Azure AD terms of use policies provide a simple method that organizations can use to present information to end users. This presentation ensures that users see relevant disclaimers for legal or compliance requirements. This article describes how to get started with terms of use (ToU) policies.
Note
This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.
Overview videos
The following video provides a quick overview of ToU policies.
More videos can be found at:
- How to implement a terms of use policy in Azure Active Directory
- How to roll out a terms of use policy in Azure Active Directory
What can I do with terms of use?
Azure AD terms of use policies have the following capabilities:
- Require employees or guests to accept your terms of use before getting access.
- Require employees or guests to accept your terms of use on every device before getting access.
- Require employees or guests to accept your terms of use on a recurring schedule.
- Require employees or guests to accept your terms of use before registering security information in Azure AD Multi-Factor Authentication (MFA).
- Require employees to accept your terms of use before registering security information in Azure AD self-service password reset (SSPR).
- Present general terms of use for all users in your organization.
- Present specific terms of use based on a user's attributes (for example, doctors vs. nurses, or domestic vs. international employees) by using dynamic groups.
- Present specific terms of use when accessing high-business-impact applications, such as Salesforce.
- Present terms of use in different languages.
- List who has or hasn't accepted your terms of use.
- Help meet privacy regulations.
- Display a log of terms of use policy activity for compliance and audit.
- Create and manage terms of use by using the Microsoft Graph API.
Prerequisites
To use and configure Azure AD terms of use policies, you must have:
- An Azure AD Premium P1, P2, EMS E3, or EMS E5 subscription.
- If you don't have one of these subscriptions, you can get Azure AD Premium or enable an Azure AD Premium trial.
- One of the following administrator accounts for the directory you want to configure:
- Global administrator
- Security administrator
- Conditional Access administrator
Terms of use document
Azure AD terms of use policies use the PDF format to present content. The PDF file can be any content, such as existing contract documents, allowing you to collect end-user agreements during sign-in. To support users on mobile devices, the recommended font size in the PDF is 24 pt.
Add terms of use
Once you've finalized your terms of use policy document, use the following procedure to add it.
Sign in to the Azure portal as a Conditional Access administrator, Security administrator, or Global administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select New terms.
In the Name box, enter a name for the terms of use policy that will be used in the Azure portal.
For Terms of use document, browse to your finalized terms of use policy PDF and select it.
Select the language for your terms of use document. The language option allows you to upload multiple terms of use, each with a different language. The version of the terms of use that an end user sees is based on their browser preferences.
In the Display name box, enter a title that users see when they sign in.
To require end users to view the terms of use before accepting them, set Require users to expand the terms of use to On.
To require end users to accept your terms of use on every device they're accessing from, set Require users to consent on every device to On. Users may be required to install additional applications if this option is enabled. For more information, see Per-device terms of use.
If you want to expire terms of use consents on a schedule, set Expire consents to On. When set to On, two additional schedule settings appear.
Use the Expire starting and Frequency settings to specify the schedule for terms of use expirations. The following table shows the result for a couple of example settings:
| Expire starting | Frequency | Result |
|---|---|---|
| Today | Monthly | Starting today, users must consent to the terms of use and then reconsent every month. |
| Date in the future | Monthly | Starting today, users must consent to the terms of use. When that date arrives, consents expire and then users must reconsent every month. |
For example, if you set Expire starting to Jan 1 and Frequency to Monthly, this is how expirations might occur for two users:
| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alice | Jan 1 | Feb 1 | Mar 1 | Apr 1 |
| Bob | Jan 15 | Feb 1 | Mar 1 | Apr 1 |
Use the Duration before re-acceptance required (days) setting to specify the number of days before the user must reaccept the terms of use. This allows users to follow their own schedule. For example, if you set the duration to 30 days, this is how expirations might occur for two users:
| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alice | Jan 1 | Jan 31 | Mar 2 | Apr 1 |
| Bob | Jan 15 | Feb 14 | Mar 16 | Apr 15 |
It's possible to use the Expire consents and Duration before re-acceptance required (days) settings together, but typically you use one or the other.
Under Conditional Access, use the Enforce with Conditional Access policy template list to select the template to enforce the terms of use.
| Template | Description |
|---|---|
| Custom policy | Select the users, groups, and apps that these terms of use will be applied to. |
| Create Conditional Access policy later | These terms of use will appear in the grant control list when creating a Conditional Access policy. |
Important
Conditional Access policy controls (including terms of use policies) don't support enforcement on service accounts. We recommend excluding all service accounts from the Conditional Access policy.
Custom Conditional Access policies enable granular terms of use, down to a specific cloud application or group of users. For more information, see Quickstart: Require terms of use to be accepted before accessing cloud apps.
Select Create.
If you selected a custom Conditional Access template, a new screen appears that allows you to create the custom Conditional Access policy.
You should now see your new terms of use.
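The two tables above describe two different clocks: a fixed schedule anchored at Expire starting, and a rolling window anchored at each user's own acceptance. The following Python is an added worked example, not part of the Azure AD documentation: it computes both schedules for Alice and Bob and also handles the "date in the future" row of the first table, where the first expiration is the start date itself. It assumes a constructed non-leap year (2023) so the 30-day arithmetic matches the tables.

```python
"""Added worked example (not Microsoft's code): compute terms of use expiration
dates for the Expire consents (Monthly) and Duration before re-acceptance
required (days) settings. A constructed non-leap year (2023) is used so the
30-day arithmetic matches the documentation tables."""
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Advance d by whole months, keeping the day of month. The sample schedule
    starts on the 1st, so no end-of-month clamping is needed here."""
    idx = d.month - 1 + months
    return date(d.year + idx // 12, idx % 12 + 1, d.day)


def monthly_expirations(accepted: date, expire_starting: date, count: int = 3) -> list:
    """Expire consents = On, Frequency = Monthly.
    Expirations fall on a fixed schedule anchored at Expire starting, regardless
    of when the user accepted. The first expiration is the first schedule date
    after the acceptance date, or the start date itself if it is still in the
    future (the 'date in the future' row of the table)."""
    n = 0
    while add_months(expire_starting, n) <= accepted:
        n += 1
    return [add_months(expire_starting, n + i) for i in range(count)]


def duration_expirations(accepted: date, days: int, count: int = 3) -> list:
    """Duration before re-acceptance required (days) = days.
    Each expiration is a fixed number of days after the previous acceptance, so
    the schedule follows the user's own acceptance date (assumes the user
    reaccepts on the expiration day)."""
    out, current = [], accepted
    for _ in range(count):
        current = current + timedelta(days=days)
        out.append(current)
    return out


if __name__ == "__main__":
    jan1 = date(2023, 1, 1)
    for name, first in (("Alice", date(2023, 1, 1)), ("Bob", date(2023, 1, 15))):
        print(name, "monthly from Jan 1:",
              [d.strftime("%b %d") for d in monthly_expirations(first, jan1)])
        print(name, "30-day duration:   ",
              [d.strftime("%b %d") for d in duration_expirations(first, 30)])
```

Running the script prints the four rows of the two tables; note how Bob's first expiration under the monthly schedule (Feb 1) comes only 17 days after his acceptance, while under the 30-day duration every user gets the full window.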
View report of who has accepted and declined
The Terms of use blade shows a count of the users who have accepted and declined. These counts and who accepted/declined are stored for the life of the terms of use.
Sign in to Azure and navigate to Terms of use at https://aka.ms/catou.
For a terms of use policy, select the numbers under Accepted or Declined to view the current state for users.
To view the history for an individual user, select the ellipsis (...) and then View History.
In the history view pane, you can see a history of all the accepts, declines, and expirations.
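The same accept/decline history can be pulled programmatically through the Microsoft Graph API mentioned in the capabilities list. The following Python script is an added example, not Microsoft's code: it lists the tenant's terms of use agreements and the acceptance records for one of them (GET /identityGovernance/termsOfUse/agreements and .../agreements/{id}/acceptances, following Graph's @odata.nextLink paging), then reconciles the records against the users a policy is meant to cover. That reconciliation surfaces a category the portal counts alone don't show: in-scope users who have never seen the policy. It assumes the caller supplies a bearer token (token acquisition and the Agreement.Read.All / AgreementAcceptance.Read.All permissions are outside this example); the acceptance records and in-scope user list are constructed inline, shaped like Graph agreementAcceptance objects (userPrincipalName, state, recordedDateTime, expirationDateTime).

```python
"""Added example (not Microsoft's code): list Azure AD terms of use agreements
and their acceptance records through Microsoft Graph, then reconcile the
records against the users a policy should cover. Assumes a bearer token with
Agreement.Read.All / AgreementAcceptance.Read.All is supplied by the caller;
the sample records below are constructed, not real tenant data."""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_get_all(path: str, token: str) -> list:
    """GET a Graph collection, following @odata.nextLink until all pages are read.
    Only used against a real tenant; reconcile() below works offline."""
    url = f"{GRAPH}{path}"
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def list_agreements(token: str) -> list:
    """All terms of use policies (agreement objects) in the tenant."""
    return graph_get_all("/identityGovernance/termsOfUse/agreements", token)


def list_acceptances(agreement_id: str, token: str) -> list:
    """Accept/decline records (agreementAcceptance objects) for one policy."""
    return graph_get_all(
        f"/identityGovernance/termsOfUse/agreements/{agreement_id}/acceptances", token)


def _parse(ts: str) -> datetime:
    # Graph emits UTC timestamps with a trailing 'Z'; make them timezone-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def reconcile(acceptances: list, in_scope_upns: list, now: datetime) -> dict:
    """Classify every in-scope user by their most recent acceptance record.
    Buckets: accepted, expired (accepted but expirationDateTime has passed),
    declined, and never_consented (no record at all for that user)."""
    latest = {}
    for rec in acceptances:
        upn = rec["userPrincipalName"].lower()
        if upn not in latest or _parse(rec["recordedDateTime"]) > _parse(latest[upn]["recordedDateTime"]):
            latest[upn] = rec
    result = {"accepted": [], "expired": [], "declined": [], "never_consented": []}
    for upn in sorted(u.lower() for u in in_scope_upns):
        rec = latest.get(upn)
        if rec is None:
            result["never_consented"].append(upn)
        elif rec["state"] == "declined":
            result["declined"].append(upn)
        elif rec.get("expirationDateTime") and _parse(rec["expirationDateTime"]) <= now:
            result["expired"].append(upn)
        else:
            result["accepted"].append(upn)
    return result


# Constructed sample records, shaped like Graph agreementAcceptance objects.
SAMPLE_ACCEPTANCES = [
    {"userPrincipalName": "alice@contoso.example", "state": "accepted",
     "recordedDateTime": "2023-01-01T09:00:00Z", "expirationDateTime": "2023-02-01T00:00:00Z"},
    {"userPrincipalName": "bob@contoso.example", "state": "declined",
     "recordedDateTime": "2023-01-15T10:30:00Z", "expirationDateTime": None},
    {"userPrincipalName": "carol@contoso.example", "state": "accepted",
     "recordedDateTime": "2023-01-20T08:15:00Z", "expirationDateTime": None},
]
# Constructed list of users the Conditional Access policy targets.
SAMPLE_SCOPE = ["alice@contoso.example", "bob@contoso.example",
                "carol@contoso.example", "dave@contoso.example"]

if __name__ == "__main__":
    report = reconcile(SAMPLE_ACCEPTANCES, SAMPLE_SCOPE,
                       datetime(2023, 2, 15, tzinfo=timezone.utc))
    for bucket, users in report.items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

With a real token, replace SAMPLE_ACCEPTANCES with list_acceptances(agreement_id, token) and SAMPLE_SCOPE with the members of the groups your Conditional Access policy targets. Because Graph returns every accept and decline event, the script keeps only the most recent record per user before classifying, which is what the portal's "current state" view shows.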
View Azure AD audit logs
If you want to view additional activity, Azure AD terms of use policies include audit logs. Each user consent triggers an event in the audit logs that is stored for 30 days. You can view these logs in the portal or download them as a .csv file.
To get started with Azure AD audit logs, use the following procedure:
Sign in to the Azure portal as a Conditional Access administrator, Security administrator, or Global administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select a terms of use policy.
Select View audit logs.
On the Azure AD audit logs screen, you can filter the information using the provided lists to target specific audit log information.
You can also select Download to download the information in a .csv file for use locally.
If you select a log, a pane appears with more activity details.
How users see the terms of use
Once a ToU policy is created and enforced, users who are in scope see the following screen during sign-in.
Users can view the terms of use and, if necessary, use buttons to zoom in and out.
The following screen shows how a ToU policy looks on mobile devices.
Users are only required to accept the terms of use once, and they won't see the terms of use again on subsequent sign-ins.
How users can review their terms of use
Users can review and see the terms of use policies they've accepted by using the following procedure.
- Sign in to https://myaccount.microsoft.com/.
- Select Settings & Privacy.
- Select Privacy.
- Under Organization's notice, select View next to the terms of use statement you want to review.
Edit terms of use details
You can edit some details of terms of use policies, but you can't modify an existing document. The following procedure describes how to edit the details.
Sign in to the Azure portal as a Conditional Access administrator, Security administrator, or Global administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy you want to edit.
Select Edit terms.
In the Edit terms of use pane, you can change the following options:
- Name – the internal name of the ToU that isn't shared with end users
- Display name – the name that end users see when viewing the ToU
- Require users to expand the terms of use – setting this option to On forces the end user to expand the terms of use document before accepting it
- (Preview) You can update an existing terms of use document
- You can add a language to an existing ToU
If there are other settings you would like to change, such as the PDF document, require users to consent on every device, expire consents, duration before re-acceptance, or Conditional Access policy, you must create a new terms of use policy.
When you're done, select Save to save your changes.
Update the version or PDF of an existing terms of use
Sign in to the Azure portal as a Conditional Access administrator, Security administrator, or Global administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy you want to edit.
Select Edit terms.
For the language for which you want to update a new version, select Update under the Action column.
In the pane on the right, upload the PDF for the new version.
There's also a toggle option here, Require reaccept, if you want to require your users to accept this new version the next time they sign in. If you don't require your users to reaccept, their previous consent stays current and only new users who haven't consented before, or whose consent expires, see the new version. Until the session expires, Require reaccept doesn't require users to accept the new ToU. If you want to ensure reaccept, delete and recreate the terms of use, or create a new terms of use for this case.
Once you've uploaded your new PDF and decided on reaccept, select Add at the bottom of the pane.
You'll now see the most recent version under the Document column.
View previous versions of a terms of use
Sign in to the Azure portal as a Conditional Access administrator, Security administrator, or Global administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy for which you want to view the version history.
Select Languages and version history.
Select See previous versions.
You can select the name of the document to download that version.
See who has accepted each version
- Sign in to the Azure portal as a Conditional Access administrator, Security administrator, or Global administrator.
- Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
- To see who has currently accepted the terms of use, select the number under the Accepted column for the desired terms of use.
- By default, the next page shows you the current state of each user's acceptance of the terms of use.
- If you want to see the previous consent events, you can select All from the Current State drop-down list. Now you can see each user's events in detail about each version and what happened.
- Alternatively, you can select a specific version from the Version drop-down list to see who has accepted that specific version.
Add a ToU language
The following procedure describes how to add a ToU language.
Sign in to the Azure portal as a Conditional Access administrator, Security administrator, or Global administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy you want to edit.
Select Edit terms.
Select Add language at the bottom of the page.
In the Add terms of use language pane, upload your localized PDF and select the language.
Select Add language.
Select Save.
Select Add to add the language.
Per-device terms of use
The Require users to consent on every device setting enables you to require end users to accept your terms of use policy on every device they're accessing from. The end user is required to register their device in Azure AD. When the device is registered, the device ID is used to enforce the terms of use policy on each device.
Supported platforms and software.
| | iOS | Android | Windows 10 | Others |
|---|---|---|---|---|
| Native app | Yes | Yes | Yes | |
| Microsoft Edge | Yes | Yes | Yes | |
| Internet Explorer | Yes | Yes | Yes | |
| Chrome (with extension) | Yes | Yes | Yes | |
Per-device terms of use has the following constraints:
- A device can only be joined to one tenant.
- A user must have permission to join their device.
- The Intune Enrollment app isn't supported. Ensure that it's excluded from any Conditional Access policy requiring terms of use.
- Azure AD B2B users aren't supported.
If the user's device isn't joined, they receive a message that they need to join their device. Their experience depends on the platform and software.
Join a Windows 10 device
If a user is using Windows 10 and Microsoft Edge, they receive a message similar to the following to join their device.
If the user is using Chrome, they're prompted to install the Windows 10 Accounts extension.
Register an iOS device
If a user is using an iOS device, they're prompted to install the Microsoft Authenticator app.
Register an Android device
If a user is using an Android device, they're prompted to install the Microsoft Authenticator app.
Browsers
If a user is using a browser that isn't supported, they're asked to use a different browser.
Delete terms of use
You can delete old terms of use policies by using the following procedure.
Sign in to the Azure portal as a Conditional Access administrator, Security administrator, or Global administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Terms of use.
Select the terms of use policy you want to remove.
Select Delete terms.
In the message that appears asking if you want to continue, select Yes.
You should no longer see your terms of use.
User acceptance record deletion
User acceptance records are deleted:
- When the administrator explicitly deletes the ToU. When this change happens, all the acceptance records associated with that specific ToU are also deleted.
- When the tenant loses its Azure Active Directory Premium license.
- When the tenant is deleted.
Policy changes
Conditional Access policies take effect immediately. When this happens, the administrator sees a "sad cloud" or "Azure AD token issue" message. The administrator must sign out and sign in to satisfy the new policy.
Important
Users in scope must sign out and sign in to satisfy a new policy if:
- A Conditional Access policy is enabled on a terms of use policy
- Or a second terms of use policy is created
B2B guests
Most organizations have a process in place for their employees to consent to their organization's terms of use policy and privacy statements. But how can you enforce the same consents for Azure AD business-to-business (B2B) guests when they're added through SharePoint or Teams? Using Conditional Access and terms of use policies, you can enforce a policy directly on B2B guest users. During the invitation redemption flow, the user is presented with the terms of use policy.
Terms of use policies are displayed only when the user has a guest account in Azure AD. SharePoint Online currently has an ad hoc external sharing recipient experience to share a document or a folder that doesn't require the user to have a guest account. In this case, a terms of use policy isn't displayed.
Support for cloud apps
Terms of use policies can be used for different cloud apps, such as Azure Information Protection and Microsoft Intune. This support is currently in preview.
Azure Information Protection
You can configure a Conditional Access policy for the Azure Information Protection app and require a terms of use policy when a user accesses a protected document. This configuration triggers a terms of use policy before a user accesses a protected document for the first time.
Microsoft Intune Enrollment
You can configure a Conditional Access policy for the Microsoft Intune Enrollment app and require a terms of use policy before enrolling a device in Intune. For more information, read the Choosing the right Terms solution for your organization blog post.
Note
The Intune Enrollment app isn't supported for per-device terms of use.
Frequently asked questions
Q: I can't sign in using PowerShell when terms of use are enabled.
A: Terms of use can only be accepted when authenticating interactively.
Q: How do I see when or if a user has accepted a terms of use?
A: On the Terms of use blade, select the number under Accepted. You can also view or search the accept activity in the Azure AD audit logs. For more information, see View report of who has accepted and declined and View Azure AD audit logs.
Q: How long is information stored?
A: The user counts in the terms of use report and who accepted/declined are stored for the life of the terms of use. The Azure AD audit logs are stored for 30 days.
Q: Why do I see a different number of consents in the terms of use details summary versus the Azure AD audit logs?
A: The terms of use details summary data is stored for the lifetime of that terms of use policy, while the Azure AD audit logs are stored for 30 days.
Q: Why do I see a different number of consents in the terms of use details summary versus the exported CSV report?
A: The terms of use details summary reflects aggregated acceptances of the current version of the policy (updated once every day). When expiration is enabled or a ToU agreement is updated (with reacceptance required), the count on the details summary is reset since the acceptances have expired, showing the count for the current version. All acceptance history is still captured in the CSV report.
Q: If hyperlinks are in the terms of use PDF document, will end users be able to click them?
A: Yes, end users can select hyperlinks to additional pages, but links to sections within the document aren't supported. Also, hyperlinks in terms of use PDFs don't work when accessed from the Azure AD MyApps/MyAccount portal.
Q: Can a terms of use policy support multiple languages?
A: Yes. Currently there are 108 different languages an administrator can configure for a single terms of use policy. An administrator can upload multiple PDF documents and tag those documents with a corresponding language (up to 108). When end users sign in, we look at their browser language preference and display the matching document. If there's no match, we display the default document, which is the first document uploaded.
Q: When is the terms of use policy triggered?
A: The terms of use policy is triggered during the sign-in experience.
Q: What applications can I target a terms of use policy on?
A: You can create a Conditional Access policy on the enterprise applications that use modern authentication. For more information, see Enterprise applications.
Q: Can I add multiple terms of use policies to a given user or app?
A: Yes, by creating multiple Conditional Access policies targeting those groups or applications. If a user falls in scope for more than one terms of use policy, they accept one terms of use policy at a time.
Q: What happens if a user declines the terms of use policy?
A: The user is blocked from getting access to the application. The user would have to sign in again and accept the terms to get access.
Q: Is it possible to unaccept a terms of use policy that was previously accepted?
A: You can review previously accepted terms of use policies, but currently there isn't a way to unaccept.
Q: What happens if I'm also using Intune terms and conditions?
A: If you've configured both Azure AD terms of use and Intune terms and conditions, the user is required to accept both. For more information, see the Choosing the right Terms solution for your organization blog post.
Q: What endpoints does the terms of use service use for authentication?
A: Terms of use uses the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com, https://myaccount.microsoft.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of sign-in URLs, you need to add these endpoints to your allowlist, along with the Azure AD endpoints for sign-in.
Next steps
- Quickstart: Require terms of use to be accepted before accessing cloud apps