- A simple method to configure ToU
This quickstart shows how to configure an Azure AD conditional access policy that requires a ToU to be accepted for a selected cloud app in your environment.
If you don't have an Azure subscription, create a free account before you begin.
To complete the scenario in this quickstart, you need:
Access to an Azure AD Premium edition - Azure AD conditional access is an Azure AD Premium capability.
A test account called Isabella Simonsen - If you don't know how to create a test account, see Add cloud-based users.
Test your sign-in
The goal of this step is to get an impression of the sign-in experience without a conditional access policy.
To test your sign-in:
Sign in to your Azure portal as Isabella Simonsen.
This section provides you with the steps to create a sample ToU. When you create a ToU, you select a value for Enforce with conditional access policy templates. Selecting Custom policy opens the dialog to create a new conditional access policy as soon as your ToU has been created.
In Microsoft Word, create a new document.
Sign in to your Azure portal as global administrator, security administrator, or a conditional access administrator.
In the Azure portal, on the left navbar, click Azure Active Directory.
On the Azure Active Directory page, in the Manage section, click Conditional access.
In the menu on the top, click New terms.
a. In the Name textbox, type My TOU.
b. In the Display name textbox, type My TOU.
d. As Language, select English.
f. As Enforce with conditional access policy templates, select Custom policy.
g. Click Create.
Create your conditional access policy
This section shows how to create the required conditional access policy. The scenario in this quickstart uses:
- The Azure portal as placeholder for a cloud app that requires your ToU to be accepted.
- Your sample user to test the conditional access policy.
In your policy, set:
|Users and groups||Isabella Simonsen|
|Cloud apps||Microsoft Azure Management|
|Grant access||My TOU|
To configure your conditional access policy:
On the New page, in the Name textbox, type Require TOU for Isabella.
In the Assignment section, click Users and groups.
On the Users and groups page:
a. Click Select users and groups, and then select Users and groups.
b. Click Select.
c. On the Select page, select Isabella Simonsen, and then click Select.
d. On the Users and groups page, click Done.
Click Cloud apps.
On the Cloud apps page:
a. Click Select apps.
b. Click Select.
c. On the Select page, select Microsoft Azure Management, and then click Select.
d. On the Cloud apps page, click Done.
In the Access controls section, click Grant.
On the Grant page:
a. Select Grant access.
a. Select My TOU.
b. Click Select.
In the Enable policy section, click On.
Evaluate a simulated sign-in
Now that you have configured your conditional access policy, you probably want to know whether it works as expected. As a first step, use the conditional access what if policy tool to simulate a sign-in of your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
To initialize the what if policy evaluation tool, set:
- Isabella Simonsen as user
- Microsoft Azure Management as cloud app
Clicking What If creates a simulation report that shows:
- Require TOU for Isabella under Policies that will apply
- My TOU as Grant Controls.
To evaluate your conditional access policy:
On the Conditional access - Policies page, in the menu on the top, click What If.
Click Users, select Isabella Simonsen, and then click Select.
To select a cloud app:
a. Click Cloud apps.
b. On the Cloud apps page, click Select apps.
c. Click Select.
d. On the Select page, select Microsoft Azure Management, and then click Select.
e. On the cloud apps page, click Done.
Click What If.
Test your conditional access policy
In the previous section, you have learned how to evaluate a simulated sign-in. In addition to a simulation, you should also test your conditional access policy to ensure that it works as expected.
Clean up resources
When no longer needed, delete the test user and the conditional access policy:
If you don't know how to delete an Azure AD user, see Delete users from Azure AD.
To delete your policy, select your policy, and then click Delete in the quick access toolbar.