Mark Brezicky / Categories: Cloud Security, Security, Azure Active Directory

Azure AD Identity Governance – Terms of Use

Most organizations display some form of acceptable use policy when a user logs into a domain-joined PC or server.  Once you move to the cloud, however, that same user has access to, and exposure of, a far larger set of data and resources.  To bring the equivalent of the decades-old PC logon notice to cloud sign-ins, Microsoft created Terms of Use in Azure AD.  It lets an organization present legal or compliance notices that a user must accept before access is granted.

Organizations can use Terms of Use for many different purposes.  Terms of Use presents a PDF document to the user, so it can contain anything a PDF can.  Before implementing Terms of Use, there are a couple of prerequisites:

  • Azure AD Premium P1, P2, EMS E3, or EMS E5 subscription. 
  • One of the following administrator accounts for the directory you want to configure: 
    • Global Administrator 
    • Security Administrator 
    • Conditional Access Administrator  

Microsoft Endpoint Manager (Intune) also has a feature called Terms and Conditions.  This is not to be confused with Terms of Use; the two are entirely separate.  If a user is in scope for both Terms of Use and Terms and Conditions, they will have to accept both before access is granted to the Intune Company Portal app.

Terms of Use Policy Options 

[Screenshot: Terms of Use policy options]

Terms of Use Policy Creation 

To begin creating a Terms of Use policy, first make sure you have a finalized copy of the PDF file you intend to use.  Once you have that, as well as an understanding of how you want to enforce the policy, go to the Azure Active Directory portal and select Identity Governance > Terms of use > + New terms.  This brings you to the New terms of use creation page.  Fill out the options as required and upload your PDF file.

Enabling Technologies recommends setting the Conditional Access option to Create conditional access policy later.  This ensures you do not prematurely create a policy that locks out your users.  It also lets you selectively choose which Conditional Access policy, new or existing, the Terms of Use grant control is applied to.

[Screenshot: Creating a Terms of Use policy]

Conditional Access 

As previously mentioned, a Terms of Use policy is enforced via Conditional Access, so you will need to either create a new policy or add the grant control to an existing one.  All Terms of Use policies in your environment appear under the Grant access controls of a Conditional Access policy.  You can require this control on its own or combine it with other controls such as MFA or device compliance.

[Screenshot: Conditional Access grant controls]
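The two steps above, creating the policy from the finalized PDF and then attaching it to a Conditional Access policy, can also be done with the Microsoft Graph PowerShell SDK.  The following is an added example written for this post; it is not Microsoft's sample code and not part of the original article.  The PDF path, display names and the break-glass group ID are placeholders, and it assumes the Microsoft.Graph modules are installed and that the signed-in account holds one of the administrator roles listed in the prerequisites.  The Conditional Access policy is deliberately created in report-only mode, for the same reason the portal walk-through defers policy creation: nobody gets locked out until the sign-in logs confirm the scope is right.

```powershell
# Added example (not from the original post): create a Terms of Use agreement from a
# finalized PDF and attach it as a grant control to a new, report-only Conditional
# Access policy using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed; the PDF path, names and the
# break-glass group ID are placeholders; the admin holds a role from the prerequisites.
#Requires -Modules Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns

$ErrorActionPreference = 'Stop'

# Delegated permissions: agreements need Agreement.ReadWrite.All; Conditional Access
# policies need Policy.ReadWrite.ConditionalAccess (Policy.Read.All to read them back).
Connect-MgGraph -Scopes 'Agreement.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Upload the finalized PDF as a new agreement. The Graph properties map to the
#    portal's policy options: isViewingBeforeAcceptanceRequired = "Require users to
#    expand the terms of use", isPerDeviceAcceptanceRequired = "Require users to consent
#    on every device", userReacceptRequiredFrequency = "Duration before re-acceptance".
$pdfPath  = 'C:\Policies\AcceptableUse.pdf'                 # placeholder path
$pdfBytes = [System.IO.File]::ReadAllBytes($pdfPath)

$agreementBody = @{
    displayName                       = 'Contoso Acceptable Use Policy'   # placeholder name
    isViewingBeforeAcceptanceRequired = $true
    isPerDeviceAcceptanceRequired     = $false
    userReacceptRequiredFrequency     = 'P365D'             # ISO 8601 duration: re-accept yearly
    files = @(
        @{
            fileName  = [System.IO.Path]::GetFileName($pdfPath)
            language  = 'en-US'
            isDefault = $true
            fileData  = @{ data = [Convert]::ToBase64String($pdfBytes) }   # PDF goes up base64-encoded
        }
    )
}
$agreement = New-MgIdentityGovernanceTermsOfUseAgreement -BodyParameter $agreementBody
Write-Host "Created agreement '$($agreement.DisplayName)' with id $($agreement.Id)"

# 2. Reference the agreement from a Conditional Access policy. Report-only mode
#    evaluates the policy and records the result in the sign-in logs without
#    enforcing it; change State to 'enabled' once the results look correct.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency access group

$policyBody = @{
    displayName = 'Require Terms of Use for all users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)          # never gate emergency accounts on ToU
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'                             # ToU AND MFA must both be satisfied
        builtInControls = @('mfa')
        termsOfUse      = @($agreement.Id)                  # the "Terms of Use" grant control
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
Write-Host "Created Conditional Access policy '$($policy.DisplayName)' in state $($policy.State)"
```

To add the agreement to an existing policy instead of creating a new one, read the policy with Get-MgIdentityConditionalAccessPolicy, append the agreement ID to grantControls.termsOfUse, and write it back with Update-MgIdentityConditionalAccessPolicy.  Keep the break-glass exclusion in either case; a Terms of Use prompt that an emergency account cannot satisfy is a self-inflicted lockout.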

End user experience 

Once the Conditional Access policy is enabled, any user in scope of the policy will be prompted to accept the Terms of Use before access is granted.  Below is what an end user sees when accessing an in-scope application (OneDrive in my example): they are prompted to review the document and either Accept or Decline it.  If they accept, access is granted, provided they also satisfy any other controls the policy requires.  If they decline, access is not granted and the sign-in is blocked by Conditional Access.

[Screenshot: End user Terms of Use prompt]

A user can always go to their Microsoft 365 account to review the Terms of Use policies they have accepted.  Go to https://myaccount.microsoft.com/ and select Settings & Privacy.  Select the Privacy tab at the top and click View next to "Your Organization Name terms of use".  From there you can view or download a copy of any Terms of Use policy you have accepted.

[Screenshot: Terms of use settings in My Account]


Review and Audit Terms of Use Policy 

Once implemented and enforced, administrators can review and audit acceptance of the policy.  Only minimal changes can be made to a policy after it is implemented: you can change the name, add additional language options, or disable the "Require users to expand the terms of use" option.  Anything else, such as a revised PDF, means creating a new policy.

[Screenshot: Reviewing a Terms of Use policy]


You can see who accepted and who declined by clicking the number links on the right.  Each opens a list of the users who accepted or declined.

[Screenshot: Terms of use consents]

In the list of Terms of Use policies, you can select View audit logs, or View selected audit logs if you have a single policy selected.  The audit logs only show the past 30 days of history; Azure AD does not retain them longer than that.  If you need a longer record for compliance, route the AuditLogs category to a Log Analytics workspace, storage account or event hub through Azure AD Diagnostic settings, and export the per-user acceptance list from the policy itself, which stays with the policy rather than with the audit log.

[Screenshot: Terms of Use audit logs]
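Because the audit log window is short, a practitioner usually scripts the review.  The following is an added example, not from the original post and not Microsoft's sample: it pulls every acceptance record for one agreement through the Microsoft Graph PowerShell SDK, summarises accepted, declined and expired consents the way the portal's counters do, lists the declines for follow-up, and writes a dated CSV so the evidence outlives the 30-day limit.  The agreement name and output path are placeholders, and it assumes the Microsoft.Graph.Identity.Governance module is installed.

```powershell
# Added example (not from the original post): export the acceptance records of a
# Terms of Use agreement and flag declines and expired consents.
# Assumptions: Microsoft.Graph.Identity.Governance installed; the agreement name and
# output path are placeholders; the admin can consent to the two read scopes below.
#Requires -Modules Microsoft.Graph.Identity.Governance

$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Agreement.Read.All', 'AgreementAcceptance.Read.All'

$agreementName = 'Contoso Acceptable Use Policy'            # placeholder
$outputPath    = Join-Path $HOME ("ToU-acceptances-{0:yyyyMMdd}.csv" -f (Get-Date))

# Locate the agreement by display name; a tenant may hold several Terms of Use policies.
$agreement = Get-MgIdentityGovernanceTermsOfUseAgreement -All |
    Where-Object DisplayName -eq $agreementName
if (-not $agreement) { throw "No Terms of Use agreement named '$agreementName'" }

# One acceptance record per user (per device when per-device consent is on).
# -All follows @odata.nextLink paging so large tenants are not silently truncated.
$acceptances = Get-MgIdentityGovernanceTermsOfUseAgreementAcceptance -AgreementId $agreement.Id -All

$now = (Get-Date).ToUniversalTime()
$report = $acceptances | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        State             = $_.State                          # accepted | declined
        RecordedUtc       = $_.RecordedDateTime
        ExpiresUtc        = $_.ExpirationDateTime             # set when re-acceptance is configured
        Expired           = [bool]($_.ExpirationDateTime -and $_.ExpirationDateTime -lt $now)
        Device            = $_.DeviceDisplayName
        DeviceOS          = "$($_.DeviceOSType) $($_.DeviceOSVersion)".Trim()
    }
}

# Summary matching the portal's Accepted/Declined counters, plus consents past expiry.
$report | Group-Object State | ForEach-Object { "{0,-9} {1}" -f $_.Name, $_.Count }
"expired   $(@($report | Where-Object Expired).Count)"

# A decline is a sign-in that Conditional Access blocked; each one deserves a follow-up.
$report | Where-Object State -eq 'declined' |
    Format-Table UserPrincipalName, RecordedUtc, Device -AutoSize

# Persist the evidence outside Azure AD; the audit log itself only covers 30 days.
$report | Export-Csv -Path $outputPath -NoTypeInformation -Encoding utf8
Write-Host "Wrote $(@($report).Count) acceptance records to $outputPath"
```

Run it on a schedule (a monthly task is enough to stay inside the 30-day audit window) and keep the CSVs with your other compliance evidence.  The Expired column only becomes meaningful when the policy was created with "Expire consents" or "Duration before re-acceptance required"; otherwise ExpiresUtc is empty for every row.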

This concludes our series on Azure AD Identity Governance.  You should now have an understanding of how to control user and privileged access to meet the security, compliance and legal obligations of your organization.  As Microsoft constantly adds features and functionality to Azure, management of your identity and access solution, Azure AD, will only become more refined and granular.

And if not…Enabling Technologies can help you properly prepare for moving to the cloud, following Microsoft best practices to build a secure and productive environment.  You can find out more in the Security section of our website.

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.
