Organizations will be able to use the following capabilities in Azure AD ToU.
- Help meeting privacy regulations.
- Licensing: Azure AD Premium P1, P2, EMS E3, or EMS E5 licenses.
To start, navigate to the Azure Portal and click on Azure Active Directory > Security > Conditional Access.
- Click on + New Terms
- Specify your language of choice
In the next section you will need to define the user actions:
- Require users to consent on every device
- Expire consents
- Duration before re-acceptance required
For this demonstration I have selected “Require users to consent on every device”.
Once you select this option, you will notice a warning message saying, “Consent on every device will require users to register each device with Azure AD prior to getting access.”
Also, I have selected that users should re-accept after 90 days.
Now that we have defined some of the basic configurations, we need to scroll down and create the associated “Conditional Access Policy”.
On the Conditional Access policy section, click on the drop-down and select “Create conditional access policy later”, and then click on Create at the bottom of the page.
On Conditional Access, click on Policies
From the Policies page, click on + New Policy
On the new Conditional Access Policy blade, provide the following information.
Name: CA001: Enforce ToU for users
Assignments: All User / All guest and external users.
By selecting All guest and external users we force them to comply with the organization's policies as well.
Next, click on Cloud apps or actions and click on “Select apps”.
On the next blade select “Microsoft Azure Management” and then click on Select.
Lastly, select “on” to Enable the policy and then click on Create.
The newly created Conditional Access Policy will be listed with the rest of the policies.
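The same configuration can be created without the portal clicks. The following is an added example, not code from the original post, using the Microsoft Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest) to create the Terms of Use agreement with the options chosen above and the CA001 policy that enforces it for Microsoft Azure Management. Assumptions: the Microsoft.Graph module is installed, the account you sign in with can consent to the listed scopes, and .\terms.pdf is a placeholder path to your own terms document. The app ID used for Microsoft Azure Management is the well-known first-party ID; confirm it against the app list in your tenant.

```powershell
# Added example (not part of the original post): create a Terms of Use agreement and the
# Conditional Access policy that enforces it, via Microsoft Graph v1.0.
# Assumptions: Microsoft.Graph module installed; .\terms.pdf is a placeholder for your PDF.

Connect-MgGraph -Scopes 'Agreement.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# The agreement file must be a PDF, sent base64-encoded.
$pdfBytes = [System.IO.File]::ReadAllBytes((Resolve-Path '.\terms.pdf'))
$pdfB64   = [Convert]::ToBase64String($pdfBytes)

# Terms of Use agreement; each property maps to one of the portal options described above.
$agreementBody = @{
    displayName                       = 'Organization Terms of Use'
    isViewingBeforeAcceptanceRequired = $true   # users must open the document before accepting
    isPerDeviceAcceptanceRequired     = $true   # "Require users to consent on every device"
    userReacceptRequiredFrequency     = 'P90D'  # "Duration before re-acceptance required": 90 days (ISO 8601)
    files = @(
        @{
            fileName  = 'terms.pdf'
            language  = 'en'                    # "Language of choice"
            isDefault = $true
            fileData  = @{ data = $pdfB64 }
        }
    )
}

$agreement = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements' `
    -Body $agreementBody
Write-Host "Created agreement $($agreement.id)"

# Conditional Access policy: all users, Microsoft Azure Management, grant = accept the terms.
$policyBody = @{
    displayName = 'CA001: Enforce ToU for users'
    # The post enables the policy immediately. 'enabledForReportingButNotEnforced' (report-only)
    # lets you confirm in the sign-in logs which users would be affected before enforcing it.
    state       = 'enabled'
    conditions  = @{
        # 'All' covers members, guests and external users alike.
        # Add excludeUsers = @('<object id>') for an emergency-access account so a misconfigured
        # policy cannot lock every admin out of the portal.
        users        = @{ includeUsers = @('All') }
        # Well-known app ID of "Microsoft Azure Management" (Windows Azure Service Management API).
        applications = @{ includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013') }
    }
    grantControls = @{
        operator   = 'OR'
        termsOfUse = @($agreement.id)          # the agreement created above
    }
}

$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $policyBody
Write-Host "Created policy $($policy.displayName) ($($policy.id)), state: $($policy.state)"
```

Per-device acceptance has the consequence the portal warns about: users must register each device with Azure AD before the consent is recorded, so unregistered devices will be prompted on every sign-in until they are registered.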
How do you know if it works?
Since this policy applies to all users in the organization, we just need to sign in to the Azure Portal.
You will then be presented with the following screen after sign-in.
Once users have reviewed the terms and clicked Accept, they will be allowed to access the portal.
On the Azure Active Directory Portal navigate to Sign-in logs.
On the sign-in logs page, click on Filter and add Conditional Access > Success.
Click on the user with the successful sign-in, then click on Conditional Access on the Activity Details page.
As we can see from the image below the conditional access policy applied successfully for the end user.
If you click on “Users accepted” then a new blade will open showing you all the users who have accepted the terms.
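The two checks described in this section, the applied policy in the user's sign-in log and the "Users accepted" list, can also be run from PowerShell. The following is an added example, not code from the original post, using the Microsoft Graph PowerShell SDK; it filters the sign-in log for the user and a successful Conditional Access evaluation, reports whether the CA001 policy was applied, and lists the user's recorded acceptances for the agreement. The user principal name and the agreement ID are placeholders you replace with your own values.

```powershell
# Added example (not part of the original post): verify enforcement from the Graph API.
# Placeholders: replace $upn and $agreementId with values from your tenant.
$upn         = 'user@contoso.example'
$agreementId = '<agreement-id>'
$policyName  = 'CA001: Enforce ToU for users'

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Agreement.Read.All'

# 1. Sign-in log: same filter as the portal (Conditional Access > Success), narrowed to one user.
$filter  = "userPrincipalName eq '$upn' and conditionalAccessStatus eq 'success'"
$uri     = 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=10&$filter=' +
           [uri]::EscapeDataString($filter)
$signIns = Invoke-MgGraphRequest -Method GET -Uri $uri

foreach ($s in $signIns.value) {
    # Each sign-in lists every policy evaluated; we only care about the ToU policy.
    $applied = $s.appliedConditionalAccessPolicies | Where-Object { $_.displayName -eq $policyName }
    if ($applied) {
        '{0}  app={1}  CA status={2}  {3} -> {4}' -f $s.createdDateTime, $s.appDisplayName,
            $s.conditionalAccessStatus, $applied.displayName, $applied.result
    }
}

# 2. "Users accepted": acceptances recorded against the agreement. With per-device consent,
#    one entry per device is expected, so the device name is shown too.
$acceptances = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements/$agreementId/acceptances"

$acceptances.value |
    Where-Object { $_.userPrincipalName -eq $upn } |
    ForEach-Object {
        '{0}  state={1}  recorded={2}  device={3}  expires={4}' -f $_.userPrincipalName,
            $_.state, $_.recordedDateTime, $_.deviceDisplayName, $_.expirationDateTime
    }
```

Sign-in log entries can lag a few minutes behind the actual sign-in, so rerun the first query if a fresh sign-in is not yet listed. A `result` of `success` on the applied policy together with an `accepted` acceptance record for the user is the API equivalent of what the portal screenshots above show.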