or guests to accept your terms of use policy on all devices before gaining access.
  • Require employees or guests to agree to your terms of use policy on a recurring schedule.
  • Require employees or guests to accept your terms of use policy before enrolling security information in Azure AD Multi-Factor Authentication (MFA).
  • Require employees to accept your terms of use policy before registering security information in Azure AD Self-Service Password Reset (SSPR).
  • Present a general terms of use policy for all users in your organization.
  • Present specific terms of use policies based on a user's attributes (such as doctors vs. nurses, or domestic vs. international employees) using dynamic groups.
  • Present specific terms of use policies when users access high-business-impact apps, such as Salesforce.
  • Present the terms of use policies in different languages.
  • List who has and who has not accepted your terms of use policies.
  • Help comply with privacy regulations.
  • View a log of terms of use policy activity for compliance and auditing.
  • Create and manage terms of use policies using Microsoft Graph APIs.

Prerequisites

To use and configure Azure AD Terms of Use policies, you must have:

  • Azure AD Premium P1, P2, EMS E3, or EMS E5 licenses.
    • If you don't have one of these subscriptions, you can get Azure AD Premium or enable an Azure AD Premium trial.
  • One of the following administrator accounts for the directory you want to configure:
    • Global Administrator
    • Security Administrator
    • Conditional Access Administrator

Terms of use document

Azure AD Terms of Use policies use the PDF format to present content. The PDF file can contain any content, such as existing contract documents, which lets you collect end-user agreements during sign-in. To support users on mobile devices, the recommended font size in the PDF is 24 points.

Add terms of use

After completing the terms of use policy document, use the following procedure to add it.

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.

  3. Select New terms.


  4. In the Name box, type a name for the terms of use policy that will be used in the Azure portal.

  5. For Terms of use document, browse to the PDF of the finalized terms of use policy and select it.

  6. Select the language for your terms of use policy document. The language option lets you upload multiple terms of use policies, each in a different language. The version of the terms of use policy that an end user sees is based on their browser language preferences.

  7. In the Display name box, enter a title that users see when they sign in.

  8. To require end users to view the terms of use policy before accepting it, set Require users to expand the terms of use to On.

  9. To require end users to accept your terms of use policy on every device they access from, set Require users to consent on every device to On. Users may be required to install additional applications if this option is enabled. For more information, see Per-device terms of use.

  10. If you want the terms of use policy consents to expire on a schedule, set Expire consents to On. When enabled, two more schedule settings are displayed.


  11. Use the Expire starting and Frequency settings to specify the schedule for expiring the terms of use policy. The following table shows the result of some example settings:

    Expire starting    | Frequency | Result
    Today's date       | Monthly   | Starting today, users must accept the terms of use policy and then re-accept every month.
    Date in the future | Monthly   | Starting today, users must accept the terms of use policy. When the future date arrives, consents expire and users must re-accept every month.

    For example, if you set Expire starting to January 1 and Frequency to Monthly, this is how expirations might occur for two users:

    User   | First accept date | First expiration | Second expiration | Third expiration
    Alicia | January 1         | February 1       | March 1           | April 1
    Beto   | January 15        | February 1       | March 1           | April 1

  12. Use the Duration before re-acceptance required (days) setting to specify the number of days before the user must re-accept the terms of use policy. This lets each user follow their own schedule. For example, if you set the duration to 30 days, this is what the expirations might look like for two users:

    User   | First accept date | First expiration | Second expiration | Third expiration
    Alicia | January 1         | January 31       | March 2           | April 1
    Beto   | January 15        | February 14      | March 16          | April 15

    You can use Expire consents and Duration before re-acceptance required (days) together, but typically one or the other is used.

  13. Under Conditional Access, use the Enforce with Conditional Access policy template list to select the template that enforces the terms of use policy.

    Template                               | Description
    Custom policy                          | Select the users, groups, and apps that this terms of use policy applies to.
    Create Conditional Access policy later | This terms of use policy appears in the grant control list when creating a Conditional Access policy.

    Important

    Conditional access policy controls (including terms of use policies) do not support enforcement on service accounts. We recommend excluding all service accounts from the Conditional Access policy.


    Custom Conditional Access policies enable granular terms of use policies, down to a specific cloud application or group of users. For more information, see Quickstart: Require acceptance of terms of use before accessing cloud apps.

  14. Select Create.

    If you selected a custom Conditional Access template, a new screen appears that lets you create the custom Conditional Access policy.


    You should now see your new terms of use policy.
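The two expiration settings in steps 11 and 12 behave differently: Expire consents puts every in-scope user on the same tenant-wide anchor dates, while Duration before re-acceptance gives each user a rolling window measured from their own acceptance. The following Python script is an added example (not part of the original article or of Microsoft's documentation) that reproduces the article's two tables from those rules. How the rules are modelled here is an assumption: the first anchor is the first scheduled date strictly after the user's acceptance, frequency steps are whole calendar months, and a user re-accepts on the day their consent expires.

```python
# Added example, not from the original article: model the two re-acceptance
# schedules described for Azure AD terms of use and reproduce the article's tables.
# Assumptions made here (the article does not spell them out): an "Expire consents"
# anchor is the first scheduled date strictly after the user's acceptance, frequency
# steps are whole calendar months, and a user re-accepts on the day their consent
# expires, so the next rolling window starts from that date.
import calendar
from datetime import date, timedelta
from typing import Dict, List


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping the day to the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def anchored_expirations(accepted: date, expire_starting: date,
                         frequency_months: int, count: int) -> List[date]:
    """'Expire consents' = On with 'Expire starting' and 'Frequency'.

    Expirations fall on tenant-wide anchor dates. A user who accepts between two
    anchors still expires on the next anchor; a user who accepts before the start
    date expires on the start date itself (the "date in the future" row above).
    """
    if frequency_months < 1 or count < 1:
        raise ValueError("frequency and count must be positive")
    anchor = expire_starting
    while anchor <= accepted:          # first anchor strictly after acceptance
        anchor = add_months(anchor, frequency_months)
    out = []
    for _ in range(count):
        out.append(anchor)
        anchor = add_months(anchor, frequency_months)
    return out


def rolling_expirations(accepted: date, duration_days: int, count: int) -> List[date]:
    """'Duration before re-acceptance required (days)' = N.

    Each user has a private window of N days from their own (re-)acceptance, so
    two users who accepted on different days expire on different days.
    """
    if duration_days < 1 or count < 1:
        raise ValueError("duration and count must be positive")
    out, current = [], accepted
    for _ in range(count):
        current = current + timedelta(days=duration_days)
        out.append(current)
    return out


def schedule_report(users: Dict[str, date], expire_starting: date, frequency_months: int,
                    duration_days: int, count: int = 3) -> Dict[str, Dict[str, List[date]]]:
    """Return both schedules per user so the two settings can be compared side by side."""
    return {
        name: {
            "anchored": anchored_expirations(accepted, expire_starting, frequency_months, count),
            "rolling": rolling_expirations(accepted, duration_days, count),
        }
        for name, accepted in users.items()
    }


if __name__ == "__main__":
    # Constructed sample matching the article's two tables (non-leap year 2023).
    sample = {"Alicia": date(2023, 1, 1), "Beto": date(2023, 1, 15)}
    for name, schedules in schedule_report(sample, date(2023, 1, 1), 1, 30).items():
        print(name, "anchored:", [d.isoformat() for d in schedules["anchored"]])
        print(name, "rolling: ", [d.isoformat() for d in schedules["rolling"]])
```

The anchored schedule is the one to choose when an auditor needs a single date on which every consent in the tenant was renewed; the rolling schedule spreads re-acceptance prompts across users and avoids a tenant-wide prompt storm on the anchor day.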

View the report of who accepted and declined

The Terms of use blade displays a count of the users who have accepted and declined. These counts, and who accepted or declined, are stored for the life of the terms of use policy.

  1. Sign in to Azure and navigate to Terms of use at https://aka.ms/catou.


  2. For a terms of use policy, select the numbers under Accepted or Declined to see the current state for users.


  3. To view the history for an individual user, select the ellipsis (...) and then View History.


    In the history view panel, you'll see a history of all acceptances, rejections, and expirations.

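The report above, like the Microsoft Graph acceptances collection behind it, only contains users who have responded: a user who has never been prompted is simply absent, and an acceptance of a superseded PDF version or one past its expiration date is still an "accepted" record. The following Python script is an added example (not from the original article or from Microsoft) that reconciles Graph acceptance records against the list of users your Conditional Access policy puts in scope and reports all of those cases. The record fields follow the Graph agreementAcceptance resource; the records, the in-scope user list, the file ids and the timestamp are constructed sample data, and the live Graph call is left out so the script runs offline.

```python
# Added example, not from the original article or from Microsoft: reconcile the
# per-user acceptance records that Microsoft Graph exposes for a terms of use
# agreement against the users a Conditional Access policy puts in scope.
#
# Record fields follow the Graph agreementAcceptance resource returned by
#   GET /identityGovernance/termsOfUse/agreements/{agreement-id}/acceptances
# (userPrincipalName, state, recordedDateTime, expirationDateTime, agreementFileId,
# deviceId). The records and the in-scope user list below are constructed sample
# data; fetching them live needs an AgreementAcceptance.Read.All token and is
# left out so the script runs offline.
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

STATUSES = ("accepted", "expired", "superseded", "declined", "never_prompted")


def parse_graph_ts(value: Optional[str]) -> Optional[datetime]:
    """Graph timestamps are ISO 8601 with a trailing 'Z'; return aware UTC datetimes."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_record_per_user(acceptances: Iterable[dict]) -> Dict[str, dict]:
    """Keep only the most recent record per user. A user may have several:
    re-acceptances, a decline followed by an acceptance, or one record per device
    when 'Require users to consent on every device' is on."""
    latest: Dict[str, dict] = {}
    for rec in acceptances:
        upn = rec["userPrincipalName"].lower()
        ts = parse_graph_ts(rec["recordedDateTime"])
        if upn not in latest or ts > parse_graph_ts(latest[upn]["recordedDateTime"]):
            latest[upn] = rec
    return latest


def reconcile(scoped_users: Iterable[str], acceptances: Iterable[dict],
              current_file_ids: Iterable[str], now: datetime) -> Dict[str, List[str]]:
    """Classify every in-scope user. current_file_ids are the agreementFile ids of
    the PDF version(s) currently in force (one per language); an acceptance of an
    older file id is reported as 'superseded'. Pass an empty list to skip that
    check. Records for users no longer in scope are ignored."""
    latest = latest_record_per_user(acceptances)
    current = set(current_file_ids)
    result: Dict[str, List[str]] = {s: [] for s in STATUSES}
    for upn in sorted(u.lower() for u in scoped_users):
        rec = latest.get(upn)
        if rec is None:
            result["never_prompted"].append(upn)
        elif rec["state"] != "accepted":
            result["declined"].append(upn)
        elif (exp := parse_graph_ts(rec.get("expirationDateTime"))) and exp <= now:
            result["expired"].append(upn)
        elif current and rec.get("agreementFileId") not in current:
            result["superseded"].append(upn)
        else:
            result["accepted"].append(upn)
    return result


# --- constructed sample data (not real tenant output) -----------------------
SCOPED_USERS = ["alice@contoso.example", "bob@contoso.example", "carol@contoso.example",
                "dave@contoso.example", "erin@contoso.example"]
CURRENT_FILE_IDS = ["file-v2-en", "file-v2-de"]
NOW = datetime(2023, 3, 15, tzinfo=timezone.utc)
ACCEPTANCES = [
    {"userPrincipalName": "alice@contoso.example", "state": "declined",
     "recordedDateTime": "2023-02-28T08:00:00Z", "expirationDateTime": None,
     "agreementFileId": "file-v2-en", "deviceId": "00000000-0000-0000-0000-000000000001"},
    {"userPrincipalName": "alice@contoso.example", "state": "accepted",   # later record wins
     "recordedDateTime": "2023-03-01T09:00:00Z", "expirationDateTime": "2023-04-01T09:00:00Z",
     "agreementFileId": "file-v2-en", "deviceId": "00000000-0000-0000-0000-000000000001"},
    {"userPrincipalName": "bob@contoso.example", "state": "accepted",     # 30-day window passed
     "recordedDateTime": "2023-01-10T10:00:00Z", "expirationDateTime": "2023-02-09T10:00:00Z",
     "agreementFileId": "file-v2-en", "deviceId": None},
    {"userPrincipalName": "carol@contoso.example", "state": "declined",
     "recordedDateTime": "2023-03-05T11:00:00Z", "expirationDateTime": None,
     "agreementFileId": "file-v2-de", "deviceId": None},
    {"userPrincipalName": "dave@contoso.example", "state": "accepted",    # accepted the old PDF
     "recordedDateTime": "2022-12-01T12:00:00Z", "expirationDateTime": None,
     "agreementFileId": "file-v1-en", "deviceId": None},
    {"userPrincipalName": "frank@contoso.example", "state": "accepted",   # no longer in scope
     "recordedDateTime": "2023-03-02T12:00:00Z", "expirationDateTime": None,
     "agreementFileId": "file-v2-en", "deviceId": None},
]

if __name__ == "__main__":
    for status, users in reconcile(SCOPED_USERS, ACCEPTANCES, CURRENT_FILE_IDS, NOW).items():
        print(f"{status:>15}: {', '.join(users) or '-'}")
```

The in-scope list should come from the same users and groups the Conditional Access policy targets (minus its exclusions), otherwise "never prompted" will include people who are not actually required to accept. When per-device consent is enabled, group by (user, deviceId) instead of collapsing to one record per user.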

View Azure AD audit logs

If you want to view more activity, Azure AD Terms of Use policies include audit logs. Each user consent triggers an event in the audit logs, which are retained for 30 days. You can view these logs in the portal or download them as a .csv file.

To get started with Azure AD audit logs, use the following procedure:

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.

  3. Select a terms of use policy.

  4. Select View audit logs.

  5. On the Azure AD audit logs screen, you can filter the information using the provided lists to target specific audit log information.

    You can also select Download to save the information as a .csv file for local use.


    If you select a record, a pane appears with more details about the activity.


How users see the terms of use

Once a ToU policy is created and enforced, users who are in scope see the following screen during sign-in.


Users can view the terms of use policy and, if necessary, use buttons to zoom in and out.


The following screen shows what a ToU policy looks like on mobile devices.


Users need to accept the terms of use policy only once, and they won't see it again on subsequent sign-ins unless consent expiration or a re-acceptance duration is configured, or a new version of the document is published with Require reaccept enabled.

How users can review their terms of use

Users can review and see the terms of use policies they have accepted by using the following procedure.

  1. Sign in to https://myaccount.microsoft.com/.
  2. Select Settings & Privacy.
  3. Select Privacy.
  4. Under Organization's notice, select View next to the terms of use statement you want to review.

Edit the details of the terms of use

You can edit some details of terms of use policies, but you can't modify an existing document in place; a new version of the PDF is uploaded instead (see the next section). The following procedure describes how to edit the details.

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.

  3. Select the terms of use policy you want to edit.

  4. Select Edit terms.

  5. In the Edit terms of use pane, you can change the following options:

    • Name – the internal name of the ToU that isn't shared with end users
    • Display name – the name that end users see when viewing the ToU
    • Require users to expand terms of use – Setting this option to On forces the end user to expand the terms of use policy document before accepting it.
    • (Preview) You can update an existing terms of use document
    • You can add a language to an existing ToU

    If there are other settings you want to change, such as the PDF document, require users to consent on every device, expire consents, duration before re-acceptance, or the Conditional Access policy, you must create a new terms of use policy.


  6. When you're done, select Save to save your changes.

Update the version or PDF of an existing terms of use

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.

  3. Select the terms of use policy you want to edit.

  4. Select Edit terms.

  5. For the language in which you want to upload a new version, select Update under the Action column.


  6. In the right pane, upload the PDF for the new version.

  7. There is also a toggle, Require reaccept, if you want to require users to accept this new version the next time they sign in. If you require reacceptance, the next time users try to access the resource defined in your Conditional Access policy they'll be prompted to accept this new version. If you don't require reacceptance, the previous consent stays current and only new users who haven't consented before, or whose consent has expired, see the new version. Until the user's current session expires, Require reaccept doesn't force them to accept the new ToU. If you want to guarantee reacceptance, delete and recreate the ToU, or create a new ToU for this case.


  8. Once you've uploaded your new PDF and decided whether to require reacceptance, select Add at the bottom of the pane.

  9. You'll now see the latest version under the Document column.

View previous versions of a ToU

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.

  3. Select the terms of use policy for which you want to see a version history.

  4. Select Languages and version history.

  5. Select See previous versions.


  6. You can select the name of the document to download that version.

See who accepted each version

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.
  3. To see who currently accepted the terms of use, select the number under the Accepted column for the ToU you want.
  4. By default, the next page shows each user's current acceptance state for the ToU.
  5. If you want to see previous consent events, select All from the Current state drop-down. Now you can see each user's events in detail for each version and what happened.
  6. Alternatively, select a specific version from the Version drop-down to see who accepted that specific version.

Add a ToU language

The following procedure describes how to add a ToU language.

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.

  3. Select the terms of use policy you want to edit.

  4. Select Edit terms.

  5. Select Add language at the bottom of the page.

  6. In the Add Terms of Use Language panel, upload your localized PDF and select your language.


  7. Select Add language.

  8. Select Save.

  9. Select Add to add the language.

Per-device terms of use

The Require users to consent on every device setting lets you require end users to accept your terms of use policy on every device they access from. The end user must register their device in Azure AD. When the device is registered, the device ID is used to enforce the terms of use policy on each device.

Supported platforms and software

                        | iOS | Android | Windows 10 | Other
Native app              | Yes | Yes     | Yes        |
Microsoft Edge          | Yes | Yes     | Yes        |
Internet Explorer       | Yes | Yes     | Yes        |
Chrome (with extension) | Yes | Yes     | Yes        |

Per-device terms of use have the following constraints:

  • A device can only be joined to one tenant.
  • A user must have permission to join their device.
  • The Intune Enrollment app isn't supported. Make sure it's excluded from any Conditional Access policy that requires the terms of use policy.
  • Azure AD B2B users aren't supported.

If the user's device isn't joined, they get a message that they need to join their device. Their experience depends on the platform and software.

Join a Windows 10 device

If a user is using Windows 10 and Microsoft Edge, they get a message similar to the following to join their device.

If they're using Chrome, they're prompted to install the Windows 10 Accounts extension.

Register an iOS device

If a user is using an iOS device, they're prompted to install the Microsoft Authenticator app.

Register an Android device

If a user is using an Android device, they're prompted to install the Microsoft Authenticator app.

Browsers

If a user is using an unsupported browser, they're prompted to use a different browser.


Delete terms of use

You can delete old terms of use policies using the following procedure.

  1. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.

  3. Select the terms of use policy you want to delete.

  4. Select Delete terms.

  5. In the message that appears asking if you want to continue, select Yes.


    You should no longer see your terms of use policy.


Deletion of user acceptance records

User acceptance records are deleted:

  • When the admin explicitly deletes the ToU. When this change happens, all acceptance records associated with that specific ToU are also deleted.
  • When the tenant loses its Azure Active Directory Premium license.
  • When the tenant is deleted.

Policy changes

Conditional Access policies take effect immediately. When this happens, the administrator starts to see "sad clouds" or "Azure AD token issues". The administrator must sign out and sign in to satisfy the new policy.

Important

Users in scope need to sign out and sign in to satisfy a new policy if:

  • a Conditional Access policy is enabled on a terms of use policy
  • or a second terms of use policy is created

B2B guests

Most organizations have a process in place for their employees to consent to their organization's terms of use, policy, and privacy statements. But how can you enforce the same consents for Azure AD business-to-business (B2B) guests when they're added via SharePoint or Teams? Using Conditional Access and terms of use policies, you can enforce a policy directly on B2B guest users. During the invitation redemption flow, the user is presented with the terms of use policy.

Terms of use policies are only displayed when the user has a guest account in Azure AD. SharePoint Online currently has an ad hoc external sharing recipient experience for sharing a document or folder that doesn't require the user to have a guest account. In this case, a terms of use policy isn't displayed.


Cloud application support

Terms of use policies can be used for different cloud applications, such as Azure Information Protection and Microsoft Intune. This support is currently in preview.

Azure Information Protection

You can configure a conditional access policy for the Azure Information Protection app and require a terms of use policy when a user accesses a protected document. This setting will trigger a terms of use policy before a user accesses a protected document for the first time.


Microsoft Intune Enrollment

You can configure a Conditional Access policy for the Microsoft Intune Enrollment app and require a terms of use policy before enrolling a device in Intune. For more information, read the Choosing the right Terms solution for your organization blog post.


Note

The Intune Enrollment app doesn't support per-device terms of use.

Frequently asked questions

Q: I can't sign in using PowerShell when terms of use is enabled.
A: Terms of use can only be accepted when authenticating interactively, so a non-interactive sign-in that falls in scope of the policy is blocked (this is why service accounts should be excluded from the Conditional Access policy).

Q: How do I see if a user has accepted the terms of use?
A: On the Terms of use blade, select the number under Accepted. You can also view or search the acceptance activity in the Azure AD audit logs. For more information, see View the report of who accepted and declined and View Azure AD audit logs.

Q: How long is the information stored?
A: The user count in the terms of use report and those who accepted/declined are stored for the duration of the terms of use. Azure AD audit logs are stored for 30 days.

Q: Why do I see a different number of consents in the terms of use details overview versus the Azure AD audit logs?
A: The terms of use details overview is stored for the lifetime of that terms of use policy, while the Azure AD audit logs are stored for 30 days.

Q: Why do I see a different number of consents in the terms of use details overview versus the exported CSV report?
A: The terms of use details overview reflects the aggregated acceptances of the current version of the policy (updated once a day). If expiration is enabled or a ToU agreement is updated with re-acceptance required, the count in the details overview resets because those acceptances have expired, so it shows the count for the current version only. All acceptance history is still captured in the CSV report.

Q: If hyperlinks are in the terms of use policy PDF document, can end users select them?
A: Yes, end users can select hyperlinks to other pages, but links to sections within the document aren't supported. Also, hyperlinks in terms of use policy PDFs don't work when accessed from the Azure AD MyApps/MyAccount portal.

Q: Can a terms of use policy support multiple languages?
A: Yes. Currently, there are 108 different languages ​​that an administrator can configure for a single terms of use policy. An administrator can upload multiple PDF documents and tag these documents with the corresponding language (up to 108). When end users log in, we check their browser's language preference and display the corresponding document. If there is no match, we display the default document, which is the first document loaded.

Q: When does the terms of use policy kick in?
A: The terms of use policy is activated during the login experience.

Q: Which apps can I target a terms of use policy to?
A: You can create a Conditional Access policy for enterprise apps that use modern authentication. For more information, see enterprise apps.

Q: Can I add multiple terms of use policies for a given user or app?
A: Yes, by creating multiple Conditional Access policies that target those groups or applications. If a user falls in scope of multiple terms of use policies, they accept one terms of use policy at a time.

Q: What happens if a user declines the terms of use policy?
A: The user is blocked from getting access to the application. The user would have to sign in again and accept the terms to get access.

Q: Is it possible to un-accept a terms of use policy that was previously accepted?
A: You can review previously accepted terms of use policies, but currently there isn't a way to un-accept.

Q: What happens if I'm also using Intune terms and conditions?
A: If you've configured both Azure AD terms of use and Intune terms and conditions, the user must accept both. For more information, see the Choosing the right Terms solution for your organization blog post.

Q: What endpoints does the terms of use service use for authentication?
A: Terms of use uses the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com, https://myaccount.microsoft.com, and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of sign-in URLs, you'll need to add these endpoints to it, along with the Azure AD sign-in endpoints.

Next steps

  • Quickstart: Require acceptance of terms of use before accessing cloud applications

Article information

Author: Rev. Porsche Oberbrunner

Last Updated: 12/09/2023
