This article provides steps about how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.
- Assist in meeting privacy regulations.
- Azure AD Premium P1, P2, EMS E3, or EMS E5 subscription.
- One of the following administrator accounts for the directory you want to configure:
  - Global Administrator
  - Security Administrator
  - Conditional Access Administrator
Sign in to Azure as a Global Administrator, Security Administrator, or Conditional Access Administrator.
Click New terms.
In the Display name box, enter a title that users see when they sign in.
For example, if you set the Expire starting on date to Jan 1 and the Frequency to Monthly, expirations for two users occur on the same calendar boundaries regardless of when each user accepted:

| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alice | Jan 1 | Feb 1 | Mar 1 | Apr 1 |
| Bob | Jan 15 | Feb 1 | Mar 1 | Apr 1 |

With the Duration before re-acceptance required (days) setting instead (30 days in this table), each user's expirations are counted from that user's own acceptance date:

| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alice | Jan 1 | Jan 31 | Mar 2 | Apr 1 |
| Bob | Jan 15 | Feb 14 | Mar 16 | Apr 15 |

It is possible to use the Expire consents and Duration before re-acceptance required (days) settings together, but typically you use one or the other.
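The two expiry schedules above follow different rules: one is tied to shared calendar boundaries, the other to each user's own acceptance date. The following Python is an added example (not code from the original article or from Microsoft) that models both rules as inferred from the tables, reproduces the dates shown for Alice and Bob, and works out which expiry applies when both settings are enabled. The year 2023, the 30-day duration and the helper names are constructed assumptions; it also generalizes Monthly to any whole-month frequency, which the tables do not show.

```python
from datetime import date, timedelta
from typing import List, Optional
import calendar

# Constructed sample values (assumptions, not from the article): a non-leap year so
# February has 28 days, matching the dates in the tables above.
EXPIRE_START = date(2023, 1, 1)   # "Expire starting on"
DURATION_DAYS = 30                # "Duration before re-acceptance required (days)"


def add_months(d: date, months: int) -> date:
    """Shift d by whole calendar months, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def expire_consents_schedule(accepted: date, start: date = EXPIRE_START,
                             every_months: int = 1, count: int = 3) -> List[date]:
    """'Expire consents': every user's consent lapses on the same recurring boundaries
    (start + k * every_months), so the first expiry is the first boundary strictly
    after the user's own acceptance date. every_months=1 is Monthly, 3 is quarterly."""
    out, k = [], 1
    while len(out) < count:
        boundary = add_months(start, k * every_months)
        if boundary > accepted:
            out.append(boundary)
        k += 1
    return out


def duration_schedule(accepted: date, days: int = DURATION_DAYS, count: int = 3) -> List[date]:
    """'Duration before re-acceptance': each expiry is a fixed number of days after the
    previous acceptance, so users who accepted on different days stay on different cycles."""
    out, current = [], accepted
    for _ in range(count):
        current += timedelta(days=days)
        out.append(current)
    return out


def next_expiry(accepted: date, start: Optional[date] = EXPIRE_START,
                every_months: int = 1, days: Optional[int] = DURATION_DAYS) -> date:
    """When both settings are enabled, the consent lapses at whichever date comes first.
    Pass start=None or days=None to model a policy with only one setting enabled."""
    candidates = []
    if start is not None:
        candidates.append(expire_consents_schedule(accepted, start, every_months, 1)[0])
    if days is not None:
        candidates.append(duration_schedule(accepted, days, 1)[0])
    if not candidates:
        raise ValueError("neither expiry setting is enabled")
    return min(candidates)


def consent_is_current(accepted: date, today: date, **policy) -> bool:
    """True while the user's last acceptance has not yet reached its next expiry."""
    return today < next_expiry(accepted, **policy)


if __name__ == "__main__":
    for name, accepted in (("Alice", date(2023, 1, 1)), ("Bob", date(2023, 1, 15))):
        print(name, "monthly from Jan 1:", [d.isoformat() for d in expire_consents_schedule(accepted)])
        print(name, "every 30 days:    ", [d.isoformat() for d in duration_schedule(accepted)])
        print(name, "both enabled, next expiry:", next_expiry(accepted).isoformat())
```

Running the block prints the same rows as the two tables. The `next_expiry` helper shows why combining the settings is unusual: Alice's consent lapses on Jan 31 (the duration rule) while Bob's lapses on Feb 1 (the calendar rule), so the effective cycle differs per user and is harder to explain to them.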
If you selected a custom Conditional Access template, then a new screen appears that allows you to create the custom Conditional Access policy.
View report of who has accepted and declined
To view the history for an individual user, click the ellipsis (...) and then View History.
In the view history pane, you see a history of all the accepts, declines, and expirations.
View Azure AD audit logs
To get started with Azure AD audit logs, use the following procedure:
Click View audit logs.
On the Azure AD audit logs screen, you can filter the information using the provided lists to target specific audit log information.
You can also click Download to download the information in a .csv file for use locally.
If you click a log, a pane appears with additional activity details.
Once a ToU policy is created and enforced, users who are in scope will see the following screen during sign-in.
The following screen shows how a ToU policy looks on mobile devices.
- Sign in to https://myaccount.microsoft.com/.
- Select Settings & Privacy.
- Select Privacy.
Click Edit terms.
- Name – this is the internal name of the ToU that is not shared with end users
- Display name – this is the name that end users can see when viewing the ToU
- You can add a language to an existing ToU
If there are other settings you would like to change, such as PDF document, require users to consent on every device, expire consents, duration before reacceptance, or Conditional Access policy, you must create a new ToU policy.
Once you are done, click Save to save your changes.
Click Edit terms.
For the language for which you want to upload a new version, click Update under the Action column.
In the pane on the right, upload the PDF for the new version.
There is also a Require reaccept toggle here if you want to require your users to accept this new version the next time they sign in. If you require your users to reaccept, the next time they try to access the resource defined in your Conditional Access policy they will be prompted to accept this new version. If you don't require your users to reaccept, their previous consent stays current, and only new users who have not consented before, or users whose consent expires, will see the new version. Note that Require reaccept does not prompt users to accept the new ToU until their current session expires. If you want to ensure reacceptance, delete and recreate the ToU, or create a new ToU for this case.
Once you have uploaded your new pdf and decided on reaccept, click Add at the bottom of the pane.
You will now see the most recent version under the Document column.
View previous versions of a ToU
Click on Languages and version history
Click on See previous versions.
You can click on the name of the document to download that version.
See who has accepted each version
- To see who has currently accepted the ToU, click on the number under the Accepted column for the ToU you want.
- By default, the next page shows you the current state of each user's acceptance of the ToU.
- If you would like to see previous consent events, select All from the Current State drop-down. You can then see each user's events in detail for each version and what happened.
- Alternatively, you can select a specific version from the Version drop-down to see who has accepted that specific version.
Add a ToU language
The following procedure describes how to add a ToU language.
Click Edit Terms
Click Add language at the bottom of the page.
Click Add language.
Click Add to add the language.
Here is a list of the supported platforms and software.
| Chrome (with extension) | Yes | Yes | Yes |
- A device can only be joined to one tenant.
- A user must have permissions to join their device.
- Azure AD B2B users are not supported.
If the user's device is not joined, they will receive a message that they need to join their device. Their experience depends on the platform and software.
Join a Windows 10 device
If a user is using Windows 10 and Microsoft Edge, they will receive a message similar to the following to join their device.
If they are using Chrome, they will be prompted to install the Windows 10 Accounts extension.
Register an iOS device
If a user is using an iOS device, they will be prompted to install the Microsoft Authenticator app.
Register an Android device
If a user is using an Android device, they will be prompted to install the Microsoft Authenticator app.
If a user is using a browser that is not supported, they will be asked to use a different browser.
Click Delete terms.
In the message that appears asking if you want to continue, click Yes.
User acceptance record deletion
User acceptance records are deleted:
- When the admin explicitly deletes the ToU. When this happens all the acceptance records associated with that specific ToU are also deleted.
- When the tenant loses its Azure Active Directory Premium license.
- When the tenant is deleted.
Conditional Access policies take effect immediately. When this happens, the administrator will start to see "sad clouds" or "Azure AD token issues". The administrator must sign out and sign in again in order to satisfy the new policy.
Users in scope will need to sign out and sign in again in order to satisfy a new policy if:
Support for cloud apps
Azure Information Protection
Microsoft Intune Enrollment
Frequently asked questions
Q: How long is information stored?
A: You can create a Conditional Access policy on the enterprise applications using modern authentication. For more information, see enterprise applications.
A: The user is blocked from getting access to the application. The user would have to sign in again and accept the terms in order to get access.
Q: What happens if I'm also using Intune terms and conditions?