
Configuring Terms of Use for User Logins to Office 365 and Azure Active Directory


In the good old days there were organizations who were fond of throwing a message up in front of users each time they logged in to their Windows computer on the domain. The messages were typical warnings about improper use of corporate PCs, the internet, and so on.

The old approach had a few problems. First, users largely ignored the message and simply became trained to hit the Enter key to skip past it, because it appeared every time they logged in. Second, there was no enforcement mechanism other than stating that continued use of the computer implied agreement with the terms of use. Nor was a user’s acceptance or rejection of the terms audited in any way. Today, that’s just not good enough for organizations that truly care about ensuring that users are aware of the terms of use of their corporate computers, apps, and services.

Furthermore, in the modern cloud era users are able to log in to all sorts of SaaS applications using their corporate credentials. Although some SaaS apps have their own method of displaying terms of use, a central point of management is best. Fortunately, Azure Active Directory provides that central point with Azure AD Terms of Use, which is a feature of conditional access.

Configuring terms of use in Azure AD requires you to be licensed for Azure AD Premium P1/P2, which are available as standalone licenses or bundled in the EM+S E3/E5 licenses.

You’ll find the terms of use in the conditional access section of the Azure AD portal.

You can have multiple terms of use, which are assigned to users by conditional access policies (which I’ll show you in a moment). Creating terms of use is simple, with just a few fields to fill out. The terms of use themselves are supplied in a PDF document that you must create yourself (or have your legal department create).

The option to require users to expand the terms of use means that they must display the full document before they are allowed to accept or decline it. If they don’t expand it, then they’ll receive a message similar to this.

The conditional access option for the terms of use determines whether a new conditional access policy is created for these terms. If you choose “Access to cloud apps”, an entire policy is created for all users (even admins) and all apps, with no exceptions.

Important! If you allow the terms of use to create a new conditional access policy automatically, the policy applies to all users. That includes the account that AAD Connect uses to authenticate during sync operations. This will cause AAD Connect directory synchronization to break. The solution is to add an exclusion to the conditional access policy for your Sync_* user account.

The other option is to “Create the conditional access policy later”.

If you choose that option, the terms become available as an access control in conditional access policies. Note that any terms of use will become available as an access control no matter which of the two conditional access options you chose.
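As an added example that is not part of the original post, the following Microsoft Graph PowerShell script implements the “create the conditional access policy later” path: it attaches an existing terms of use agreement as the grant control of a new all-users, all-apps policy, excludes the AAD Connect Sync_* account so directory synchronization is not broken, and creates the policy in report-only mode so the assignment can be reviewed before enforcement. It assumes the Microsoft.Graph SDK is installed, that an agreement named "Corporate Terms of Use" already exists, and the policy display name is made up.

```powershell
# Added example, not the post's own code. Creates a conditional access policy whose
# only grant control is an existing Terms of Use agreement, with the Sync_* account excluded.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Agreement.Read.All","User.Read.All"

$graph = "https://graph.microsoft.com/v1.0"

# Look up the agreement created in the portal. "Corporate Terms of Use" is an assumed display name.
$agreements = (Invoke-MgGraphRequest -Method GET -Uri "$graph/identityGovernance/termsOfUse/agreements").value
$agreement  = $agreements | Where-Object { $_.displayName -eq "Corporate Terms of Use" }
if (-not $agreement) { throw "Agreement not found; create it under Conditional Access > Terms of use first." }

# AAD Connect service account(s): the UPN starts with Sync_ by default. These must be excluded.
$syncAccounts = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/users?`$filter=startswith(userPrincipalName,'Sync_')&`$select=id,userPrincipalName").value
if (-not $syncAccounts) { throw "No Sync_* account found; confirm the sync account before applying an all-users policy." }

$policy = @{
    displayName   = "Require Corporate Terms of Use"          # assumed policy name
    state         = "enabledForReportingButNotEnforced"       # report-only first; set to "enabled" after review
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($syncAccounts | ForEach-Object { $_.id })   # the exclusion the post warns about
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator   = "OR"
        termsOfUse = @($agreement.id)                          # the agreement is the only access control
    }
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $policy
"Created policy $($created.id) in state $($created.state); excluded: $(($syncAccounts | ForEach-Object { $_.userPrincipalName }) -join ', ')"
```

Check the report-only sign-in results in the Azure AD sign-in logs before switching the state to "enabled"; any Sync_* account that still shows the policy applied means the exclusion did not take effect.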

It’s also possible to use the same terms of use for multiple policies, or to have multiple policies with their own unique terms of use. You can even “stack” terms of use policies such that a user will need to accept a general terms of use when they first log in to any application, and then have additional app-specific terms of use if there are additional policies that they must comply with for those apps.

For your end users the experience is mostly a good one. Logging in to any app through the browser, a desktop app, or a mobile app will present the terms of use to be accepted or declined.

What I did find was that multiple apps could simultaneously present the terms of use. Logging in to a desktop, I opened a web browser to access Outlook, and as I was reviewing the terms of use both the Teams and OneDrive apps on the desktop also popped up a login dialog with the terms of use displayed.

That could be an edge case though. Either way, once you’ve accepted the terms of use you are no longer presented with them at login. This is an improvement from the old days of the login messages that would show up every single time you logged in.

For admins or compliance staff the list of terms of use in the Azure AD portal will show the number of accept and decline results. There’s also an audit log showing a timeline of events, both administrative and end user.

All up this is a decent feature, certainly an improvement over the old way of doing things. The additional license cost stings a little, but by now it seems we just need to get used to anything even remotely resembling a compliance feature being available through premium license tiers.

Abdulsalam Garba
