Forgotten Features Series, Part 1: The Legal Gatekeeper You Aren’t Using – Conditional Access – Terms of Use

This blog post demonstrates how to securely enforce organizational compliance and gain explicit, auditable user consent before granting access to sensitive cloud applications. While powerful security controls like Multi-Factor Authentication (MFA) and Compliant Devices are standard, configurations often lack the legal foundation required to prove that a user has read and agreed to your policies. This guide will show you how to enhance security and compliance even further by leveraging Conditional Access Terms of Use.

What is Conditional Access Terms of Use?

Conditional Access Terms of Use is a grant control that requires users to view and explicitly accept a policy document (a PDF) as a condition of access to a resource. This feature provides an invaluable audit trail, proving when a user consented to specific organizational rules.

Here are some of the key features of Conditional Access Terms of Use:

  • Explicit Consent: Requires the user to “Accept” to proceed, creating a digital signature of consent.
  • Targeted Enforcement: Can be targeted to specific user groups (like Guest Users/Contractors) or specific applications (like Financial portals).
  • Device Consent: Can be used to gain user acceptance for policies related to device management, such as the organization’s right to enable location tracking for asset recovery on lost devices.
  • Time-Bound Consent: Allows administrators to assign an expiration date, requiring users to periodically re-accept the latest version of the terms (e.g., every 90 days).
  • Audit Trail: Generates a robust, legally sound audit history of user consent, which is essential for compliance reporting.
  • Multi-Language Support: Allows multiple PDF versions for different languages.

More information can be found here:
Set Up Microsoft Entra Terms of Use with Conditional Access – Microsoft Entra ID | Microsoft Learn

Requirements

  • Microsoft Entra ID P1 or P2 (Required for Conditional Access).
  • Conditional Access Administrator role (the less privileged of the two and sufficient here) or Global Administrator role for configuration.

Configuration

This section will guide you through the process of configuring the Terms of Use and linking it to a Conditional Access policy to enforce mandatory acceptance. We’ll focus on a common scenario: requiring all external contractors to accept a data security policy.

Step 1: Create a Terms of Use Document

The first step is uploading your policy document and defining its key properties, such as display name and recurrence.

  • In the Microsoft Entra admin center, navigate to Protection > Conditional Access.
  • In the left-hand navigation, click Terms of use.
  • Click New terms of use.
  • Fill in the required fields:
    • Name: New Joiners accept terms of use
    • Display name: <Name of your document>
    • Terms of use file: Click the folder icon and upload your PDF file.
  • Require users to expand the terms of use: Set to On (best practice, so users must open the document before they can accept it).
  • Require users to consent on every device used to access the app: Set to On (Recommended for strict compliance).
  • Expire consents: Set to On. Select Frequency as 90 days to mandate periodic re-acceptance.
  • Click Create.

Step 2: Create Conditional Access Policy to enforce Terms of Use

We will now create a Conditional Access policy that blocks access for our target users unless they have accepted the newly created Terms of Use.

  • Navigate to the Microsoft Entra admin center and go to Protection > Conditional Access.
  • Click Create new policy.
  • Name: New Joiners Accept Terms of Use
  • Assignments:
    • Users: Under the Include tab, select Select users and groups. Search for and select your security group containing All Guest Users or External Contractors.
  • Target resources:
    • Select Cloud apps.
    • Under the Include tab, choose Select apps, and then search for and select your sensitive application (e.g., “SharePoint Online” or all cloud apps).
  • Access controls:
    • Click Grant.
    • Select Require terms of use.
    • In the dropdown, select the `Terms of Use for Organizational Devices`.
    • Ensure Require one of the selected controls is chosen.
  • Set Enable policy to On and click Create.

Test the Terms of Use Activation Workflow

It’s crucial to test the entire activation flow from a targeted user’s perspective (e.g., a contractor).

  1. Initial Access Attempt: Log in as a user who is included in the target group.
  2. Terms of Use Presentation: Attempt to access the protected application (e.g., SharePoint Online). The user will be immediately blocked and presented with the Terms of Use screen.
  3. Review and Acceptance: The user must read the terms, tick the acceptance checkbox, and click Accept.
  4. Access Granted: Upon clicking Accept, the user is immediately granted access to the application, as they have satisfied the mandatory grant control.
  5. Audit Verification: As an administrator, verify the acceptance in the Microsoft Entra Sign-in logs or in the Terms of use blade under View accepted users. The sign-in log entry should show a successful sign-in with the Terms of Use listed as a satisfied grant control.
  6. Re-acceptance Test: If you configured a 90-day expiration, check that the user is prompted to accept the terms again 90 days after their initial consent.
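The same Step 1 and Step 2 settings expressed as Microsoft Graph request bodies, plus the Step 6 expiry check, as an added example that is not part of the original post. The payload shapes follow the Graph `agreement` and `conditionalAccessPolicy` resources as I know them; the group and application IDs are constructed placeholders, and nothing is sent to the API.

```python
import base64
from datetime import datetime, timedelta

# Constructed placeholder object IDs; replace with your tenant's real GUIDs.
CONTRACTORS_GROUP_ID = "PLACEHOLDER-GROUP-OBJECT-ID"
PROTECTED_APP_IDS = ["PLACEHOLDER-SHAREPOINT-ONLINE-APP-ID"]


def build_agreement(display_name, pdf_bytes, file_name, expire_start, days=90):
    """Body for POST /identityGovernance/termsOfUse/agreements (Step 1):
    expand-before-accept, per-device consent, consent expiry every 90 days."""
    return {
        "displayName": display_name,
        "isViewingBeforeAcceptanceRequired": True,  # Require users to expand
        "isPerDeviceAcceptanceRequired": True,      # Consent on every device
        "termsExpiration": {"startDateTime": expire_start, "frequency": f"P{days}D"},
        "files": [{
            "fileName": file_name, "language": "en-US", "isDefault": True,
            "fileData": {"data": base64.b64encode(pdf_bytes).decode("ascii")},
        }],
    }


def build_policy(name, group_id, app_ids, agreement_id):
    """Body for POST /identity/conditionalAccess/policies (Step 2): grant
    access to the group's users only once the agreement has been accepted."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": [],
                          "termsOfUse": [agreement_id]},
    }


def policy_enforces_agreement(policy, agreement_id):
    """Sanity check before enabling: the policy is on, scopes at least one
    group, and its grant control references the intended agreement ID."""
    grant = policy.get("grantControls") or {}
    users = policy.get("conditions", {}).get("users", {})
    return (policy.get("state") == "enabled"
            and agreement_id in grant.get("termsOfUse", [])
            and bool(users.get("includeGroups")))


def reacceptance_due(accepted_at_iso, now_iso, days=90):
    """Step 6: with a 90-day expiry, consent recorded at accepted_at lapses
    once `days` have passed and the user must accept the terms again."""
    accepted = datetime.fromisoformat(accepted_at_iso)
    return datetime.fromisoformat(now_iso) >= accepted + timedelta(days=days)
```

Running `policy_enforces_agreement` against the body you are about to POST catches the easy mistake of wiring the policy to a different agreement than the one created in Step 1.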

Demo of User Experience

Conclusion

This blog post has illustrated how integrating Conditional Access Terms of Use into your Conditional Access framework fundamentally transforms your compliance and audit posture. By requiring explicit, auditable acceptance of policies, you transition from relying on generic legal disclaimers to having a rigorous, system-enforced proof of consent.

Terms of Use provides the essential legal guardrails to ensure that access to critical tools is based not just on identity verification but also on proven user acknowledgment of their responsibilities. Embracing this “advanced” security measure goes beyond mere technical security. It establishes a foundation of accountability that protects your organization’s most valuable digital assets from both internal and external misuse.

Next in the Series: Part 2 shines a spotlight on Administrative Units, highlighting an essential yet often overlooked capability that enables more granular and effective management.