Azure AD Terms of Use gives organizations a simple way to present information to end users before they are granted access. Presenting the terms at sign-in ensures that users see the disclaimers your legal or compliance requirements call for. This article describes how to get started with terms of use (ToU) policies.
Note
This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. General information about GDPR is available in the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.
Overview videos
The following video provides a quick overview of terms of use policies.
More videos can be found at:
- How to implement a terms of use policy in Azure Active Directory
What can I do with terms of use?
Azure AD Terms of Use has the following capabilities:
- Require employees or guests to accept your terms of use before getting access.
- Require employees or guests to accept your terms of use on every device before getting access.
- Require employees or guests to accept your terms of use on a recurring schedule.
- Require employees or guests to accept your terms of use before registering security information in Azure AD Multi-Factor Authentication (MFA).
- Require employees to accept your terms of use before registering security information in Azure AD Self-Service Password Reset (SSPR).
- Present general terms of use to all users in your organization.
- Present specific terms of use based on a user's attributes (for example doctors vs. nurses, or domestic vs. international employees) by targeting dynamic groups.
- Present specific terms of use when accessing high business impact applications, such as Salesforce.
- Present terms of use in different languages.
- List who has and hasn't accepted your terms of use.
- Help you meet privacy regulations.
- View a log of terms of use activity for compliance and audit.
- Create and manage terms of use using the Microsoft Graph API.
Prerequisites
To use and configure Azure AD Terms of Use, you need:
- An Azure AD Premium P1, P2, EMS E3, or EMS E5 license.
- If you don't have one of these subscriptions, you can get Azure AD Premium or enable an Azure AD Premium trial.
- One of the following administrator accounts for the directory you want to configure:
- Global Administrator
- Security Administrator
- Conditional Access Administrator
Terms of use document
Azure AD Terms of Use uses PDF format to present content. The PDF file can contain any content, such as an existing contract document, allowing you to collect end-user agreements during user onboarding. To support users on mobile devices, the recommended font size in the PDF is 24 points.
Add terms of use
Once you have finalized your terms of use policy document, use the following procedure to add it.
Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select New terms.
In the Name box, enter a name for the terms of use policy that will be used in the Azure portal.
For Terms of use document, browse to your finalized terms of use policy PDF and select it.
Select the language for your terms of use policy document. The language option allows you to upload multiple terms of use policies, each with a different language. The version of the terms of use policy that an end user sees is based on their browser preferences.
In the Display name box, enter a title that users see when they sign in.
To require end users to view the terms of use policy before accepting it, set Require users to expand the terms of use to On.
To require end users to accept your terms of use policy on every device they access it from, set Require users to consent on every device to On. Users may be required to install additional applications if this option is enabled. For more information, see Per-device terms of use.
If you want to expire terms of use policy consents on a schedule, set Expire consents to On. When set to On, two additional schedule settings appear.
Use the Expire starting on and Frequency settings to specify the schedule for terms of use policy expirations. The following table shows the result for a couple of example settings:

| Expire starting on | Frequency | Result |
|---|---|---|
| Today's date | Monthly | Starting today, users must consent to the terms of use policy and then re-consent every month. |
| Date in the future | Monthly | Starting today, users must consent to the terms of use policy. When the future date occurs, consents expire and then users must re-consent every month. |

For example, if you set Expire starting on to Jan 1 and Frequency to Monthly, two users might experience the following histories:

| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alice | Jan 1 | Feb 1 | Mar 1 | Apr 1 |
| Bob | Jan 15 | Feb 1 | Mar 1 | Apr 1 |

Use the Duration before re-acceptance required (days) setting to specify the number of days before the user must re-accept the terms of use policy. This allows users to follow their own schedule. For example, if you set the duration to 30 days, two users might experience the following histories:

| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alice | Jan 1 | Jan 31 | Mar 2 | Apr 1 |
| Bob | Jan 15 | Feb 14 | Mar 16 | Apr 15 |

It is possible to use the Expire consents and Duration before re-acceptance required (days) settings together, but typically you use one or the other.
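The two expiry modes run on different clocks (a fixed calendar schedule versus a per-user countdown), which is easy to get wrong when planning a re-consent campaign. The following Python reproduces the documented behaviour so you can check a proposed schedule before enabling it. It is an example added to this article, not Microsoft's implementation; the schedule semantics are taken from the tables above, and the month-end clamping in `add_months` is an assumption, since the article only shows monthly examples that start on the 1st.

```python
"""Model the two consent-expiry schedules of Azure AD Terms of Use.
Example added to this article; not Microsoft's code. It encodes only the
behaviour shown in the tables above (monthly schedule, 30-day duration)."""
from calendar import monthrange
from datetime import date, timedelta
from typing import Callable, Dict, List


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping the day to the month
    length (assumed behaviour for schedules that start on the 29th-31st)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def next_expiry_scheduled(accepted: date, expire_from: date, frequency_months: int) -> date:
    """'Expire consents' mode: a consent lapses at the first schedule boundary
    (expire_from, expire_from + frequency, ...) strictly after the acceptance
    date, regardless of when the user accepted. Everyone shares one calendar."""
    boundary = expire_from
    while boundary <= accepted:
        boundary = add_months(boundary, frequency_months)
    return boundary


def next_expiry_duration(accepted: date, days: int) -> date:
    """'Duration before re-acceptance required (days)' mode: the countdown
    restarts at every acceptance, so each user runs on their own schedule."""
    return accepted + timedelta(days=days)


def expiry_history(first_accept: date, next_expiry: Callable[[date], date],
                   count: int = 3) -> List[date]:
    """Expiry dates a user sees if they re-accept on the day each consent
    lapses (the assumption behind the Alice/Bob tables)."""
    history, accepted = [], first_accept
    for _ in range(count):
        accepted = next_expiry(accepted)
        history.append(accepted)
    return history


def example_tables(year: int = 2023) -> Dict[str, Dict[str, List[date]]]:
    """Reproduce the article's tables (non-leap year), plus the 'date in the
    future' row of the first table with Expire starting on = Mar 1."""
    jan1, jan15, mar1 = date(year, 1, 1), date(year, 1, 15), date(year, 3, 1)

    def scheduled(d: date) -> date:
        return next_expiry_scheduled(d, expire_from=jan1, frequency_months=1)

    def scheduled_future(d: date) -> date:
        return next_expiry_scheduled(d, expire_from=mar1, frequency_months=1)

    def duration(d: date) -> date:
        return next_expiry_duration(d, days=30)

    return {
        "scheduled": {"Alice": expiry_history(jan1, scheduled),
                      "Bob": expiry_history(jan15, scheduled)},
        "scheduled_future": {"Alice": expiry_history(jan1, scheduled_future),
                             "Bob": expiry_history(jan15, scheduled_future)},
        "duration": {"Alice": expiry_history(jan1, duration),
                     "Bob": expiry_history(jan15, duration)},
    }


if __name__ == "__main__":
    for mode, users in example_tables().items():
        for user, dates in users.items():
            print(f"{mode:17} {user:6}", [d.strftime("%b %d") for d in dates])
```

Note what the scheduled mode implies for a user who accepts the day before a boundary: Bob accepts on Jan 15 and is prompted again on Feb 1, so a schedule that starts on a date close to a roll-out will re-prompt many users almost immediately. The duration mode avoids that but spreads re-acceptances across the calendar, which matters if you report on a fixed compliance date.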
Under Conditional Access, use the Enforce with Conditional Access policy template list to select the template to enforce the terms of use policy.

| Template | Description |
|---|---|
| Custom policy | Select the users, groups, and apps that this terms of use policy applies to. |
| Create Conditional Access policy later | This terms of use policy appears in the grant control list when creating a Conditional Access policy. |

Important
Conditional Access policy controls (including terms of use policies) do not support enforcement on service accounts. We recommend excluding all service accounts from the Conditional Access policy.
Custom Conditional Access policies enable granular terms of use policies, down to a specific cloud application or group of users. For more information, see Quickstart: Require terms of use to be accepted before accessing cloud apps.
Select Create.
If you selected a custom Conditional Access template, a new screen appears that allows you to create the custom Conditional Access policy.
You should now see your new terms of use policy.
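The same policy can be created programmatically, which is how you would keep terms of use under version control or stamp them out across tenants. The following Python builds and submits the Microsoft Graph agreement that corresponds to the portal steps above. It is an example added to this article, not Microsoft's own sample: it assumes you already hold an access token granted the Agreement.ReadWrite.All permission, the mapping from portal switches to Graph property names is given in the code comments, and a constructed byte string stands in for the real PDF.

```python
"""Create a terms of use agreement through Microsoft Graph (v1.0).
Example added to this article; not Microsoft's sample code. Requires an
access token with Agreement.ReadWrite.All; the PDF bytes are a placeholder."""
import base64
import json
import urllib.request
from typing import List, Optional

GRAPH_AGREEMENTS = "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements"

# Constructed placeholder. In practice: open("terms.pdf", "rb").read()
SAMPLE_PDF = b"%PDF-1.4\n% constructed placeholder for the terms of use document\n"


def agreement_file(file_name: str, language: str, pdf_bytes: bytes, is_default: bool) -> dict:
    """One localized PDF. Graph expects the file body base64-encoded in fileData.data."""
    if not pdf_bytes.startswith(b"%PDF-"):
        raise ValueError(f"{file_name}: not a PDF")
    return {
        "fileName": file_name,
        "language": language,           # BCP 47 tag matched against the browser language
        "isDefault": is_default,        # shown when no uploaded language matches
        "fileData": {"data": base64.b64encode(pdf_bytes).decode("ascii")},
    }


def build_agreement(display_name: str, files: List[dict], *, require_expand: bool = True,
                    per_device: bool = False, reaccept_days: Optional[int] = None,
                    expire_from: Optional[str] = None,
                    expire_frequency: Optional[str] = None) -> dict:
    """Assemble the agreement body. Portal switch -> Graph property:
      Require users to expand the terms of use   -> isViewingBeforeAcceptanceRequired
      Require users to consent on every device   -> isPerDeviceAcceptanceRequired
      Duration before re-acceptance required     -> userReacceptRequiredFrequency (ISO 8601)
      Expire consents / starting on / Frequency  -> termsExpiration {startDateTime, frequency}"""
    if sum(1 for f in files if f["isDefault"]) != 1:
        raise ValueError("exactly one file must be isDefault")
    if len({f["language"] for f in files}) != len(files):
        raise ValueError("each language may be uploaded only once")
    body = {
        "displayName": display_name,
        "isViewingBeforeAcceptanceRequired": require_expand,
        "isPerDeviceAcceptanceRequired": per_device,
        "files": files,
    }
    if reaccept_days is not None:
        body["userReacceptRequiredFrequency"] = f"P{reaccept_days}D"
    if expire_from is not None:
        body["termsExpiration"] = {"startDateTime": expire_from, "frequency": expire_frequency}
    return body


def create_agreement(access_token: str, body: dict) -> dict:
    """POST the agreement; returns the created resource, including its id."""
    req = urllib.request.Request(
        GRAPH_AGREEMENTS,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    files = [agreement_file("tou-en.pdf", "en-US", SAMPLE_PDF, True),
             agreement_file("tou-de.pdf", "de-DE", SAMPLE_PDF, False)]
    body = build_agreement("Contoso Terms of Use", files, reaccept_days=30)
    print(json.dumps({k: v for k, v in body.items() if k != "files"}, indent=2))
    # created = create_agreement(os.environ["GRAPH_TOKEN"], body)   # with a real token
```

Creating the agreement does not enforce it; as with the "Create Conditional Access policy later" template, you still need a Conditional Access policy that lists the agreement as a grant control. Keep the PDF out of the token-bearing process's logs: the base64 body is the whole document.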
View report of who has accepted and declined
The Terms of use blade shows a count of the users who have accepted and declined. These counts, and who accepted or declined, are stored for the life of the terms of use policy.
Sign in to Azure and navigate to Terms of use at https://aka.ms/catou.
For a terms of use policy, select the numbers under Accepted or Declined to see the current state for users.
To view the history of an individual user, select the ellipsis (...) and then View History.
In the View History pane, you see a history of all the accepts, declines, and expirations.
View Azure AD audit logs
If you want to view additional activity, Azure AD Terms of Use policies include audit logs. Each user consent triggers an event in the audit logs that is stored for 30 days. You can view these logs in the portal or download them as a .csv file.
To get started with Azure AD audit logs, use the following procedure:
Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select a terms of use policy.
Select View audit logs.
On the Azure AD audit logs screen, you can filter the information using the provided lists to target specific audit log information.
You can also select Download to download the information in a .csv file for use locally.
If you select a log entry, a pane appears with more details about the activity.
What terms of use looks like for users
Once a terms of use policy is created and enforced, users in scope see the following screen during sign-in.
Users can view the terms of use policy and, if necessary, use the buttons to zoom in and out.
The following screen shows how a terms of use policy looks on mobile devices.
Users only need to accept the terms of use policy once, and they won't see it again on subsequent sign-ins unless the policy requires consent on every device, expires consents on a schedule, or a new version is uploaded with re-acceptance required.
How users can review their terms of use
Users can review and see the terms of use policies they have accepted by using the following procedure.
- Sign in to https://myaccount.microsoft.com/.
- Select Settings & Privacy.
- Select Privacy.
- Under Organization's notices, select View next to the terms of use statement you want to review.
Edit terms of use details
You can edit some details of terms of use policies, but you can't modify an existing document. The following procedure describes how to edit the details.
Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy you want to edit.
Select Edit terms.
In the Edit terms of use pane, you can change the following options:
- Name – the internal name of the ToU that is not shared with end users
- Display name – the name that end users see when viewing the ToU
- Require users to expand the terms of use – setting this option to On forces the end user to expand the terms of use policy document before accepting it.
- (Preview) You can update an existing terms of use document
- You can add a language to an existing ToU
If you want to change other settings, such as the PDF document, requiring users to consent on every device, expiring consents, the duration before re-acceptance is required, or the Conditional Access policy, you must create a new terms of use policy.
When finished, select Save to save your changes.
Update the version or PDF of an existing terms of use
Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy you want to edit.
Select Edit terms.
For the language that you want to upload a new version for, select Update under the Action column.
In the pane on the right, upload the PDF for the new version.
There is also a toggle option here, Require reaccept, if you want to require your users to accept this new version at the next sign-in. If you require your users to re-accept, the next time they try to access the resource defined in your Conditional Access policy they are prompted to accept the new version. If you don't require your users to re-accept, their previous consent stays current, and only new users who haven't consented before, or whose consent has expired, see the new version. Until the session expires, Require reaccept doesn't require users to accept the new ToU. If you want to be sure users re-accept, delete and recreate the policy, or create a new ToU for this case.
After you've uploaded your new PDF and decided on re-acceptance, select Add at the bottom of the pane.
You now see the most recent version under the Document column.
View previous versions of a ToU
Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy for which you want to view a version history.
Select Languages and version history.
Select See previous versions.
You can select the document name to download that version.
See who has accepted each version
- Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- To see who has currently accepted the ToU, select the number under the Accepted column for the ToU you want.
- By default, the next page shows you the current state of each user's acceptance of the ToU.
- If you want to see previous consent events, you can select All from the Current State drop-down list. Now you can see each user's events in detail about each version and what happened.
- Alternatively, you can select a specific version from the Version drop-down list to see who has accepted that specific version.
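The Current State and Version views above are reductions over the raw acceptance records, and the same reduction explains why the summary tile is smaller than the exported CSV: the summary counts unexpired acceptances of the current version only, while the CSV carries every event. The following Python performs that reduction over constructed sample records so you can reproduce the portal's numbers from a Graph export. It is an example added to this article, not Microsoft's code; field names follow the Graph agreementAcceptance resource returned by GET /identityGovernance/termsOfUse/agreements/{id}/acceptances, and the user names, version identifiers and timestamps are made up.

```python
"""Reduce Azure AD terms-of-use acceptance records to the portal's views.
Example added to this article; not Microsoft's code. Records are constructed
and use the Graph agreementAcceptance field names (state is 'accepted' or
'declined'; agreementFileId identifies the PDF version accepted)."""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: two PDF versions (v1, v2), one lapsed consent, one decline.
ACCEPTANCES: List[dict] = [
    {"userPrincipalName": "alice@contoso.com", "agreementFileId": "v1", "state": "accepted",
     "recordedDateTime": "2023-01-01T09:00:00Z", "expirationDateTime": "2023-01-31T09:00:00Z"},
    {"userPrincipalName": "alice@contoso.com", "agreementFileId": "v2", "state": "accepted",
     "recordedDateTime": "2023-02-01T08:00:00Z", "expirationDateTime": "2023-03-03T08:00:00Z"},
    {"userPrincipalName": "bob@contoso.com", "agreementFileId": "v1", "state": "accepted",
     "recordedDateTime": "2023-01-15T10:00:00Z", "expirationDateTime": "2023-02-14T10:00:00Z"},
    {"userPrincipalName": "carol@contoso.com", "agreementFileId": "v2", "state": "declined",
     "recordedDateTime": "2023-02-02T11:00:00Z", "expirationDateTime": None},
    {"userPrincipalName": "dave@contoso.com", "agreementFileId": "v2", "state": "accepted",
     "recordedDateTime": "2023-02-05T11:00:00Z", "expirationDateTime": "2023-03-07T11:00:00Z"},
]


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse Graph's UTC timestamps ('...Z'); None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def latest_per_user(records: List[dict]) -> Dict[str, dict]:
    """Keep each user's most recent event: the portal's default Current State view."""
    latest: Dict[str, dict] = {}
    for r in records:
        upn = r["userPrincipalName"]
        if upn not in latest or _ts(r["recordedDateTime"]) > _ts(latest[upn]["recordedDateTime"]):
            latest[upn] = r
    return latest


def current_state(records: List[dict], current_file_id: str, now_iso: str) -> Dict[str, str]:
    """Classify every user against the current version as of now_iso:
    accepted / expired / declined / stale_version (accepted an older PDF,
    which only needs re-acceptance if the update was uploaded with Require reaccept)."""
    now = _ts(now_iso)
    states: Dict[str, str] = {}
    for upn, r in latest_per_user(records).items():
        exp = _ts(r["expirationDateTime"])
        if r["state"] != "accepted":
            states[upn] = "declined"
        elif exp is not None and exp <= now:
            states[upn] = "expired"
        elif r["agreementFileId"] != current_file_id:
            states[upn] = "stale_version"
        else:
            states[upn] = "accepted"
    return states


def summary(records: List[dict], current_file_id: str, now_iso: str) -> dict:
    """What the summary tile counts (current, unexpired acceptances) versus
    what the CSV export carries (every event)."""
    st = current_state(records, current_file_id, now_iso)
    return {
        "accepted_current_version": sum(1 for s in st.values() if s == "accepted"),
        "needs_reaccept": sorted(u for u, s in st.items() if s in ("expired", "stale_version")),
        "declined": sorted(u for u, s in st.items() if s == "declined"),
        "total_events": len(records),
    }


def accepted_version(records: List[dict], file_id: str) -> List[str]:
    """Everyone who ever accepted a given version: the portal's Version drop-down."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["agreementFileId"] == file_id and r["state"] == "accepted"})


if __name__ == "__main__":
    as_of = "2023-02-20T00:00:00Z"
    print(current_state(ACCEPTANCES, "v2", as_of))
    print(summary(ACCEPTANCES, "v2", as_of))
    print("accepted v1:", accepted_version(ACCEPTANCES, "v1"))
```

Run against a real export, the `needs_reaccept` list is the population to chase for a compliance deadline, and `total_events` is the number you should expect the CSV (not the summary tile or the 30-day audit log) to match.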
Add a ToU language
The following procedure describes how to add a ToU language.
Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy you want to edit.
Select Edit terms.
Select Add language at the bottom of the page.
In the Add terms of use language pane, upload your localized PDF and select the language.
Select Add language.
Select Save.
Select Add to add the language.
Per-device terms of use
The Require users to consent on every device setting lets you require end users to accept your terms of use policy on every device they access it from. The end user must register their device in Azure AD. When the device is registered, the device ID is used to enforce the terms of use policy on each device.
Supported platforms and software:

| | iOS | Android | Windows 10 | Other |
|---|---|---|---|---|
| Native app | Yes | Yes | Yes | |
| Microsoft Edge | Yes | Yes | Yes | |
| Internet Explorer | Yes | Yes | Yes | |
| Chrome (with extension) | Yes | Yes | Yes | |

Per-device terms of use has the following constraints:
- A device can only be joined to one tenant.
- A user must have permissions to join their device.
- The Intune Enrollment app is not supported. Ensure that it is excluded from any Conditional Access policy requiring a terms of use policy.
- Azure AD B2B users are not supported.
If the user's device isn't joined, they receive a message that they need to join their device. Their experience depends on the platform and software.
Join a Windows 10 device
If a user is using Windows 10 and Microsoft Edge, they receive a message similar to the following telling them to join their device.
If they are using Chrome, they are prompted to install the Windows 10 Accounts extension.
Register an iOS device
If a user is using an iOS device, they are prompted to install the Microsoft Authenticator app.
Register an Android device
If a user is using an Android device, they are prompted to install the Microsoft Authenticator app.
Browsers
If a user is using an unsupported browser, they are prompted to use a different browser.
Delete terms of use
You can delete old terms of use policies using the following procedure.
Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy you want to remove.
Select Delete terms.
In the message that appears asking if you want to continue, select Yes.
You should no longer see your terms of use policy.
Delete user acceptance records
User acceptance records are deleted:
- When the admin explicitly deletes the ToU. When this change happens, all acceptance records associated with that specific ToU are also deleted.
- When the tenant loses its Azure Active Directory Premium license.
- When the tenant is deleted.
Policy changes
Conditional Access policies take effect immediately. When this happens, the administrator starts to see "sad clouds" or "Azure AD token issues". The admin must sign out and sign in to satisfy the new policy.
Important
Users in scope must sign out and sign in to satisfy a new policy if:
- a Conditional Access policy is enabled on a terms of use policy
- or a second terms of use policy is created
B2B guests
Most organizations have a process in place for their employees to consent to their organization's terms of use policy and privacy statements. But how can you enforce the same consents for Azure AD business-to-business (B2B) guests when they are added through SharePoint or Teams? Using Conditional Access and terms of use policies, you can enforce a policy directly on B2B guest users. During the invitation redemption flow, the user is presented with the terms of use policy.
A terms of use policy is only displayed when the user has a guest account in Azure AD. SharePoint Online currently has an ad hoc external sharing recipient experience to share a document or a folder that does not require the user to have a guest account. In this case, a terms of use policy is not displayed.
Support for cloud apps
Terms of use policies can be used for different cloud apps, such as Azure Information Protection and Microsoft Intune. This support is currently in preview.
Azure Information Protection
You can configure a Conditional Access policy for the Azure Information Protection app and require a terms of use policy when a user accesses a protected document. This configuration triggers a terms of use policy before a user accesses a protected document for the first time.
Microsoft Intune enrollment
You can configure a Conditional Access policy for the Microsoft Intune Enrollment app and require a terms of use policy before enrolling a device in Intune. For more information, read the Choosing the right Terms solution for your organization blog post.
Note
The Intune Enrollment app is not supported for Per-device terms of use.
Frequently asked questions
Q: I cannot sign in using PowerShell when terms of use is enabled.
A: Terms of use can only be accepted when authenticating interactively.
Q: How do I see when/if a user has accepted a terms of use?
A: On the Terms of use blade, select the number under Accepted. You can also view or search the accept activity in the Azure AD audit logs. For more information, see View report of who has accepted and declined and View Azure AD audit logs.
Q: How long is information stored?
A: The user counts in the terms of use report and who accepted/declined are stored for the life of the terms of use. The Azure AD audit logs are stored for 30 days.
Q: Why do I see a different number of consents in the terms of use details summary versus the Azure AD audit logs?
A: Terms of use details are stored for the lifetime of the terms of use policy, while the Azure AD audit logs are stored for 30 days.
Q: Why do I see a different number of consents in the terms of use summary versus the exported CSV report?
A: The terms of use details summary reflects aggregated acceptances of the current version of the policy (updated once every day). If expiration is enabled or a terms of use agreement is updated (with re-acceptance required), the count in the summary is reset, since acceptances have expired, and only the current version's count is shown. All acceptance history is still captured in the CSV report.
Q: If hyperlinks are in the terms of use policy PDF document, will end users be able to click them?
A: Yes, end users are able to select hyperlinks to additional pages, but links to sections within the document are not supported. Also, hyperlinks in terms of use policy PDFs do not work when accessed from the Azure AD MyApps/MyAccount portal.
Q: Can a terms of use policy support multiple languages?
A: Yes. Currently there are 108 different languages an administrator can configure for a single terms of use policy. An administrator can upload multiple PDF documents and tag those documents with a corresponding language (up to 108). When end users sign in, the language preference of their browser is checked and the matching document is displayed. If there is no match, the default document, which is the first document that was uploaded, is displayed.
Q: When is the terms of use policy triggered?
A: The terms of use policy is triggered during the sign-in experience.
Q: What applications can I target a terms of use policy to?
A: You can create a Conditional Access policy on enterprise applications using modern authentication. For more information, see enterprise applications.
Q: Can I add multiple terms of use policies to a given user or app?
A: Yes, by creating multiple Conditional Access policies targeting those groups or applications. If a user falls in scope of multiple terms of use policies, they accept one terms of use policy at a time.
Q: What happens if a user declines the terms of use policy?
A: The user is blocked from getting access to the application. The user would have to sign in again and accept the terms to get access.
Q: Is it possible to unaccept a terms of use policy that was previously accepted?
A: You can review previously accepted terms of use policies, but currently there isn't a way to unaccept.
Q: What happens if I'm also using Intune terms and conditions?
A: If you have configured both Azure AD terms of use and Intune terms and conditions, the user is required to accept both. For more information, see the Choosing the right Terms solution for your organization blog post.
Q: What endpoints does the terms of use service use for authentication?
A: Terms of use uses the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com, https://myaccount.microsoft.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of sign-in URLs, you must add these endpoints to your allowlist, along with the Azure AD sign-in endpoints.
Next steps
- Quickstart: Require terms of use to be accepted before accessing cloud apps