Tilbakemeldinger Rediger

Quickstart: Require terms of use to be accepted before accessing cloud apps

  • Artikkel
  • 4 minutter å lese

Before accessing certain cloud apps in your environment, you might want to get consent from users in form of accepting your terms of use (ToU). Azure Active Directory (Azure AD) Conditional Access provides you with:

  • A simple method to configure ToU
  • The option to require accepting your terms of use through a Conditional Access policy

This quickstart shows how to configure an Azure AD Conditional Access policy that requires a ToU to be accepted for a selected cloud app in your environment.

Screenshot of the Azure portal. A pane that defines a policy named Require T O U for Isabella is visible.

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete the scenario in this quickstart, you need:

  • Access to an Azure AD Premium edition - Azure AD Conditional Access is an Azure AD Premium capability.
  • A test account called Isabella Simonsen - If you don't know how to create a test account, see Add cloud-based users.

Test your sign-in

The goal of this step is to get an impression of the sign-in experience without a Conditional Access policy.

To test your sign-in:

  1. Sign in to your Azure portal as Isabella Simonsen.
  2. Sign out.

Create your terms of use

This section provides you with the steps to create a sample ToU. When you create a ToU, you select a value for Enforce with Conditional Access policy templates. Selecting Custom policy opens the dialog to create a new Conditional Access policy as soon as your ToU has been created.

To create your terms of use:

  1. In Microsoft Word, create a new document.

  2. Type My terms of use, and then save the document on your computer as mytou.pdf.

  3. Sign in to your Azure portal as global administrator, security administrator, or a Conditional Access administrator.

  4. In the Azure portal, on the left navbar, click Azure Active Directory.

    Azure Active Directory

  5. On the Azure Active Directory page, in the Security section, click Conditional Access.

    Conditional Access

  6. In the Manage section, click Terms of use.

    Screenshot of the Manage section of the Azure Active Directory page. The Terms of use item is highlighted.

  7. In the menu on the top, click New terms.

    Screenshot of a menu in the Azure Active Directory page. The New terms item is highlighted.

  8. On the New terms of use page:

    Screenshot of the New terms of use page, with the name, display name, document, language, conditional access, and expanding terms toggle highlighted.

    1. In the Name textbox, type My TOU.
    2. In the Display name textbox, type My TOU.
    3. Upload your terms of use PDF file.
    4. As Language, select English.
    5. As Require users to expand the terms of use, select On.
    6. As Enforce with Conditional Access policy templates, select Custom policy.
    7. Click Create.

Create your Conditional Access policy

This section shows how to create the required Conditional Access policy. The scenario in this quickstart uses:

  • The Azure portal as placeholder for a cloud app that requires your ToU to be accepted.
  • Your sample user to test the Conditional Access policy.

In your policy, set:

Setting Value
Users and groups Isabella Simonsen
Cloud apps Microsoft Azure Management
Grant access My TOU

Screenshot of an Azure portal pane that defines a policy. Arrows indicate that the policy grants access to My T O U and includes one user and app.

To configure your Conditional Access policy:

  1. On the New page, in the Name textbox, type Require TOU for Isabella.

    Name

  2. In the Assignment section, click Users and groups.

    Screenshot of the Assignments section of an Azure portal pane that defines a policy. The Users and groups item is visible, with none selected.

  3. On the Users and groups page:

    Screenshot of the Include tab of the Users and groups page. Select users and groups is selected, as is Users and groups. Select is highlighted.

    1. Click Select users and groups, and then select Users and groups.
    2. Click Select.
    3. On the Select page, select Isabella Simonsen, and then click Select.
    4. On the Users and groups page, click Done.

  4. Click Cloud apps.

    Screenshot of the Assignments section of an Azure portal pane that defines a policy. The Cloud apps item is visible, with none selected.

  5. On the Cloud apps page:

    Select cloud apps

    1. Click Select apps.
    2. Click Select.
    3. On the Select page, select Microsoft Azure Management, and then click Select.
    4. On the Cloud apps page, click Done.

  6. In the Access controls section, click Grant.

    Access controls

  7. On the Grant page:

    Grant

    1. Select Grant access.
    2. Select My TOU.
    3. Click Select.

  8. In the Enable policy section, click On.

    Enable policy

  9. Click Create.

Evaluate a simulated sign-in

Now that you have configured your Conditional Access policy, you probably want to know whether it works as expected. As a first step, use the Conditional Access what if policy tool to simulate a sign-in of your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

To initialize the What If policy evaluation tool, set:

  • Isabella Simonsen as user
  • Microsoft Azure Management as cloud app

Clicking What If creates a simulation report that shows:

  • Require TOU for Isabella under Policies that will apply
  • My TOU as Grant Controls.

What if policy tool

To evaluate your Conditional Access policy:

  1. On the Conditional Access - Policies page, in the menu on the top, click What If.

    What If

  2. Click Users, select Isabella Simonsen, and then click Select.

    User

  3. To select a cloud app:

    Screenshot of the Cloud apps section. Text indicates that one app is selected.

    1. Click Cloud apps.
    2. On the Cloud apps page, click Select apps.
    3. Click Select.
    4. On the Select page, select Microsoft Azure Management, and then click Select.
    5. On the cloud apps page, click Done.

  4. Click What If.

Test your Conditional Access policy

In the previous section, you have learned how to evaluate a simulated sign-in. In addition to a simulation, you should also test your Conditional Access policy to ensure that it works as expected.

To test your policy, try to sign-in to your Azure portal using your Isabella Simonsen test account. You should see a dialog that requires you to accept your terms of use.

Screenshot of a dialog box titled Identity Security Protection terms of use, with Decline and Accept buttons and a button labeled My T O U.

Clean up resources

When no longer needed, delete the test user and the Conditional Access policy:

  • If you don't know how to delete an Azure AD user, see Delete users from Azure AD.

  • To delete your policy, select your policy, and then click Delete in the quick access toolbar.

    Screenshot showing a policy named Require M F A for Azure portal users. The shortcut menu is visible, with Delete highlighted.

  • To delete your terms of use, select it, and then click Delete terms in the toolbar on top.

    Screenshot showing part of a table listing terms of use documents. The My T O U document is visible. In the menu, Delete terms is highlighted.

Next steps

Require MFA for specific apps