In the good old days there were organizations who were fond of throwing a message up in front of users each time they logged in to their Windows computer on the domain. The messages were typical warnings about improper use of corporate PCs, the internet, and so on.

Configuring Terms of Use for User Logins to Office 365 and Azure Active Directory

The old approach had a few problems. First, users largely ignored the message and became trained to hit the Enter key to skip past it, because it appeared every time they logged in. Second, there was no enforcement mechanism, other than saying that continuing to use the computer implied agreement with the terms of use. Third, agreement or disagreement with the terms of use was not audited in any way. Today, that’s just not good enough for organizations that truly care about ensuring that users are aware of the terms of use of their corporate computers, apps, and services.

Furthermore, in the modern cloud era users are able to log in to all sorts of SaaS applications using their corporate account credentials. Although some SaaS apps have their own method of displaying terms of use, a central point of management is best. Fortunately, Azure Active Directory provides that central point with Azure AD Terms of Use, which is a feature of conditional access.

Configuring terms of use in Azure AD requires you to be licensed for Azure AD Premium P1/P2, which are available as standalone licenses or bundled in the EM+S E3/E5 licenses.

You’ll find the terms of use in the conditional access section of the Azure AD portal.

You can have multiple terms of use, which are assigned to users by conditional access policies (which I’ll show you in a moment). Creating terms of use is simple, with just a few fields to fill out. The terms of use themselves are supplied in a PDF document that you must create yourself (or have your legal department create).

The option to require users to expand the terms of use means that they must display the full document before they are allowed to accept or decline it. If they don’t expand it, then they’ll receive a message similar to this.

The conditional access option for the terms of use determines whether a new conditional access policy is created for these terms. If you choose “Access to cloud apps”, an entire policy is created for all users (even admins) and all apps, with no exceptions.

Important! If you allow the terms of use to create a new conditional access policy automatically, the policy applies to all users. That includes the account that AAD Connect uses to authenticate during sync operations. This will cause AAD Connect directory synchronization to break. The solution is to add an exclusion to the conditional access policy for your Sync_* user account.
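
As an added example (not from the original article or from Microsoft), this Python script flags enabled terms-of-use policies that still apply to a Sync_* account. It assumes the policies were exported in the shape of Microsoft Graph conditionalAccessPolicy objects; the users, IDs, policy names and the `policy` helper are constructed for illustration, and group- or role-based scoping is not evaluated.

```python
# Added example, not from the original article. All data below is constructed.
# Object id -> UPN for directory users; the Sync_ prefix follows the article.
USERS = {
    "00000000-0000-0000-0000-000000000001": "Sync_DC01_0a1b2c3d4e5f@contoso.onmicrosoft.com",
    "00000000-0000-0000-0000-000000000002": "alice@contoso.com",
}
SYNC_ID = "00000000-0000-0000-0000-000000000001"

def policy(name, state, exclude, terms):
    """Hypothetical helper: build a policy dict with only the fields this check reads."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": exclude}},
            "grantControls": {"operator": "OR", "termsOfUse": terms}}

POLICIES = [
    policy("ToU: all users (auto-created)", "enabled", [], ["tou-general"]),
    policy("ToU: all users, sync excluded", "enabled", [SYNC_ID], ["tou-general"]),
    policy("ToU: draft", "disabled", [], ["tou-general"]),
    policy("No ToU grant control", "enabled", [], []),
]

def sync_account_ids(users):
    """Return object ids of accounts whose UPN starts with Sync_."""
    return {oid for oid, upn in users.items() if upn.lower().startswith("sync_")}

def policies_blocking_sync(policies, users):
    """List (policy name, affected sync UPNs) for enabled terms-of-use policies."""
    sync_ids = sync_account_ids(users)
    findings = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # disabled or report-only policies are not enforced
        if not (p.get("grantControls") or {}).get("termsOfUse"):
            continue  # policy does not require accepting any terms of use
        scope = p["conditions"]["users"]
        included = set(scope.get("includeUsers") or [])
        excluded = set(scope.get("excludeUsers") or [])
        hit = sorted(users[i] for i in sync_ids
                     if ("All" in included or i in included) and i not in excluded)
        if hit:
            findings.append((p["displayName"], hit))
    return findings

if __name__ == "__main__":
    for name, upns in policies_blocking_sync(POLICIES, USERS):
        print(f"{name}: add an exclusion for {', '.join(upns)}")
```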

The other option is to “Create the conditional access policy later”.

If you choose that option, the terms become available as an access control in conditional access policies. Note that any terms of use will become available as an access control no matter which of the conditional access options you chose.

It’s also possible to use the same terms of use for multiple policies, or to have multiple policies with their own unique terms of use. You can even “stack” terms of use policies such that a user will need to accept a general terms of use when they first log in to any application, and then have additional app-specific terms of use if there are additional policies that they must comply with for those apps.

For your end users the experience is mostly a good one. Logging in to any app through the browser, a desktop app, or a mobile app will present the terms of use to be accepted or declined.

What I did find was that multiple apps could simultaneously present the terms of use. Logging in to a desktop, I opened a web browser to access Outlook, and as I was reviewing the terms of use both the Teams and OneDrive apps on the desktop also popped up a login dialog with the terms of use displayed.

That could be an edge case though. Either way, once you’ve accepted the terms of use you are no longer presented with them at login. This is an improvement from the old days of the login messages that would show up every single time you logged in.

For admins or compliance staff the list of terms of use in the Azure AD portal will show the number of accept and decline results. There’s also an audit log showing a timeline of events, both administrative and end user.

All up this is a decent feature, certainly an improvement over the old way of doing things. The additional license cost stings a little, but by now it seems we just need to get used to anything even remotely resembling a compliance feature being available through premium license tiers.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. DavidS

    Very good article Paul!!! If I set the Terms of Use… What is the user experience for users that have no E3/E5 license?

  2. Aga

    Hi Paul.
    Thanks for the useful article.
    Do you know what the retention policy is for stored compliance data in Azure Terms of Use?
    From your article: “For admins or compliance staff the list of terms of use in the Azure AD portal will show the number of accept and decline results. There’s also an audit log showing a timeline of events, both administrative and end user”.
    My question is: How long will such data be stored? What are the conditions? Can we manually withdraw such consent from the admin panel if the user wishes?
    Thank you in advance for your help.
    Aga

    1. Laura Russell

      Hello Aga – Did you ever determine the answer to this question of yours?

      Thanks,
      Laura

  3. sean Abel

    Great article, but how do I download the terms of use .pdf document from Azure?

  4. Sergio

    Hi Paul,
    I have an issue with the Terms of Use on the OneDrive application. If I set a ToU (for OneDrive for Business) and go to the mobile application (Android and iOS), I can't download the .pdf file to see it correctly. I mean, the link “Do you have problems with visualization? Click here.” doesn't work; it does nothing (only in the mobile app).

  5. David Mattox

    Can you set this up to repeat every year? Or set up a time frame for this policy to be in effect? Example, we want faculty and staff to do this every year at the beginning of the fall semester. Thanks!

    1. Paul Cunningham

      Good question. From Microsoft FAQ: “an administrator can change the terms of use terms and it requires reaccepting the new terms.”