Azure Active Directory Terms of use feature

Azure AD Terms of use provides a simple method that organizations can use to present information to end users. This presentation ensures users see relevant disclaimers for legal or compliance requirements. This article describes how to get started with Azure AD Terms of use.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

What can I do with Terms of use?

Azure AD Terms of use enables you to do the following:

  • Require employees or guests to agree to your Terms of use before getting access.
  • Present general Terms of use for all users in your organization.
  • Present specific Terms of use based on user attributes (for example, doctors vs. nurses, or domestic vs. international employees, by using dynamic groups).
  • Present specific Terms of use when accessing high business impact applications, like Salesforce.
  • Present Terms of use in different languages.
  • List who has or hasn't agreed to your Terms of use.
  • Display an audit log of Terms of use activity.

Prerequisites

To use and configure Azure AD Terms of use, you must have:

  • Azure AD Premium P1, P2, EMS E3, or EMS E5 subscription.
  • One of the following administrator accounts for the directory you want to configure:
    • Global administrator
    • Security administrator
    • Conditional access administrator

Terms of use document

Azure AD Terms of use uses the PDF format to present content. The PDF file can be any content, such as existing contract documents, allowing you to collect end-user agreements during user sign-in. The recommended font size in the PDF is 24.

Add Terms of use

Once you have finalized your Terms of use document, use the following procedure to add it.

  1. Sign in to Azure as a Global administrator, Security administrator, or Conditional access administrator.

  2. Navigate to Terms of use at https://aka.ms/catou.

  3. Click New terms.

  4. Enter the Name for the Terms of use.

  5. Enter Display name. This is the header that users see when they sign in.

  6. Browse to your finalized Terms of use PDF and select it.

  7. Select a language for the Terms of use. The language option allows you to upload multiple Terms of use, each in a different language. The version of the Terms of use that an end user sees is based on their browser preferences.

  8. For Require users to expand the Terms of use, select On or Off. If this setting is set to On, end users will be required to view the Terms of use prior to accepting them.

  9. Under Conditional Access, you can Enforce the uploaded Terms of use by selecting a template from the drop-down list or a custom conditional access policy. Custom conditional access policies enable granular Terms of use, down to a specific cloud application or group of users. For more information, see configuring conditional access policies.

    Important

    Conditional access policy controls (including Terms of use) do not support enforcement on service accounts. We recommend excluding all service accounts from the conditional access policy.

  10. Click Create.

  11. If you selected a custom conditional access template, then a new screen appears which allows you to customize the conditional access policy.

    You should now see your new Terms of use.

View report of who has accepted and declined

The Terms of use blade shows a count of the users who have accepted and declined. These counts and who accepted/declined are stored for the life of the Terms of use.

  1. Sign in to Azure and navigate to Terms of use at https://aka.ms/catou.

  2. Click the numbers under Accepted or Declined to view the current state for users.

View Azure AD audit logs

If you want to view additional activity, Azure AD Terms of use includes audit logs. Each user consent triggers an event in the audit logs that is stored for 30 days. You can view these logs in the portal or download them as a .csv file.

To get started with Azure AD audit logs, use the following procedure:

  1. Sign in to Azure and navigate to Terms of use at https://aka.ms/catou.

  2. Click View audit logs.

  3. On the Azure AD audit logs screen, you can filter the information using the provided drop-down lists to target specific audit log information.

  4. You can also click Download to download the information in a .csv file for use locally.

What Terms of use looks like for users

Once a Terms of use is created and enforced, users who are in scope see the Terms of use prompt during sign-in. The prompt is also shown on mobile devices.

How users can review their Terms of use

Users can review and see the Terms of use that they have accepted by using the following procedure.

  1. Sign in to https://myapps.microsoft.com.

  2. In the upper right corner, click your name and select Profile from the drop-down.

  3. On your Profile page, click Review terms of use.

  4. From there, you can review the Terms of use you have accepted.

Delete Terms of use

You can delete old Terms of use using the following procedure.

  1. Sign in to Azure and navigate to Terms of use at https://aka.ms/catou.

  2. Select the Terms of use you want to remove.

  3. Click Delete terms.

  4. In the message that appears asking if you want to continue, click Yes.

    You should no longer see your Terms of use.

Deleted users and active Terms of use

By default, a deleted user is in a deleted state in Azure AD for 30 days, during which time they can be restored by an administrator if necessary. After 30 days, that user is permanently deleted. In addition, using the Azure Active Directory portal, a Global administrator can explicitly permanently delete a recently deleted user before that time period is reached. Once a user has been permanently deleted, subsequent data about that user will be removed from the active Terms of use. Audit information about deleted users remains in the audit log.

Policy changes

Conditional access policies take effect immediately. When this happens, the administrator will start to see "sad clouds" or "Azure AD token issues". The administrator must sign out and sign in again in order to satisfy the new policy.

Important

Users in scope will need to sign out and sign in again in order to satisfy a new policy if:

  • a conditional access policy is enabled on a Terms of use
  • or a second Terms of use is created

Frequently asked questions

Q: How do I see when/if a user has accepted a Terms of use?
A: On the Terms of use blade, click the number under Accepted. You can also view or search the accept activity in the Azure AD audit logs. For more information, see View report of who has accepted and declined and View Azure AD audit logs.

Q: How long is information stored?
A: The user counts in the Terms of use report and who accepted/declined are stored for the life of the Terms of use. The Azure AD audit logs are stored for 30 days.

Q: Why do I see a different number of consents in the Terms of use report vs. the Azure AD audit logs?
A: The Terms of use report is stored for the lifetime of that Terms of use, while the Azure AD audit logs are stored for 30 days. Also, the Terms of use report only displays the user's current consent state. For example, if a user declines and then accepts, the Terms of use report will only show that user's accept. If you need to see the history, you can use the Azure AD audit logs.
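As an added illustration (not part of the original article) of why the two views disagree, the following Python reads a constructed audit-log export and computes the report-style counts (latest state per user, kept for the life of the terms) beside the audit-log counts (every event, but only within the 30-day retention window). The CSV column names are assumed for this example, not Azure AD's actual export schema.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of Terms of use consent events, shaped like an exported
# audit-log CSV. The column names are an assumption for this example, not the
# real Azure AD export schema.
SAMPLE_CSV = """timestamp,user,action
2024-01-02T09:00:00Z,alice@contoso.example,Accept
2024-01-05T10:30:00Z,bob@contoso.example,Decline
2024-01-06T08:15:00Z,bob@contoso.example,Accept
2024-02-20T12:00:00Z,carol@contoso.example,Decline
2024-03-01T07:45:00Z,dave@contoso.example,Accept
"""


def parse_ts(text):
    """Parse a UTC ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text):
    """Return (timestamp, user, action) tuples in chronological order."""
    rows = [(parse_ts(r["timestamp"]), r["user"], r["action"])
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows)


def report_counts(events):
    """Terms of use report view: only each user's latest consent state counts."""
    latest = {}
    for _, user, action in events:   # chronological, so the last write wins
        latest[user] = action
    return Counter(latest.values())


def audit_counts(events, now_iso, retention_days=30):
    """Audit log view: every consent event, but only inside the retention window."""
    cutoff = parse_ts(now_iso) - timedelta(days=retention_days)
    return Counter(action for ts, _, action in events if ts >= cutoff)


def consent_history(events, user):
    """Full decline/accept sequence for one user, as the audit log would show it."""
    return [action for _, u, action in events if u == user]
```

Run against the sample, the report shows 3 accepted and 1 declined (Bob's decline is superseded), while the audit log as of 2024-03-10 shows only the 2 events from the last 30 days.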

Q: If I change the Terms of use terms, does it require users to accept again?
A: Yes, an administrator can change the Terms of use terms and it requires users to reaccept the new terms.

Q: If hyperlinks are in the Terms of use PDF document, will end users be able to click them?
A: The PDF is rendered by default as a JPEG, so hyperlinks are not clickable. Users have the option to select Having trouble viewing? Click here, which renders the PDF natively where hyperlinks are supported.

Q: Can a Terms of use support multiple languages?
A: Yes. Currently there are 18 different languages an administrator can configure for a single Terms of use.

Q: When is the Terms of use triggered?
A: The Terms of use is triggered during the sign-in experience.

Q: What applications can I target a Terms of use to?
A: You can create a conditional access policy on the enterprise applications using modern authentication. For more information, see enterprise applications.

Q: Can I add multiple Terms of use to a given user or app?
A: Yes, by creating multiple conditional access policies targeting those groups or applications. If a user falls in scope of multiple Terms of use, they agree to one Terms of use at a time.

Q: What happens if a user declines the Terms of use?
A: The user is blocked from getting access to the application. The user would have to sign in again and agree to the terms in order to get access.

Q: Is it possible to unaccept Terms of use that were previously accepted?
A: You can review previously accepted Terms of use, but currently there isn't a way to unaccept.

Next steps