The "Why"
Introducing cloud software like Microsoft 365 has a big impact on your users. With a tool like Microsoft Teams, users will find many different ways to use it. Setting rules for using Teams and SharePoint can improve user experience and data security. These rules include how to use Teams correctly, how to behave in Teams, and how to handle data, especially sensitive data. It's important to ensure users are aware of these rules.
Many companies in Germany likely have a Betriebsrat, which represents the employees. They often create a Betriebsvereinbarung for new software products. This document outlines
- specific working conditions
- operational requirements
- rules on how to use a software product
- what users need to do in order to protect data and privacy
- what IT has set up in order to protect data and the users' privacy.
Users need to be aware of this document and may need to accept it regularly or when there are changes.
Terms of use
Microsoft Entra ID (formerly Azure Active Directory) has a feature called “Terms of use.” This feature allows you to present a document to your users when signing into Microsoft 365 apps, which they then need to acknowledge and accept either once or regularly. This is not limited to Microsoft 365 apps; it can be used with any application connected to Entra ID that uses Microsoft accounts to sign in.
You can compare this feature to the countless terms and conditions you accept when signing up for a service or installing new software on your computer. The picture below shows an example of how it looks to a user. In this example, the user signed into an app from the browser. If a user signs into a desktop app like Teams or Word, a pop-up window will be displayed.
Features
- Terms of use are always rolled out together with a Conditional Access policy. This means you can scope the Terms of use to users, groups (static or dynamic), guests, or when certain network or hardware conditions are met.
- Terms of use documents can be uploaded as PDFs in multiple languages. The language presented is based on the user or browser language used.
- Terms of use can be accepted once, only when changes are made, or regularly, such as every 6 months.
- You can have up to 40 different Terms of use, each with their own languages.
- For each Terms of use, you will be able to see who accepted or declined and when.
- If a user accepts, they will automatically be redirected to the app they were trying to sign in to or use. If a user declines, they will not be able to sign in at that time. They will be asked to sign in again, which will then show the Terms of use again.
Licensing
The feature requires a Microsoft Entra ID P1 license. The P1 license is included in Business Premium and all Microsoft 365 Enterprise licenses (from F1 to E5).
B2B guest accounts are already covered by the external identity licensing, which is included automatically for free for the first 50,000 currently signed-in guests.
How to set up
- Open the Entra ID portal (https://entra.microsoft.com)
- Navigate to Protection > Conditional Access > Terms of use
- Click on New terms. A few words about the example configuration:
  - "Require users to expand the Terms of use" can be a good way to at least have the user expand before clicking accept. This won't force the users to read it, but the chances are a tiny bit higher that they will.
  - "Require users to consent on every device" does not work with all applications. Additionally, there are not many use cases in which this will make sense. I usually keep this off.
  - "Expire consents" is more often used than "Duration before re-acceptance required (days)". You can combine them, depending on your situation.
  - You can either connect this to an existing conditional access policy or create your own later.
After you create a Terms of use and connect it to a conditional access policy that includes administrators (the policy takes effect immediately), the administrator who created the policy should sign in again to satisfy the Terms of use. Otherwise, you might see some errors.
Updating existing Terms of use
The time will come when you need to update a Terms of use document or add new languages.
- Open the Entra ID portal (https://entra.microsoft.com)
- Navigate to Protection > Conditional Access > Terms of use
- Highlight the Terms of use by clicking into the row, but not on the name. Then, click Edit Terms at the top.
- You can only update the documents in it, add other languages, or change the display name (which is shown to the users and in Entra)
- When you update one or more languages, you can choose to force a re-consent, if necessary.
Checking Terms of use status
Administrators can see which users have accepted specific terms and when.
As an administrator
- Open the Entra ID portal (https://entra.microsoft.com)
- Navigate to Protection > Conditional Access > Terms of use
- Click on the number displayed in the columns “Current Accepted” or “Current Declined” for the Terms of use you want to check explicitly
- User acceptance records are not deleted automatically
- If you delete the Terms of use, unassign the Entra ID license from all users and the tenant, or delete the tenant, the records will be deleted.
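The portal shows who accepted or declined and when. The following added example, which is not part of the original post, turns such records into a per-user status for everyone the policy targets. The field names follow the Microsoft Graph agreementAcceptance resource; the users, dates and the helper names `parse_ts`, `latest_per_user` and `audit` are constructed for illustration.

```python
# Added example: report in-scope users without a current Terms of use acceptance.
# Record fields mirror Microsoft Graph agreementAcceptance; all data is constructed.
from datetime import datetime, timezone

def parse_ts(value):
    # Graph timestamps are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def latest_per_user(records):
    """Keep the most recent record per user; UPNs compare case-insensitively."""
    latest = {}
    for rec in records:
        upn = rec["userPrincipalName"].lower()
        prev = latest.get(upn)
        if prev is None or parse_ts(rec["recordedDateTime"]) > parse_ts(prev["recordedDateTime"]):
            latest[upn] = rec
    return latest

def audit(scope_upns, records, now):
    """Classify each in-scope user: accepted, declined, expired or missing."""
    latest = latest_per_user(records)
    report = {}
    for upn in scope_upns:
        rec = latest.get(upn.lower())
        expires = rec.get("expirationDateTime") if rec else None
        if rec is None:
            report[upn] = "missing"      # no acceptance record for this user
        elif rec["state"] != "accepted":
            report[upn] = "declined"
        elif expires and parse_ts(expires) <= now:
            report[upn] = "expired"      # consent lapsed, re-acceptance pending
        else:
            report[upn] = "accepted"
    return report

# Constructed sample: users targeted by the Conditional Access policy.
SCOPE = ["alice@contoso.example", "bob@contoso.example", "carol@contoso.example", "dave@contoso.example"]
# Constructed sample acceptance records (alice declined first, then accepted).
RECORDS = [
    {"userPrincipalName": "alice@contoso.example", "state": "declined", "recordedDateTime": "2024-01-10T08:00:00Z", "expirationDateTime": None},
    {"userPrincipalName": "Alice@contoso.example", "state": "accepted", "recordedDateTime": "2024-01-10T08:05:00Z", "expirationDateTime": "2024-07-10T08:05:00Z"},
    {"userPrincipalName": "bob@contoso.example", "state": "accepted", "recordedDateTime": "2023-06-01T09:00:00Z", "expirationDateTime": "2023-12-01T09:00:00Z"},
    {"userPrincipalName": "carol@contoso.example", "state": "declined", "recordedDateTime": "2024-02-01T10:00:00Z", "expirationDateTime": None},
]
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "now" keeps the result reproducible

if __name__ == "__main__":
    for user, status in audit(SCOPE, RECORDS, NOW).items():
        print(f"{user:24} {status}")
```

Users reported as missing, declined or expired are the ones to follow up with when a Betriebsvereinbarung requires acceptance from everyone in scope.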
As a user
You can check and review the Terms of use on your account page https://myaccount.microsoft.com/ > Settings & Privacy > Privacy > Organizations notice. Clicking on View will reveal a list of every time you accepted a specific Terms of use in your company.
What to do next
If your company does not have a workers' council or a compliance department, you can find a few examples on Google. (e.g. http://www.tse.de/vereinbarungen/office/M365.php) Use these as a start and add your own flavor to it.
- Consider a regular re-acceptance policy. This is not legally mandatory for Betriebsvereinbarungen, though it makes sense to at least have all users accept once and re-accept when updated. For updates, put a change history at the top of the PDF. This way users can quickly see what changed.
- If you want to have a recurring acceptance policy, consider an interval like quarterly or bi-annually.
- Evaluate the following other use cases based on your needs:
  - When using Information Protection to classify documents, you can have Terms of Use show when a user opens a protected document for the first time. Example: You only set up one label to classify confidential documents and you want to educate users about the document's sensitivity.
  - Administrators hold incredible power inside companies. If they want, they can access a lot of sensitive data. All administrators should therefore sign an agreement for administrators' guidelines. I signed my first agreement on paper; my company could have used Terms of Use for that. Here, a recurring acceptance makes the most sense.
  - Using Power Platform in your company is great for productivity but can also lead to a lot of compliance and security questions. What if users start processing personal information in an app? Terms of Use can help set guidelines for the usage of services like Power Automate and Power Apps.
  - Some companies might want to allow BYOD devices and allow users to enroll their devices themselves. For this, you can connect Terms of Use with just the Intune Enrollment. Whenever a user registers a new device, these Terms of Use will show. You can use the terms to clarify what administrators can see, what they can't, what actions users have to take (software), and what actions administrators are taking (security guidelines).
Thanks for reading! 💕