Azure Active Directory Terms of Service - Microsoft Sign In (2023)


Azure AD Terms of Use provide a simple way for organizations to present information to end users. This presentation ensures users see disclaimers relevant to legal or compliance needs. This article describes how to get started with Terms of Use (ToU).

Note

This article provides steps to remove personal data from your device or service and can be used to support your obligations under the GDPR. General information on the GDPR can be found in the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.


What can I do with the Terms of Use?

Azure AD Terms of Use have the following features:

  • Require employees or guests to agree to your terms of service before being granted access.
  • Require employees or guests to accept your terms of service on each device before being granted access.
  • Prompt employees or guests to agree to your terms of service on a regular basis.
  • Require employees or guests to accept your terms of service before registering security credentials in Azure AD Multi-Factor Authentication (MFA).
  • Require employees to accept your terms of service before registering security information in Azure AD Self-Service Password Reset (SSPR).
  • Present general terms of use to all users in your organization.
  • Present specific terms of use based on a user's attributes (e.g. doctors vs. nurses or national vs. international staff, by using dynamic groups).
  • Establish specific terms of use when accessing high-business-value apps like Salesforce.
  • Present the terms of service in different languages.
  • List who has and has not accepted your terms of service.
  • Help meet data protection regulations.
  • View a log of Terms of Use policy activity for compliance and auditing.
  • Create and manage Terms of Service with the Microsoft Graph API.

Prerequisites

To use and configure the Azure AD Terms of Service, you need the following:

  • Azure AD Premium P1, P2, EMS E3, or EMS E5 licenses.
    • If you don't have any of these subscriptions, you can get Azure AD Premium or activate the Azure AD Premium trial.
  • One of the following administrator accounts for the directory you want to configure:
    • Global Administrator
    • Security Administrator
    • Conditional Access Administrator

Terms of use document

Azure AD Terms of Use use the PDF format to present content. The PDF file can have any content, e.g. existing contract documents, so you can collect end user agreements during user sign-in. To help mobile users, the recommended font size in the PDF is 24 points.

Add Terms of Service

After completing the Terms of Service policy document, use the following procedure to add it.

  1. Sign in to the Azure portal as a conditional access admin, security admin, or global admin.

  2. Navigate to Azure Active Directory > Security > Conditional Access > Terms of Use.

  3. Select New terms.

  4. In the Name field, enter a name for the terms of use to use in the Azure portal.

  5. For Terms of use document, browse to the PDF of the final Terms of Use and select it.

  6. Select the language for your Terms of Use document. The language option allows you to upload multiple terms of use, each with a different language. The version of the Terms of Service that an end user sees is based on their browser settings.

  7. In the Display name field, enter a title that users will see when they sign in.

  8. To require end users to read the terms of service before accepting them, set Prompt users to expand the terms of service to On.

  9. To require end users to accept your terms of service on any device they access it from, set Require user consent on any device to On. Users may need to install other apps when this option is enabled. For more information, see Terms of Use by Device.

  10. If you want consents to the terms of use to expire on a schedule, set Expiration of Consents to On. When enabled, two more schedule settings appear.

  11. Use the Expires in and Frequency settings to set the schedule for the expiration of the Terms of Service. The following table shows the result of some sample configurations:

    | Expires in | Frequency | Result |
    | --- | --- | --- |
    | Today's date | Monthly | Starting today, users must agree to the Terms of Service and re-accept them each month. |
    | Date in the future | Monthly | Starting today, users must agree to the Terms of Service. When the future date arrives, consents will expire and users will have to re-accept each month. |

    For example, if you set Expires in to January 1 and Frequency to Monthly, this is what expiration times for two users might look like:

    | User | First acceptance date | First expiration date | Second expiration date | Third expiration date |
    | --- | --- | --- | --- | --- |
    | Alice | January 1 | February 1 | March 1 | April 1 |
    | Bob | January 15 | February 1 | March 1 | April 1 |

  12. Use the Time required to resume (days) setting to specify the number of days before the user must accept the terms of use again. This allows users to follow their own schedule. For example, if you set the duration to 30 days, this is what expiration times for two users might look like:

    | User | First acceptance date | First expiration date | Second expiration date | Third expiration date |
    | --- | --- | --- | --- | --- |
    | Alice | January 1 | January 31 | March 2 | April 1 |
    | Bob | January 15 | February 14 | March 16 | April 15 |

    It is possible to use the Expiration of Consents and Time required to resume (days) settings together, but usually one or the other is used.

  13. Under Conditional Access, use the Apply with Conditional Access policy template list to select the template to enforce the Terms of Use.

    | Template | Description |
    | --- | --- |
    | Custom policy | Select the users, groups, and apps to which these Terms of Service apply. |
    | Create Conditional Access policy later | These terms of use appear in the grant control list when creating a Conditional Access policy. |

    Important

    Conditional Access policy controls (including Terms of Service) do not support enforcement for service accounts. We recommend excluding all service accounts from the Conditional Access policy.

    Custom Conditional Access policies enable granular terms of use down to a specific cloud application or user group. For more information, see Quickstart: Require agreement to terms of service before accessing cloud apps.

  14. Select Create.

    If you selected a custom Conditional Access template, a new screen will appear where you can create the custom Conditional Access policy.

    You should now see your new Terms of Service.
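The two expiration models from steps 11 and 12, worked through in Python as an added example (it is not Microsoft's code and not part of the original article). The function names and the year 2023 are illustrative assumptions, and the per-user model assumes each user re-accepts on the day the previous consent expires, as the tables in step 12 do.

```python
from datetime import date, timedelta


def add_months(d, months):
    """Return the same day-of-month `months` later, clamped to month end."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def fixed_schedule_expiries(start, accepted, count, months=1):
    """Step 11 model: consents lapse on tenant-wide dates.

    The dates are start, start + 1 period, start + 2 periods, ... so every
    user is re-prompted on the same day, whenever they first accepted.
    """
    if months < 1:
        raise ValueError("months must be at least 1")
    expiries, k = [], 0
    while len(expiries) < count:
        # Always computed from `start`, so a day-31 start does not drift.
        boundary = add_months(start, k * months)
        if boundary > accepted:
            expiries.append(boundary)
        k += 1
    return expiries


def rolling_expiries(accepted, days, count):
    """Step 12 model: each consent lasts `days` days from acceptance.

    Assumption: the user re-accepts on the day the previous consent expires.
    """
    if days < 1:
        raise ValueError("days must be at least 1")
    return [accepted + timedelta(days=days * n) for n in range(1, count + 1)]


def reprompt_dates(users, count, start=None, days=None):
    """Return {user: [expiry dates]} for exactly one of the two models."""
    if (start is None) == (days is None):
        raise ValueError("pass exactly one of start= or days=")
    if start is not None:
        return {u: fixed_schedule_expiries(start, a, count)
                for u, a in users.items()}
    return {u: rolling_expiries(a, days, count) for u, a in users.items()}


if __name__ == "__main__":
    # Constructed sample data matching the two users in the tables above.
    users = {"Alice": date(2023, 1, 1), "Bob": date(2023, 1, 15)}
    for label, kwargs in (("Fixed monthly schedule from January 1",
                           {"start": date(2023, 1, 1)}),
                          ("30 days per user", {"days": 30})):
        print(label)
        for user, dates in reprompt_dates(users, 3, **kwargs).items():
            print(f"  {user}: " + ", ".join(d.strftime("%b %d") for d in dates))
```

With the fixed schedule both users are re-prompted on the same dates, which makes compliance reporting simpler; with the per-user duration the re-prompt dates spread out according to each user's own acceptance date.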

View the report of who accepted and declined

The Terms of Use blade shows the number of users who have accepted and declined. These counts, and the record of who accepted or declined, are stored for the life of the Terms of Service.

  1. Sign in to Azure and go to Terms of Use at https://aka.ms/catou.

  2. For a Terms of Service policy, select the numbers under Accepted or Declined to see the current status of users.

  3. To view a single user's history, select the ellipsis (...) and then View History.

    In the View History section, you can see a history of all acceptances, rejections, and expiration times.

View Azure AD audit logs

If you want to see more activity, the Azure AD Terms of Service includes audit logs. Each user consent triggers an event in the audit logs, which is stored for 30 days. You can view these logs in the portal or download them as a CSV file.

To get started with Azure AD audit logs, use the following procedure:

  1. Sign in to the Azure portal as a conditional access admin, security admin, or global admin.

  2. Navigate to Azure Active Directory > Security > Conditional Access > Terms of Use.

  3. Select a Terms of Use.

  4. Select View audit logs.

  5. On the Azure AD Audit Logs screen, you can use the provided lists to filter the information to target specific audit log information.

    You can also select Download to download the information to a .csv file for local use.

    Selecting a record will bring up a pane with more activity details.

What are the terms of service for users?

Once a ToU policy is created and applied, users in scope will see the following screen upon login.

Users can view the terms of service and use the zoom in and out buttons if needed.

The following screen shows what a ToU policy looks like on mobile devices.

Users only have to accept the Terms of Use once and will not see the Terms of Use on subsequent logins.

How users can review their Terms of Service

Users can review the Terms of Service they have accepted by following the procedure below.

  1. Sign in to https://myaccount.microsoft.com/.
  2. Select Settings and Privacy.
  3. Select Privacy.
  4. Under Organization's notice, select View next to the Terms of Service you want to review.

Edit Terms of Use details

You can edit some Terms of Service details, but you can't change an existing document. The following procedure describes how to edit the details.

  1. Sign in to the Azure portal as a conditional access admin, security admin, or global admin.

  2. Navigate to Azure Active Directory > Security > Conditional Access > Terms of Use.

  3. Select the terms of use you want to edit.

  4. Select Edit terms.

  5. In the Edit Terms of Use section, you can change the following options:

    • Name – the internal name of the terms of use, which is not shared with end users
    • Display name – the name that end users can see when viewing the Terms of Service
    • Prompt users to expand the terms of service – setting this option to On forces the end user to expand the terms of use document before accepting it.
    • (Preview) You can update an existing terms of use document
    • You can add a language to existing Terms of Service

    If you want to change other settings, such as the PDF document, user consent on each device, consent expiration, length of time before re-acceptance, or Conditional Access policy, you need to create a new Terms of Service policy.

  6. When you're done, select Save to save your changes.

Update a version or PDF of an existing Terms of Use

  1. Sign in to the Azure portal as a conditional access admin, security admin, or global admin.

  2. Navigate to Azure Active Directory > Security > Conditional Access > Terms of Use.

  3. Select the terms of use you want to edit.

  4. Select Edit terms.

  5. For the language that you want to update with a new version, select Update under the Action column.

  6. In the right pane, upload the new version in PDF format.

  7. There is also a toggle option here, Accept again, if you want to prompt your users to accept this new version at next sign-in. If you require your users to accept again, they'll be prompted to accept that new version the next time they try to access the resource defined in your Conditional Access policy. If you don't require your users to accept again, the previous consent will remain in effect and only new users who have not previously consented or whose consent has expired will see the new version. Until the session expires, Accept again does not require users to accept the new Terms of Service. If you want to ensure re-acceptance, delete and recreate the Terms of Service for that case.

  8. After you've uploaded your new PDF and decided on re-acceptance, select Add at the bottom of the panel.

  9. You will now see the latest version in the Document column.

View previous versions of a Terms of Use

  1. Sign in to the Azure portal as a conditional access admin, security admin, or global admin.

  2. Navigate to Azure Active Directory > Security > Conditional Access > Terms of Use.

  3. Select the Terms of Service for which you want to view version history.

  4. Select Languages and version history.

  5. Select See previous versions.

  6. You can select the document name to download that version.

See who accepted which version

  1. Sign in to the Azure portal as a conditional access admin, security admin, or global admin.
  2. Navigate to Azure Active Directory > Security > Conditional Access > Terms of Use.
  3. To see who has accepted the Terms of Service, select the number under the Accepted column for the desired terms of use.
  4. By default, the next page shows the current status of each user's acceptance of the ToU.
  5. If you want to view previous consent events, you can select All from the Current State drop-down list. Now you can see each user's events in detail about each version and what happened.
  6. Alternatively, you can select a specific version from the Version drop-down list to see who has accepted this particular version.

Add a ToU language

The following procedure describes how to add a ToU language.

  1. Sign in to the Azure portal as a conditional access admin, security admin, or global admin.

  2. Navigate to Azure Active Directory > Security > Conditional Access > Terms of Use.

  3. Select the terms of use you want to edit.

  4. Select Edit terms.

  5. Select Add language at the bottom of the page.

  6. In the Add Terms of Use Language section, upload the localized PDF and select the language.

  7. Select Add language.

  8. Select Save.

  9. Select Add to add the language.

Terms of Use by Device

The Require user consent on any device setting allows you to require end users to accept your Terms of Service on any device they access it from. The end user must register their device with Azure AD. When the device is registered, the device ID is used to enforce the terms of service on each device.

Supported platforms and software:

|  | iOS | Android | Windows 10 | Other |
| --- | --- | --- | --- | --- |
| Native app | Yes | Yes | Yes |  |
| Microsoft Edge | Yes | Yes | Yes |  |
| Internet Explorer | Yes | Yes | Yes |  |
| Chrome (with extension) | Yes | Yes | Yes |  |

Per-device Terms of Use have the following limitations:

  • A device can only be joined to one tenant.
  • A user must have permissions to join their device.
  • The Intune enrollment app is not supported. Make sure it is excluded from any Conditional Access policy that requires a Terms of Use policy.
  • B2B Azure AD users are not supported.

If the user's device isn't joined, they'll get a message that they need to join their device. Their experience depends on the platform and software.

Join a Windows 10 device

When a user is using Windows 10 and Microsoft Edge, they receive a message similar to the following to join their device.

If they're using Chrome, they'll be prompted to install the Windows 10 Accounts extension.

Register an iOS device

If a user is using an iOS device, they will be prompted to install the Microsoft Authenticator app.

Register an Android device

If a user is using an Android device, they will be prompted to install the Microsoft Authenticator app.

Browser

If a user is using an unsupported browser, they will be prompted to use a different browser.

Delete Terms of Use

You can delete old Terms of Use using the following procedure.

  1. Sign in to the Azure portal as a conditional access admin, security admin, or global admin.

  2. Navigate to Azure Active Directory > Security > Conditional Access > Terms of Use.

  3. Select the terms of use you want to delete.

  4. Select Delete terms.

  5. In the message asking if you want to continue, select Yes.

    You should no longer see your Terms of Service.

Clearing the User Acceptance Log

User acceptance records are deleted:

  • When the admin explicitly deletes the Terms of Service. When this change occurs, all acceptance records associated with those specific Terms of Use are also deleted.
  • When the tenant loses its Azure Active Directory Premium license.
  • When the tenant is deleted.

Policy changes

Conditional Access policies take effect immediately. When this happens, the admin starts to see "sad clouds" or "Azure AD token problems". The admin must sign out and sign in again to satisfy the new policy.

Important

Users in scope must sign out and sign in again to satisfy a new policy if:

  • A Conditional Access policy is enabled on a Terms of Service policy
  • or a second Terms of Service policy is created

B2B guests

Most organizations have a process for their employees to agree to their organization's terms of service, policies, and privacy statements. But how can you enforce the same consents for business-to-business (B2B) Azure AD guests when they're added via SharePoint or Teams? Conditional Access policies and Terms of Service allow you to apply a policy directly to B2B guest users. During the invitation redemption process, the user is presented with the Terms of Service.

Terms of Service are only displayed if the user has a guest account in Azure AD. Currently, SharePoint Online has an ad hoc external sharing recipient experience to share a document or folder that does not require the user to have a guest account. In this case, no terms of use will be displayed.

Cloud application support

Terms of use can be used for various cloud applications such as Azure Information Protection and Microsoft Intune. This support is currently in preview.

Azure Information Protection

You can configure a conditional access policy for your Azure Information Protection application and require a terms of use policy when a user accesses a protected document. This setting triggers a terms of use policy before a user accesses a protected document for the first time.

Registration for Microsoft Intune

You can configure a conditional access policy for the Microsoft Intune enrollment app and require a terms of use policy before enrolling a device in Intune. For more information, see the How to choose the right term solution for your organization blog post.

Note

The Intune enrollment app is not supported for Terms of Use by Device.

Frequently Asked Questions

Q: I can't sign in with PowerShell when Terms of Service are enabled.
A: Terms of Service can only be accepted if you authenticate interactively.

Q: How do I see if a user has accepted the Terms of Service?
A: On the Terms of Use blade, select the number under Accepted. You can also view or search acceptance activity in the Azure AD audit logs. For more information, see View the report of who accepted and declined and View Azure AD audit logs.

Q: How long is the information stored?
A: The user counts in the Terms of Service report and the record of who accepted/declined are stored for the life of the Terms of Service. Azure AD audit logs are retained for 30 days.

Q: Why am I seeing a different number of consents in the Terms of Service overview compared to the Azure AD audit logs?
A: Terms of Service data is retained for the duration of these Terms of Service, while Azure AD audit logs are retained for 30 days.

Q: Why do I see a different number of consents in the Terms of Use Summary compared to the exported CSV report?
A: The Terms of Use details overview reflects the aggregated acceptances of the current version of the policy (updated once a day). When expiration is enabled or a ToU agreement is updated (requiring a new acceptance), the count in the details overview is reset because the acceptances have expired, so it shows the count for the current version. All acceptance history is still captured in the CSV report.

Q: If the hyperlinks are in the Terms of Use PDF, can end users click them?
A: Yes, end users can select hyperlinks to other pages, but links to sections within the document are not supported. Also, the hyperlinks in the usage policy PDFs do not work when accessed through the Azure AD MyApps/MyAccount portal.

Q: Can Terms of Service support multiple languages?
A: Yes. There are currently 108 different languages that an administrator can configure for a single Terms of Service policy. An administrator can upload multiple PDF documents and tag them with the appropriate language (up to 108). When end users sign in, we check their browser's language setting and display the appropriate document. If there is no match, we display the default document, which is the first document uploaded.

Q: When do the Terms of Service take effect?
A: The terms of use are triggered during the sign-in process.

Q: Which apps can I apply Terms of Service to?
A: You can create a conditional access policy for enterprise apps using modern authentication. For more information, see Enterprise apps.

Q: Can I add multiple Terms of Service for a specific user or app?
A: Yes, by creating multiple Conditional Access policies targeting those groups or apps. If a user falls within the scope of multiple Terms of Use, they accept one Terms of Use at a time.

Q: What happens if a user rejects the Terms of Service?
A: User's access to the application will be blocked. The user would have to sign in again and agree to the terms to gain access.

Q: Is it possible to withdraw acceptance of a previously accepted Terms of Service?
A: You can review previously accepted terms of use, but there is currently no way to withdraw acceptance.

Q: What if I also use the Intune Terms of Service?
A: If you have configured both the Azure AD Terms of Service and the Intune Terms of Service, the user must accept both. For more information, see the How to choose the right term solution for your organization blog post.

Q: What endpoints does the Terms of Service service use for authentication?
A: The Terms of Service uses the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com, https://myaccount.microsoft.com and https://account.activedirectory.windowsazure.com. If your organization has a whitelist of login URLs, you must add these endpoints to your whitelist along with the Azure AD login endpoints.

Next Steps

  • Quickstart: Require agreement to terms of service before accessing cloud apps

Article information

Author: Jeremiah Abshire

Last Updated: 08/22/2023
