Azure AD terms of use policies provide a simple method that organizations can use to present information to end users. This presentation ensures that users see the disclaimers relevant to legal or compliance requirements. This article describes how to get started with terms of use (ToU) policies.
Note
This article contains steps for deleting personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.
Overview videos
The following video provides a quick overview of ToU policies.
More videos can be found at:
- How to implement a terms of use policy in Azure Active Directory
What can I do with terms of use?
Azure AD terms of use policies have the following capabilities:
- Require employees or guests to accept your terms of use before getting access.
- Require employees or guests to accept your terms of use on every device before getting access.
- Require employees or guests to accept your terms of use on a recurring schedule.
- Require employees or guests to accept your terms of use before registering security information in Azure AD Multi-Factor Authentication (MFA).
- Require employees to accept your terms of use before registering security information in Azure AD self-service password reset (SSPR).
- Present general terms of use for all users in your organization.
- Present specific terms of use based on a user's attributes (for example, doctors vs. nurses, or domestic vs. international employees, by using dynamic groups).
- Present specific terms of use when accessing high business impact applications, like Salesforce.
- Present terms of use in different languages.
- List who has or hasn't accepted your terms of use.
- Help you comply with data protection regulations.
- Display a log of terms of use policy activity for compliance and audit.
- Create and manage terms of use by using Microsoft Graph APIs.
Prerequisites
To use and configure Azure AD terms of use policies, you must have:
- Azure AD Premium P1, P2, EMS E3, or EMS E5 licenses.
- If you don't have one of these subscriptions, you can get Azure AD Premium or enable an Azure AD Premium trial.
- One of the following administrator accounts for the directory you want to configure:
  - Global administrator
  - Security administrator
  - Conditional Access administrator
Terms of use document
Azure AD terms of use policies use the PDF format to present content. The PDF file can be any content, such as existing contract documents, allowing you to collect end-user agreements during sign-in. To support users on mobile devices, the recommended font size in the PDF is 24 points.
Add terms of use
Once you've completed your terms of use policy document, use the following procedure to add it.
- Sign in to the Azure portal as a Conditional Access administrator, security administrator, or global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- Select New terms.
- In the Name field, enter a name for the terms of use policy that will be used in the Azure portal.
- For Terms of use document, browse to your finalized terms of use policy PDF and select it.
- Select the language for your terms of use policy document. The language option allows you to upload multiple terms of use policies, each with a different language. The version of the terms of use policy that an end user sees is based on their browser preferences.
- In the Display name field, enter a title that users see when they sign in.
- To require end users to view the terms of use policy before accepting it, set Require users to expand the terms of use to On.
- To require end users to accept your terms of use policy on every device they access from, set Require users to consent on every device to On. Users may be required to install additional applications if this option is enabled. For more information, see Per-device terms of use.
- If you want to expire terms of use policy consents on a schedule, set Expire consents to On. When set to On, two additional schedule settings are displayed.
- Use the Expire starting and Frequency settings to specify the schedule for terms of use policy expirations. The following table shows the result for a couple of example settings:

| Expire starting | Frequency | Result |
|---|---|---|
| Today's date | Monthly | Starting today, users must consent to the terms of use policy and then re-consent every month. |
| Date in the future | Monthly | Starting today, users must consent to the terms of use policy. When the future date occurs, consents expire and then users must re-consent every month. |

For example, if you set the expire starting date to Jan 1 and frequency to Monthly, this is how expirations might occur for two users:

| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alicia | Jan 1 | Feb 1 | Mar 1 | Apr 1 |
| Beto | Jan 15 | Feb 1 | Mar 1 | Apr 1 |

- Use the Duration before re-acceptance required (days) setting to specify the number of days before the user must re-accept the terms of use policy. This allows users to follow their own schedule. For example, if you set the duration to 30 days, this is how expirations might occur for two users:

| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alicia | Jan 1 | Jan 31 | Mar 2 | Apr 1 |
| Beto | Jan 15 | Feb 14 | Mar 16 | Apr 15 |

It's possible to use the Expire consents and Duration before re-acceptance required (days) settings together, but typically you use one or the other.
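The two expiration tables above follow directly from the two settings, and the arithmetic is worth checking because the fixed schedule and the per-user 30-day clock land on different days for each user. The following Python script is an added example (not part of the original article or any Microsoft tool) that recomputes both tables; it assumes a non-leap year, since the article's dates (Jan 31 plus 30 days landing on Mar 2) only hold when February has 28 days.

```python
import calendar
from datetime import date, timedelta

# Constructed sample input reproducing the article's two tables. The year is an
# assumption: "Jan 31 + 30 days = Mar 2" only holds in a non-leap year.
YEAR = 2023
FIRST_ACCEPT = {"Alicia": date(YEAR, 1, 1), "Beto": date(YEAR, 1, 15)}


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping to the month's last day."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def expire_consents_schedule(accepted: date, expire_starting: date,
                             frequency_months: int, count: int = 3) -> list:
    """Expiration dates under the 'Expire consents' setting.

    Consents expire on a tenant-wide schedule (expire_starting, then every
    frequency_months) regardless of when the user accepted: the first
    expiration is the first schedule date strictly after the acceptance date.
    If expire_starting is in the future, that date is the first expiration.
    """
    if frequency_months < 1:
        raise ValueError("frequency must be at least one month")
    out, k = [], 0
    while len(out) < count:
        when = add_months(expire_starting, k * frequency_months)
        if when > accepted:
            out.append(when)
        k += 1
    return out


def reaccept_duration_schedule(accepted: date, days: int, count: int = 3) -> list:
    """Expiration dates under 'Duration before re-acceptance required (days)'.

    Each user runs on their own clock: every expiration falls `days` after the
    previous acceptance, assumed here to happen on the expiration day itself.
    """
    return [accepted + timedelta(days=days * k) for k in range(1, count + 1)]


def schedule_table(mode: str) -> dict:
    """Rebuild one of the article's tables as {user: [ISO expiration dates]}.

    'monthly'    -> Expire starting Jan 1, Frequency monthly
    'duration30' -> Duration before re-acceptance required = 30 days
    """
    if mode == "monthly":
        rows = {u: expire_consents_schedule(d, date(YEAR, 1, 1), 1)
                for u, d in FIRST_ACCEPT.items()}
    elif mode == "duration30":
        rows = {u: reaccept_duration_schedule(d, 30) for u, d in FIRST_ACCEPT.items()}
    else:
        raise ValueError(f"unknown mode: {mode}")
    return {u: [x.isoformat() for x in dates] for u, dates in rows.items()}


if __name__ == "__main__":
    for mode in ("monthly", "duration30"):
        print(mode)
        for user, dates in schedule_table(mode).items():
            print(f"  {user:<7} accepted {FIRST_ACCEPT[user]:%b %d} -> {', '.join(dates)}")
```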
- Under Conditional Access, use the Enforce with Conditional Access policy template list to select the template to enforce the terms of use policy.

| Template | Description |
|---|---|
| Custom policy | Select the users, groups, and apps that this terms of use policy will be applied to. |
| Create Conditional Access policy later | This terms of use policy will appear in the grant control list when creating a Conditional Access policy. |

Important
Conditional Access policy controls (including terms of use policies) do not support enforcement on service accounts. We recommend excluding all service accounts from the Conditional Access policy.
Custom Conditional Access policies enable granular terms of use policies, down to a specific cloud application or group of users. For more information, see Quickstart: Require terms of use to be accepted before accessing cloud apps.
- Select Create.
- If you selected a custom Conditional Access template, a new screen appears that allows you to create the custom Conditional Access policy.
You should now see your new terms of use policy.
View report of who has accepted and declined
The Terms of use blade shows a count of the users who have accepted and declined. These counts and who accepted/declined are stored for the life of the terms of use policy.
- Sign in to Azure and navigate to Terms of use at https://aka.ms/catou.
- For a terms of use policy, select the numbers under Accepted or Declined to see the current state for users.
- To view the history for an individual user, select the ellipsis (...) and then View History.
- In the view history pane, you see a history of all the accepts, declines, and expirations.
View Azure AD audit logs
If you want to view additional activity, Azure AD terms of use policies include audit logs. Each user consent triggers an event in the audit logs that is stored for 30 days. You can view these logs in the portal or download them as a .csv file.
To get started with Azure AD audit logs, use the following procedure:
- Sign in to the Azure portal as a Conditional Access administrator, security administrator, or global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- Select a terms of use policy.
- Select View audit logs.
- On the Azure AD audit logs screen, you can filter the information using the provided lists to target specific audit log information.
- You can also select Download to download the information in a .csv file for use locally.
- Selecting a log entry opens a pane with more details about the activity.
What terms of use looks like for users
Once a ToU policy is created and enforced, users who are in scope see the following screen during sign-in.
Users can view the terms of use policy and, if necessary, use buttons to zoom in and out.
The following screen shows how a ToU policy looks on mobile devices.
Users are only required to accept the terms of use policy once, and they won't see the terms of use policy again on subsequent sign-ins.
How users can review their terms of use
Users can review and see the terms of use policies they've accepted by using the following procedure.
- Sign in to https://myaccount.microsoft.com/.
- Select Settings & Privacy.
- Select Privacy.
- Under Organization's notice, select View next to the terms of use statement you want to review.
Edit terms of use details
You can edit some details of terms of use policies, but you can't modify an existing document. The following procedure describes how to edit the details.
- Sign in to the Azure portal as a Conditional Access administrator, security administrator, or global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- Select the terms of use policy you want to edit.
- Select Edit terms.
- In the Edit terms of use pane, you can change the following options:
  - Name – the internal name of the ToU that isn't shared with end users
  - Display name – the name that end users can see when viewing the ToU
  - Require users to expand the terms of use – setting this option to On forces the end user to expand the terms of use policy document before accepting it.
  - (Preview) You can update an existing terms of use document
  - You can add a language to an existing ToU
- If there are other settings you would like to change, such as the PDF document, require users to consent on every device, expire consents, duration before reacceptance, or the Conditional Access policy, you must create a new ToU policy.
- When you're done, select Save to save your changes.
Update the version or PDF of an existing terms of use
- Sign in to the Azure portal as a Conditional Access administrator, security administrator, or global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- Select the terms of use policy you want to edit.
- Select Edit terms.
- For the language that you want to upload a new version for, select Update under the Action column.
- In the pane on the right, upload the PDF for the new version.
- There's also a toggle option here, Require reaccept, if you want to require your users to accept this new version the next time they sign in. If you require your users to reaccept, the next time they try to access the resource defined in your Conditional Access policy they're prompted to accept this new version. If you don't require your users to reaccept, their previous consent stays current and only new users who haven't consented before, or whose consent expires, see the new version. Until the session expires, Require reaccept doesn't require users to accept the new ToU. If you want to ensure reacceptance, remove and recreate the terms of use policy, or create a new terms of use policy for this case.
- Once you've uploaded your new PDF and decided on reaccept, select Add at the bottom of the pane.
- You'll now see the most recent version under the Document column.
View previous versions of a ToU
- Sign in to the Azure portal as a Conditional Access administrator, security administrator, or global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- Select the terms of use policy for which you want to view the version history.
- Select Languages and version history.
- Select See previous versions.
- You can select the name of the document to download that version.
See who has accepted each version
- Sign in to the Azure portal as a Conditional Access administrator, security administrator, or global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- To see who has currently accepted the ToU, select the number under the Accepted column for the ToU you want.
- By default, the next page shows you the current state of each user's acceptance of the ToU.
- If you want to see the previous consent events, you can select All from the Current State drop-down. Now you can see each user's events in detail about each version and what happened.
- Alternatively, you can select a specific version from the Version drop-down to see who has accepted that specific version.
Add a ToU language
The following procedure describes how to add a ToU language.
- Sign in to the Azure portal as a Conditional Access administrator, security administrator, or global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- Select the terms of use policy you want to edit.
- Select Edit terms.
- Select Add language at the bottom of the page.
- In the Add terms of use language pane, upload your localized PDF and select the language.
- Select Add language.
- Select Save.
- Select Add to add the language.
Per-device terms of use
The Require users to consent on every device setting enables you to require end users to accept your terms of use policy on every device they access from. The end user must register their device in Azure AD. When the device is registered, the device ID is used to enforce the terms of use policy on each device.
Supported platforms and software

| | iOS | Android | Windows 10 | Others |
|---|---|---|---|---|
| Native app | Yes | Yes | Yes | |
| Microsoft Edge | Yes | Yes | Yes | |
| Internet Explorer | Yes | Yes | Yes | |
| Chrome (with extension) | Yes | Yes | Yes | |
Per-device terms of use has the following constraints:
- A device can only be joined to one tenant.
- A user must have permissions to join their device.
- The Intune Enrollment app isn't supported. Ensure that it's excluded from any Conditional Access policy requiring terms of use policies.
- Azure AD B2B users aren't supported.
If the user's device isn't joined, they receive a message that they need to join their device. Their experience depends on the platform and software.
Join a Windows 10 device
If a user is using Windows 10 and Microsoft Edge, they receive a message similar to the following asking them to join their device.
If they're using Chrome, they're prompted to install the Windows 10 Accounts extension.
Register an iOS device
If a user is using an iOS device, they're prompted to install the Microsoft Authenticator app.
Register an Android device
If a user is using an Android device, they're prompted to install the Microsoft Authenticator app.
Browsers
If a user is using a browser that isn't supported, they're asked to use a different browser.
Delete terms of use
You can delete old terms of use policies using the following procedure.
- Sign in to the Azure portal as a Conditional Access administrator, security administrator, or global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- Select the terms of use policy you want to remove.
- Select Delete terms.
- In the message that appears asking if you want to continue, select Yes.
You should no longer see your terms of use policy.
User acceptance record deletion
User acceptance records are deleted:
- When the admin explicitly deletes the ToU. When this change happens, all the acceptance records associated with that specific ToU are also deleted.
- When the tenant loses its Azure Active Directory Premium license.
- When the tenant is deleted.
Policy changes
Conditional Access policies take effect immediately. When this happens, the administrator sees a "sad cloud" or an "Azure AD token issue" message. The administrator needs to sign out and sign in to satisfy the new policy.
Important
Users in scope must sign out and sign in to satisfy a new policy if:
- a Conditional Access policy is enabled on a terms of use policy
- or a second terms of use policy is created
B2B guests
Most organizations have a process in place for their employees to consent to their organization's terms of use policy and privacy statements. But how can you enforce the same consents for Azure AD business-to-business (B2B) guests when they're added via SharePoint or Teams? Using Conditional Access and terms of use policies, you can enforce a policy directly on B2B guest users. During the invitation redemption flow, the user is presented with the terms of use policy.
A terms of use policy is only displayed when the user has a guest account in Azure AD. SharePoint Online currently has an ad hoc external sharing recipient experience to share a document or a folder that doesn't require the user to have a guest account. In this case, no terms of use policy is displayed.
Support for cloud apps
Terms of use policies can be used for different cloud apps, such as Azure Information Protection and Microsoft Intune. This support is currently in preview.
Azure Information Protection
You can configure a Conditional Access policy for the Azure Information Protection app and require a terms of use policy when a user accesses a protected document. This configuration triggers a terms of use policy before a user accesses a protected document for the first time.
Microsoft Intune Enrollment
You can configure a Conditional Access policy for the Microsoft Intune Enrollment app and require a terms of use policy before enrollment of a device in Intune. For more information, see the Choosing the right Terms solution for your organization blog post.
Note
The Intune Enrollment app isn't supported in per-device terms of use.
Frequently asked questions
Q: I cannot sign in using PowerShell when terms of use is enabled.
A: Terms of use can only be accepted when authenticating interactively.
Q: How do I see when/if a user has accepted a terms of use?
A: On the Terms of use blade, select the number under Accepted. You can also view or search the accept activity in the Azure AD audit logs. For more information, see View report of who has accepted and declined and View Azure AD audit logs.
Q: How long is information stored?
A: The user counts in the terms of use report and who accepted/declined are stored for the life of the terms of use policy. The Azure AD audit logs are stored for 30 days.
Q: Why do I see a different number of consents in the terms of use details overview than in the Azure AD audit logs?
A: The terms of use details overview data is stored for the lifetime of that terms of use policy, while the Azure AD audit logs are stored for 30 days.
Q: Why do I see a different number of consents in the terms of use details overview than in the exported CSV report?
A: The terms of use details overview reflects aggregated acceptances of the current version of the policy (updated once every day). If expiration is enabled or a ToU agreement is updated (with re-acceptance required), the count on the details overview is reset since the acceptances are reset, to show the count of the current version. All acceptance history is still captured in the CSV report.
Q: If hyperlinks are in the terms of use policy PDF document, will end users be able to click them?
A: Yes, end users are able to select hyperlinks to additional pages, but links to sections within the document aren't supported. Also, hyperlinks in terms of use policy PDFs don't work when accessed from the Azure AD MyApps/MyAccount portal.
Q: Can a terms of use policy support multiple languages?
A: Yes. Currently there are 108 different languages an administrator can configure for a single terms of use policy. An administrator can upload multiple PDF documents and tag those documents with a corresponding language (up to 108). When end users sign in, we look at their browser language preference and display the matching document. If there's no match, the default document, which is the first document that was uploaded, is displayed.
Q: When is the terms of use policy triggered?
A: The terms of use policy is triggered during the sign-in experience.
Q: What applications can I target a terms of use policy to?
A: You can create a Conditional Access policy for enterprise applications that use modern authentication. For more information, see enterprise applications.
Q: Can I add multiple terms of use policies to a given user or app?
A: Yes, by creating multiple Conditional Access policies targeting those groups or applications. If a user falls in scope for multiple terms of use policies, they accept one terms of use policy at a time.
Q: What happens if a user declines the terms of use policy?
A: The user is blocked from getting access to the application. The user would have to sign in again and accept the terms to get access.
Q: Is it possible to unaccept a terms of use policy that was previously accepted?
A: You can review previously accepted terms of use policies, but currently there isn't a way to unaccept.
Q: What happens if I'm also using Intune terms and conditions?
A: If you've configured both Azure AD terms of use and Intune terms and conditions, the user is required to accept both. For more information, see the Choosing the right Terms solution for your organization blog post.
Q: What endpoints does the terms of use service use for authentication?
A: Terms of use uses the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com, https://myaccount.microsoft.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist for sign-in URLs, you must add these endpoints to the allowlist, along with the Azure AD sign-in endpoints.
Next steps
- Quickstart: Require terms of use to be accepted before accessing cloud apps