Quickstart: Require terms of use to be accepted before accessing cloud apps

Before accessing certain cloud apps in your environment, you might want to get consent from users in form of accepting your terms of use (ToU). Azure Active Directory (Azure AD) conditional access provides you with:

  • A simple method to configure ToU
  • The option to require accepting your terms of use through a conditional access policy

This quickstart shows how to configure an Azure AD conditional access policy that requires a ToU to be accepted for a selected cloud app in your environment.

Create policy

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete the scenario in this quickstart, you need:

  • Access to an Azure AD Premium edition - Azure AD conditional access is an Azure AD Premium capability.

  • A test account called Isabella Simonsen - If you don't know how to create a test account, see Add cloud-based users.

Test your sign-in

The goal of this step is to get an impression of the sign-in experience without a conditional access policy.

To test your sign-in:

  1. Sign in to your Azure portal as Isabella Simonsen.

  2. Sign out.

Create your terms of use

This section provides you with the steps to create a sample ToU. When you create a ToU, you select a value for Enforce with conditional access policy templates. Selecting Custom policy opens the dialog to create a new conditional access policy as soon as your ToU has been created.

To create your terms of use:

  1. In Microsoft Word, create a new document.

  2. Type My terms of use, and then save the document on your computer as mytou.pdf.

  3. Sign in to your Azure portal as global administrator, security administrator, or a conditional access administrator.

  4. In the Azure portal, on the left navbar, click Azure Active Directory.

    Azure Active Directory

  5. On the Azure Active Directory page, in the Manage section, click Conditional access.

    Conditional access

  6. In the Manage section, click Terms of use.

    Terms of use

  7. In the menu on the top, click New terms.

    Terms of use

  8. On the New terms of use page:

    Terms of use

    a. In the Name textbox, type My TOU.

    b. In the Display name textbox, type My TOU.

    c. Upload your terms of use PDF file.

    d. As Language, select English.

    e. As Require users to expand the terms of use, select On.

    f. As Enforce with conditional access policy templates, select Custom policy.

    g. Click Create.

Create your conditional access policy

This section shows how to create the required conditional access policy. The scenario in this quickstart uses:

  • The Azure portal as placeholder for a cloud app that requires your ToU to be accepted.
  • Your sample user to test the conditional access policy.

In your policy, set:

Setting Value
Users and groups Isabella Simonsen
Cloud apps Microsoft Azure Management
Grant access My TOU

Create policy

To configure your conditional access policy:

  1. On the New page, in the Name textbox, type Require TOU for Isabella.

    Name

  2. In the Assignment section, click Users and groups.

    Users and groups

  3. On the Users and groups page:

    Users and groups

    a. Click Select users and groups, and then select Users and groups.

    b. Click Select.

    c. On the Select page, select Isabella Simonsen, and then click Select.

    d. On the Users and groups page, click Done.

  4. Click Cloud apps.

    Cloud apps

  5. On the Cloud apps page:

    Select cloud apps

    a. Click Select apps.

    b. Click Select.

    c. On the Select page, select Microsoft Azure Management, and then click Select.

    d. On the Cloud apps page, click Done.

  6. In the Access controls section, click Grant.

    Access controls

  7. On the Grant page:

    Grant

    a. Select Grant access.

    a. Select My TOU.

    b. Click Select.

  8. In the Enable policy section, click On.

    Enable policy

  9. Click Create.

Evaluate a simulated sign-in

Now that you have configured your conditional access policy, you probably want to know whether it works as expected. As a first step, use the conditional access what if policy tool to simulate a sign-in of your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

To initialize the what if policy evaluation tool, set:

  • Isabella Simonsen as user
  • Microsoft Azure Management as cloud app

Clicking What If creates a simulation report that shows:

  • Require TOU for Isabella under Policies that will apply
  • My TOU as Grant Controls.

What if policy tool

To evaluate your conditional access policy:

  1. On the Conditional access - Policies page, in the menu on the top, click What If.

    What If

  2. Click Users, select Isabella Simonsen, and then click Select.

    User

  3. To select a cloud app:

    Cloud apps

    a. Click Cloud apps.

    b. On the Cloud apps page, click Select apps.

    c. Click Select.

    d. On the Select page, select Microsoft Azure Management, and then click Select.

    e. On the cloud apps page, click Done.

  4. Click What If.

Test your conditional access policy

In the previous section, you have learned how to evaluate a simulated sign-in. In addition to a simulation, you should also test your conditional access policy to ensure that it works as expected.

To test your policy, try to sign-in to your Azure portal using your Isabella Simonsen test account. You should see a dialog that requires you to accept your terms of use.

Terms of use

Clean up resources

When no longer needed, delete the test user and the conditional access policy:

  • If you don't know how to delete an Azure AD user, see Delete users from Azure AD.

  • To delete your policy, select your policy, and then click Delete in the quick access toolbar.

    Multi-factor authentication

  • To delete your terms of use, select it, and then click Delete terms in the toolbar on top.

    Multi-factor authentication

Next steps