Azure Identity And Access Management Part 23 – Azure Active Directory – Terms Of Use

Hello Friends,
Hope you all are doing good!!!
In our last post, we discussed the Requestor Role and Approver Role of Entitlement Management and finished our Entitlement Management journey. Today, in this article, we will start with a new topic, Terms Of Use in Azure Identity Governance.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Part 1 – Azure Active Directory – Overview
Part 2 – Azure Active Directory – Enterprise Users
Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell
Part 19 – Azure Active Directory – Entitlement Management 1 – Overview
Next Article : Part 24 – Azure Active Directory – Access Reviews 2 – Group And Apps
Terms Of Use :
Azure AD terms of use provides a simple method that organizations can use to present security information to end users. This ensures users see the relevant disclaimers for legal or compliance requirements. Azure AD Terms Of Use presents its content in PDF format; to support users on mobile devices, the recommended font size in the PDF is 24 point.
Benefits Of Using Terms Of Use :
At a high level, Azure AD Terms Of Use has the following capabilities:
- General terms of use for all users in an organization.
- Define specific terms of use based on user types and application sensitivity.
- Assist in meeting GDPR and privacy regulations.
- Compliance and audit.
In detail, it can be used in the following scenarios, as described in the Microsoft documentation.
- Require employees or guests to accept your terms of use before getting access.
- Require employees or guests to accept your terms of use on every device before getting access.
- Require employees or guests to accept your terms of use on a recurring schedule.
- Require employees or guests to accept your terms of use prior to registering security information in Azure Multi-Factor Authentication (MFA).
- Require employees to accept your terms of use prior to registering security information in Azure AD self-service password reset (SSPR).
- Present general terms of use for all users in your organization.
- Present specific terms of use based on user attributes (e.g. doctors vs nurses or domestic vs international employees, by using dynamic groups).
- Present specific terms of use when accessing high business impact applications, like Salesforce.
- Present terms of use in different languages.
- List who has or hasn’t accepted your terms of use.
- Assist in meeting privacy regulations.
- Display a log of terms of use activity for compliance and audit.
- Create and manage terms of use using Microsoft Graph APIs (currently in preview).
Required Licence :
To use and configure Azure AD terms of use, the user must have one of the following subscriptions:
Azure AD Premium P1
Azure AD Premium P2
Enterprise Mobility + Security E3
Enterprise Mobility + Security E5
Required User Role :
The user must sign in with one of the following administrator roles in the directory they want to configure:
Global Administrator
Security Administrator
Conditional Access Administrator
Terms Of Use PDF Document :
Azure AD terms of use uses a document to present content to the user during sign-in. It can contain content such as existing contracts, end user agreements, etc. The document must be in PDF format, and the recommended font size is 24 point to support users on mobile devices. The following figure shows our sample Terms Of Use PDF document, which we are going to use in today’s lab exercise.

Configure Terms Of Use In Azure Active Directory :
Once we confirm that we have all the above prerequisites, we can go through the following steps to complete our lab exercise.
Step 1 – Sign in to the Azure portal > Azure Active Directory > Security > Conditional Access, or go directly to https://aka.ms/catou to reach the same page. From the left menu, select Terms of use under the Manage section to go to the Terms of use page, as shown in the following figure.

Step 2 – The Terms of use page shows information such as the list of all terms, the number of users who have accepted and declined each term, the audit log, etc. An admin can click the + New Term button to create a new term, as shown in the above figure.
Step 3 – On the New terms of use page, provide the required information to configure the term, as shown in the following figure.
- After giving a Name and Description, upload our Terms Of Use PDF document and configure the Terms of document property. Configure the Language as shown in the following figure.
- Here I have configured the Require users to expand the terms of use property to On. When it is set to On, the user must read the terms of use document before they can Accept or Decline.
- We can set Require users to consent on every device to On to require end users to accept our terms of use on every device they access from. We have left it at its default value, Off.
- We can set Duration before re-acceptance required (days) to a number of days, so that the user has to re-accept the terms of use after the specified number of days.
- Under Conditional Access > Enforce with Conditional Access policy templates, we can see the following two options:
- Create Conditional Access policy later – if we want to create the policy that enforces the terms of use later.
- Custom Policy – if we want to create a custom policy immediately after the term creation, as a single process.

- We leave Expire consents at its default value, Off, as there is no need to configure it for our exercise. We can set Expire consents to On if we want terms of use consents to expire on a schedule. When it is set to On, two additional schedule settings are displayed.
- It is possible to use both the Expire consents and Duration before re-acceptance required (days) settings together, but generally we should use one of them.

- Click the Create button to complete the term creation. The following figure shows the newly created term.

Step 4 – As we selected Custom Policy in the Conditional Access section of the new term window, we get a new window to create a custom Conditional Access policy, as shown in the following figure. We have another article in which we have described Azure AD Conditional Access Policy in detail. In this Conditional Access policy, I have included only the following two users for our testing, as shown in the following figure.
- Manas@knowledgejunction1.onmicrosoft.com
- Ganesh@knowledgejunction1.onmicrosoft.com

In the Cloud apps or actions section, I have selected All cloud apps, so that the user has to accept the Terms of use even when logging in to the Azure portal.
In the Grant section, as we can see in the following figure, I have selected our newly created term (MSTech Terms Of Use), which needs to be enforced on the two users selected above.

- Click the Create button to create the Conditional Access policy. As we can see in the following figure, our new policy has been created successfully.

Testing Terms Of Use :
We have now configured our Terms Of Use. It’s time to test the configuration. Let’s log in to the Azure portal with our first user, Ganesh.

As we can see in the following figure, user Ganesh is forced to accept the MSTech Terms Of Use. Let’s click the Accept button to proceed with the login.

As shown in the following figure, the user has to read the terms of use document before accepting the term.

Click the MSTech Terms Of Use link to read the document. The following figure shows the user’s view of the Terms Of Use document.

Once we have read the terms of use document, click the Accept button to proceed with the login. As we can see in the following figure, Ganesh is able to log in to the Azure portal successfully.

Now let’s proceed with the 2nd user, Manas, and try to log in to the Azure portal. Same as Ganesh, Manas is also forced to accept the Terms of use. Let’s click the Decline button to decline the terms of use.

As we can see in the above figure, Manas gets a warning message asking him to reconsider the decision. Click Yes to continue with our decision to decline the terms of use. As a result, as we can see in the following figure, Manas is blocked from accessing the Azure portal.

Terms Of Use Reports :
The Terms of use page shows the list of all terms and a count of the users who have accepted and declined each one. These counts, and who accepted/declined, are stored for the life of the terms of use. As we can see in the following figure, we have one user who accepted and one user who declined the term.

Let’s check the accepted user by clicking on the count in the Accepted field. As we can see in the following figure, Ganesh has accepted the term.

In the same way, we can see the declined user. As shown in the following figure, Manas has declined the term.
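The same accepted/declined report, and the "who hasn’t accepted" list mentioned under the capabilities above, can be produced from the Microsoft Graph terms of use API instead of the portal. The following is an added example, not code from the original post: it assumes the acceptance records were already fetched from GET /identityGovernance/termsOfUse/agreements/{agreementId}/acceptances (the sample records below are constructed, and the third user Priya is made up to show a user who was never prompted), and it also flags consents whose re-acceptance window has already passed.

```python
from datetime import datetime, timezone

# Constructed sample of Graph agreementAcceptance records for the lab's term.
# Field names follow the agreementAcceptance resource; the values are made up.
SAMPLE_ACCEPTANCES = [
    {"userPrincipalName": "ganesh@knowledgejunction1.onmicrosoft.com",   # older record,
     "state": "declined", "recordedDateTime": "2021-05-30T08:00:00Z",   # superseded
     "expirationDateTime": None},
    {"userPrincipalName": "Ganesh@knowledgejunction1.onmicrosoft.com",
     "state": "accepted", "recordedDateTime": "2021-06-01T09:00:00Z",
     "expirationDateTime": "2021-07-01T09:00:00Z"},   # 30-day re-acceptance window
    {"userPrincipalName": "Manas@knowledgejunction1.onmicrosoft.com",
     "state": "declined", "recordedDateTime": "2021-06-01T09:05:00Z",
     "expirationDateTime": None},
]
# Users targeted by the Conditional Access policy (Priya is a constructed extra).
LAB_USERS = ["Manas@knowledgejunction1.onmicrosoft.com",
             "Ganesh@knowledgejunction1.onmicrosoft.com",
             "Priya@knowledgejunction1.onmicrosoft.com"]

def _ts(s):
    # Graph timestamps are UTC with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consent_status(scoped_users, acceptances, now_iso):
    """Map every targeted user to 'accepted', 'expired', 'declined' or 'pending'.
    A user can have several records (per-device consent, re-acceptance), so the
    most recent record per user decides; UPN comparison is case-insensitive."""
    now = _ts(now_iso)
    latest = {}
    for rec in acceptances:
        upn = rec["userPrincipalName"].lower()
        if upn not in latest or _ts(rec["recordedDateTime"]) > _ts(latest[upn]["recordedDateTime"]):
            latest[upn] = rec
    status = {}
    for upn in scoped_users:
        rec = latest.get(upn.lower())
        if rec is None:
            status[upn] = "pending"      # never prompted yet (has not signed in)
        elif rec["state"] != "accepted":
            status[upn] = "declined"     # blocked by the policy, as Manas was
        elif rec["expirationDateTime"] and _ts(rec["expirationDateTime"]) <= now:
            status[upn] = "expired"      # will be re-prompted at next sign-in
        else:
            status[upn] = "accepted"
    return status

def counts(status):
    """Totals per bucket, matching the Accepted/Declined counts on the portal page."""
    out = {"accepted": 0, "declined": 0, "expired": 0, "pending": 0}
    for s in status.values():
        out[s] += 1
    return out
```

Running consent_status on a later date than the expirationDateTime moves Ganesh into the expired bucket, which is the list to chase when Duration before re-acceptance required (days) is in use.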

Audit Log :
If we want to view additional activity, Azure AD terms of use includes audit logs. Each user consent triggers an event in the audit logs that is stored for 30 days. To view them, click the View Audit log link in the ribbon of the Terms of use page. The following figure shows the audit log of Terms Of Use.

I hope this article helps you get basic information and knowledge about Azure AD Terms Of Use.
As I am exploring Azure Identity and Access Management (IAM) at a deep level, please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂