L17. Terms of Use and Conditional Access Integration
Configure terms of use policies for the SC-300: create and manage terms of use documents, integrate them with Conditional Access policies, track user acceptance, configure re-acceptance schedules, and implement per-device consent for compliance requirements.
What Are Terms of Use?
Terms of use (ToU) policies present legal or compliance documents that users must accept before accessing resources. They are typically used for acceptable use policies, privacy statements, NDAs, and regulatory compliance acknowledgments. Licensing: Entra ID P1 is required for terms of use policies.
Creating Terms of Use
Key configuration options when creating a ToU:
| Setting | Description |
|---|---|
| Name | Display name for the policy |
| PDF document | The terms document (must be PDF format) |
| Language | Multi-language support (add multiple PDFs) |
| Require users to expand | Forces users to view the full document before accepting |
| Expire consents | Set a date when all consents expire and must be renewed |
| Consent duration | Re-accept on a schedule (e.g., every 365 days) |
| Per-device consent | Requires acceptance on each device separately |
Integrating with Conditional Access
Terms of use are enforced through Conditional Access policies. Without a CA policy referencing the ToU, users will never be prompted to accept. Configuration steps:
1. Create the terms of use document
2. Create a Conditional Access policy
3. Under Grant controls, select "Require terms of use" and choose the specific ToU
4. Assign the policy to the appropriate users, apps, and conditions
Multi-Language Support
A single ToU policy can contain multiple language versions of the document. Each language version is a separate PDF uploaded to the policy. Entra ID detects the user's browser language preference and displays the appropriate version. If no matching language is found, the default language version is shown.
Tracking Acceptance
You can monitor ToU acceptance through several methods:
- Audit logs: Entra ID logs all accept/decline events
- ToU report: Shows acceptance status per user
- Microsoft Graph API: Programmatic access to agreement acceptance data
Navigate to: Entra admin center > Identity governance > Terms of use > [Select ToU] > View report
Re-Acceptance and Expiration
Two mechanisms force users to re-accept terms:
- Expire consents on a specific date: All existing acceptances become invalid on a set date. Every user must re-accept.
- Consent duration (recurring): Each user's acceptance expires after a set number of days from their acceptance date. They must re-accept when their individual consent expires.
Per-Device Consent
When per-device consent is enabled, users must accept the terms on each device they use to access resources. This is useful for organizations that need to track compliance acknowledgment per device, such as BYOD scenarios where personal devices access corporate data.
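The tracking, re-acceptance and per-device sections above describe the same acceptance records that the Microsoft Graph API exposes. The following is an added example (not part of this lesson) that evaluates constructed records shaped like the Graph `agreementAcceptance` resource (`state`, `expirationDateTime`, `deviceId`, `userPrincipalName`) to find which users currently hold no valid consent and which devices each user has accepted on; the live data would come from `GET /identityGovernance/termsOfUse/agreements/{id}/acceptances`.

```python
"""Summarise terms-of-use acceptances from Graph-shaped records (added example)."""
from datetime import datetime, timezone

# CONSTRUCTED sample records mirroring Graph agreementAcceptance fields.
# Real data: GET /identityGovernance/termsOfUse/agreements/{id}/acceptances
SAMPLE_ACCEPTANCES = [
    {"userPrincipalName": "alice@contoso.example", "deviceId": "dev-A1",
     "state": "accepted", "recordedDateTime": "2024-01-10T09:00:00Z",
     "expirationDateTime": "2025-01-09T09:00:00Z"},     # rolling 365-day consent
    {"userPrincipalName": "alice@contoso.example", "deviceId": "dev-A2",
     "state": "accepted", "recordedDateTime": "2024-06-01T09:00:00Z",
     "expirationDateTime": "2025-05-31T09:00:00Z"},     # second device (per-device consent)
    {"userPrincipalName": "bob@contoso.example", "deviceId": "dev-B1",
     "state": "declined", "recordedDateTime": "2024-03-01T12:00:00Z",
     "expirationDateTime": None},                       # declined: blocked by CA
    {"userPrincipalName": "carol@contoso.example", "deviceId": "dev-C1",
     "state": "accepted", "recordedDateTime": "2023-02-01T08:00:00Z",
     "expirationDateTime": "2024-01-31T08:00:00Z"},     # accepted but consent expired
]


def _parse(ts):
    """Parse a Graph UTC timestamp ('...Z') into an aware datetime; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def is_valid(record, now):
    """A record counts only if it was accepted and has not passed its expiration."""
    if record["state"] != "accepted":
        return False
    exp = _parse(record.get("expirationDateTime"))
    return exp is None or exp > now


def valid_devices_by_user(records, now_iso):
    """Per-device view: the devices on which each user currently holds a valid consent."""
    now = _parse(now_iso)
    out = {}
    for r in records:
        devices = out.setdefault(r["userPrincipalName"], set())
        if is_valid(r, now):
            devices.add(r["deviceId"])
    return out


def users_needing_prompt(records, now_iso):
    """Users with no valid acceptance on any device: Conditional Access will prompt them."""
    by_user = valid_devices_by_user(records, now_iso)
    return sorted(u for u, devices in by_user.items() if not devices)


if __name__ == "__main__":
    print(users_needing_prompt(SAMPLE_ACCEPTANCES, "2024-07-01T00:00:00Z"))
```

Running this against a real export lets you verify the ToU report's figures independently and spot consents about to lapse under a rolling consent duration.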
Decline Behavior
If a user declines the terms of use, they are blocked from accessing the resource controlled by the Conditional Access policy. The decline is logged. Users can re-attempt access and choose to accept at any time.
- ✓ Terms of use require Entra ID P1 licensing and are enforced through Conditional Access policies
- ✓ The "Require users to expand" setting forces users to view the full document before the Accept button activates
- ✓ Terms of use appear as a grant control in Conditional Access, combinable with MFA and device compliance
- ✓ Use "Expire consents" for simultaneous re-acceptance; use "Consent duration" for rolling individual re-acceptance
- ✓ Per-device consent requires acceptance on each device separately, useful for BYOD scenarios
1. How are terms of use policies enforced in Entra ID?
2. An organization updated its acceptable use policy and needs all users to re-accept immediately. What setting should they use?
3. What happens when a user declines a terms of use policy?