In the good old days there were organizations who were fond of throwing a message up in front of users each time they logged in to their Windows computer on the domain. The messages were typical warnings about improper use of corporate PCs, the internet, and so on.
The old approach had a few problems. First, users would largely ignore the message, and just became trained to hit the Enter key quickly to skip past it every day, because the message appears every time they log in. Also, there was no enforcement mechanism, other than saying that continuing to use the computer implied agreement with the terms of use. Nor is the agreement or disagreement with the terms of use audited in any way. Today, that’s just not good enough for organizations that truly care about ensuring that users are aware of the terms of use of their corporate computers, apps, and services.
Furthermore, in the modern cloud era users are able to log in to all sorts of SaaS applications using their corporate account credentials. Although some SaaS apps have their own method of displaying terms of use, a central point of management is best. Fortunately, Azure Active Directory provides that central point with Azure AD Terms of Use, which is a feature of conditional access.
Configuring terms of use in Azure AD requires you to be licensed for Azure AD Premium P1/P2, which are available as standalone licenses or bundled in the EM+S E3/E5 licenses.
You’ll find the terms of use in the conditional access section of the Azure AD portal.
You can have multiple terms of use, which are assigned to users by conditional access policies (which I’ll show you in a moment). Creating terms of use is simple, with just a few fields to fill out. The terms of use themselves are supplied in a PDF document that you must create yourself (or have your legal department create).
The option to require users to expand the terms of use means that they must display the full document before they are allowed to accept or decline it. If they don’t expand it, then they’ll receive a message similar to this.
The conditional access option for the terms of use determines whether a new conditional access policy is created for these terms. If you choose “Access to cloud apps”, an entire policy is created for all users (even admins) and all apps, with no exceptions.
Important! If you allow the terms of use to create a new conditional access policy automatically, the policy applies to all users. That includes the account that AAD Connect uses to authenticate during sync operations. This will cause AAD Connect directory synchronization to break. The solution is to add an exclusion to the conditional access policy for your Sync_* user account.
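As an added example (not from the original article), the following Microsoft Graph PowerShell script audits every conditional access policy that requires terms of use and reports any that still apply to the AAD Connect Sync_* account; it assumes the Microsoft.Graph module is installed, that the sync account's UPN begins with "Sync_" as described above, and that the `$ApplyFix` switch and the permission scopes shown are the ones you use.

```powershell
# Added example: find Terms of Use policies that would catch the AAD Connect sync account.
# Assumes the Microsoft Graph PowerShell SDK; Policy.ReadWrite.ConditionalAccess is only
# needed when $ApplyFix is $true.
$ApplyFix = $false
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

# AAD Connect names its service account Sync_<server>_<id>, so match on the UPN prefix.
$syncAccounts = Get-MgUser -Filter "startsWith(userPrincipalName,'Sync_')" -All

# Only policies whose grant control includes a Terms of Use agreement are of interest.
$touPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.TermsOfUse.Count -gt 0 }

foreach ($policy in $touPolicies) {
    $users = $policy.Conditions.Users
    # The auto-created policy targets "All" users; a narrower policy is not a problem here.
    if ($users.IncludeUsers -notcontains 'All') { continue }

    foreach ($sync in $syncAccounts) {
        if ($users.ExcludeUsers -contains $sync.Id) {
            Write-Output "OK: '$($policy.DisplayName)' excludes $($sync.UserPrincipalName)"
            continue
        }
        Write-Warning "'$($policy.DisplayName)' (state: $($policy.State)) applies to $($sync.UserPrincipalName); directory sync will break"

        if ($ApplyFix) {
            # Graph replaces the whole users block on update, so resend every existing
            # include/exclude list and append the sync account to excludeUsers.
            $fixedUsers = @{
                includeUsers  = $users.IncludeUsers
                excludeUsers  = @($users.ExcludeUsers) + $sync.Id
                includeGroups = $users.IncludeGroups
                excludeGroups = $users.ExcludeGroups
                includeRoles  = $users.IncludeRoles
                excludeRoles  = $users.ExcludeRoles
            }
            Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
                -BodyParameter @{ conditions = @{ users = $fixedUsers } }
            Write-Output "Added exclusion for $($sync.UserPrincipalName) to '$($policy.DisplayName)'"
        }
    }
}
```

Run it first with `$ApplyFix = $false` to see which policies are affected; the exclusion is only written when the switch is set to `$true`.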
The other option is to “Create the conditional access policy later”.
If you choose that option, the terms become available as an access control in conditional access policies. Note that any terms of use will become available as an access control no matter which of the two conditional access options you chose when creating them.
It’s also possible to use the same terms of use for multiple policies, or to have multiple policies with their own unique terms of use. You can even “stack” terms of use policies such that a user will need to accept a general terms of use when they first log in to any application, and then have additional app-specific terms of use if there are additional policies that they must comply with for those apps.
For your end users the experience is mostly a good one. Logging in to any app through the browser, a desktop app, or a mobile app will present the terms of use to be accepted or declined.
What I did find was that multiple apps could simultaneously present the terms of use. Logging in to a desktop, I opened a web browser to access Outlook, and as I was reviewing the terms of use both the Teams and OneDrive apps on the desktop also popped up a login dialog with the terms of use displayed.
That could be an edge case though. Either way, once you’ve accepted the terms of use you are no longer presented with them at login. This is an improvement from the old days of the login messages that would show up every single time you logged in.
For admins or compliance staff the list of terms of use in the Azure AD portal will show the number of accept and decline results. There’s also an audit log showing a timeline of events, both administrative and end user.
All up this is a decent feature, certainly an improvement over the old way of doing things. The additional license cost stings a little, but by now it seems we just need to get used to anything even remotely resembling a compliance feature being available through premium license tiers.
Very good article Paul!!! If I set the Terms of Use… What is the user experience for users that have no E3/E5 license?
Hi Paul.
Thanks for useful article.
Do you know what is retention policy of stored compliance data in Azure Terms of use?
From your article: “For admins or compliance staff the list of terms of use in the Azure AD portal will show the number of accept and decline results. There’s also an audit log showing a timeline of events, both administrative and end user”.
My question is: How long such data will be stored? What are the conditions? Can we manually withdraw such consent if user wishes to from admin panel?
Thank you in advance for your help.
Aga
Hello Aga – Did you ever determine the answer to this question of yours?
Thanks,
Laura
Great article, but how do I download the terms of use .pdf document from Azure?
Hi Paul,
I have an issue with the Terms of Use on the OneDrive application. If I set ToU (for OneDrive for Business) and go to the mobile application (Android and iOS) I can't download the .pdf file to see it correctly; I mean, the link "Do you have problems with visualization? Click here." doesn't work, it does nothing (only in the mobile app).
Can you set this up to repeat every year? Or set up a time frame for this policy to be in effect? Example, we want faculty and staff to do this every year at the beginning of the fall semester. Thanks!
Good question. From the Microsoft FAQ: "an administrator can change the terms of use terms and it requires reaccepting the new terms."