Quickstart: Require terms of use to be accepted before accessing cloud apps

In this quickstart, you'll configure a Conditional Access policy in Azure Active Directory (Azure AD) to require users to accept terms of use.


To complete the scenario in this quickstart, you need:

  • An Azure account with an active subscription. Create an account for free.
  • Azure AD Premium P1 or P2 - Azure AD Conditional Access is an Azure AD Premium capability. You can sign up for a trial in the Azure portal.
  • A test account to sign-in with - If you don't know how to create a test account, see Add cloud-based users.

without terms of use

The goal of this step is to get an impression of the sign-in experience without a Conditional Access policy.

  1. Sign in to the Azure portal as your test user.
  2. Sign out.

Create your terms of use

This section provides you with the steps to create a sample ToU. When you create a ToU, you select a value for Enforce with Conditional Access policy templates. Selecting Custom policy opens the dialog to create a new Conditional Access policy as soon as your ToU has been created.

  1. In Microsoft Word, create a new document.

  2. Type My terms of use, and then save the document on your computer as mytou.pdf.

  3. Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or a Global Administrator.

  4. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.

    Screenshot of terms of use shown in the Azure portal highlighting the new terms button.

  5. In the menu on the top, select New terms.

    Screenshot that shows creating a new terms of use policy in the Azure portal.

  6. In the Name textbox, type My TOU.

  7. Upload your terms of use PDF file.

  8. Select your default language.

  9. In the Display name textbox, type My TOU.

  10. As Require users to expand the terms of use, select On.

  11. As Enforce with Conditional Access policy templates, select Custom policy.

  12. Select Create.

Create a Conditional Access policy

This section shows how to create the required Conditional Access policy.

The scenario in this quickstart uses:

  • The Azure portal as placeholder for a cloud app that requires your ToU to be accepted.
  • Your sample user to test the Conditional Access policy.

To configure your Conditional Access policy:

  1. On the New page, in the Name textbox, type Require Terms of Use.
  2. Under Assignments, select Users or workload identities.
    1. Under Include, choose Select users and groups > Users and groups.
    2. Choose your test user, and choose Select.
  3. Under Assignments, select Cloud apps or actions.
  4. Select Cloud apps or actions.
    1. Under Include, choose Select apps.
    2. Select Microsoft Azure Management, and then choose Select.
  5. Under Access controls, select Grant.
    1. Select Grant access.
    2. Select the terms of use you created previously called My TOU and choose Select.
  6. In the Enable policy section, select On.
  7. Select Create.

Test your Conditional Access policy

In the previous section, you created a Conditional Access policy requiring terms of use be accepted.

To test your policy, try to sign-in to your Azure portal using your test account. You should see a dialog that requires you to accept your terms of use.

Screenshot of a dialog box titled Identity Security Protection terms of use, with Decline and Accept buttons and a button labeled My TOU.

Clean up resources

When no longer needed, delete the test user and the Conditional Access policy:

  • If you don't know how to delete an Azure AD user, see Delete users from Azure AD.

  • To delete your policy, select the ellipsis (...) next to your policies name, then select Delete.

  • To delete your terms of use, select it, and then select Delete terms.

    Screenshot showing part of a table listing terms of use documents. The My T O U document is visible. In the menu, Delete terms is highlighted.

Next steps