Garage: Azure AD Terms of Use for B2B and AIP

As already mentioned, this blog will have detailed (long) posts and also shorter ones with a “garage character” that document features and solutions I evaluate. This is the first post in this ‘garage’ category.
To be honest, I believe this whole “terms of use” thing was triggered by this guy here. Oliver and I were in a project at a customer that wanted this functionality: users would have to accept some sort of terms of use before proceeding with a service. (Of course we were not the only ones requesting this feature, but he was the first to chat about it with the Intune product group.) You can like this feature or not, and you can also doubt its value in a modern IT world, but sometimes it makes things easier (especially in bureaucratic Germany) and you don’t want to fight every fight.
Anyway: Microsoft has started to expand this functionality. You can now require users to accept the terms of use (TOU) on each device, and you can even let the acceptance expire so that users have to re-accept it after a certain period of time.
It is also being expanded to other services (currently in public preview):
- Intune Enrollment
- B2B Users
- AIP Documents
Let’s take a closer look at these use cases:
In all cases, you create a conditional access policy that requires the targeted users to accept your company’s terms of use. In this policy, we combine the requirements for B2B users, Intune enrollment and AIP users. So we select “all guest users” for the B2B scenario and then a specific user (Hedi) for the AIP and Intune demo (in the real world, you would probably select ‘all users’ here):
Next, you select the AIP cloud app and the Intune enrollment cloud app to indicate that those apps should bring up the terms of use when accessed:
Here you go: under access controls you then have the control “all users terms of use” (which is the name of the terms of use I created). Select it and enable the policy:
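The same policy built from the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post: it targets all guest users plus one named user, scopes the policy to the AIP and Intune enrollment cloud apps, and sets the terms of use as the grant control. Assumptions: the Graph SDK modules are installed, an agreement named “all users terms of use” already exists, the cloud app display names and the demo user’s UPN are placeholders to check against your tenant.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Agreement.Read.All", "User.Read.All", "Application.Read.All"

# The terms-of-use agreement the policy enforces (name taken from the post)
$tou = Get-MgIdentityGovernanceTermsOfUseAgreement |
    Where-Object { $_.DisplayName -eq 'all users terms of use' }
if (-not $tou) { throw "Terms of use agreement 'all users terms of use' not found" }

# Cloud apps that should trigger the prompt: AIP and Intune enrollment.
# The display names below are assumptions; the app IDs are resolved from your tenant's
# service principals rather than hard-coded.
$apps = foreach ($name in 'Microsoft Azure Information Protection', 'Microsoft Intune Enrollment') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { throw "Service principal '$name' not found, check the display name in your tenant" }
    $sp.AppId
}

# The specific demo user for the AIP / Intune scenario (UPN is a placeholder)
$demoUser = Get-MgUser -Filter "userPrincipalName eq 'hedi@contoso.example'"
if (-not $demoUser) { throw "Demo user not found" }

$params = @{
    displayName   = "Require terms of use: guests, AIP, Intune enrollment"
    # Start in report-only mode; switch to "enabled" once the sign-in logs show the expected matches
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            # "GuestsOrExternalUsers" is the Graph literal for the "all guest users" selection in the portal
            includeUsers = @("GuestsOrExternalUsers", $demoUser.Id)
        }
        applications = @{
            includeApplications = @($apps)
        }
    }
    grantControls = @{
        operator   = "OR"
        termsOfUse = @($tou.Id)   # the grant control shown as "all users terms of use" in the portal
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```

Review the policy in report-only mode before enabling it, since a mis-scoped conditional access policy can lock out accounts that are not exempted.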
If you now share a document with a guest user via email …
… this guest user gets a prompt to accept the terms of use when opening the document you shared (as you can see, it adapts to your language :-)):
If you send someone an AIP-protected document (you don’t have to send it by mail; the ‘terms of use’ is triggered when you authenticate against AAD, since that is when the conditional access policy fires) …
… the recipient then also has to accept the terms of use when opening the document:
Conclusion
The more granular it gets, the better. That way you prompt your users to accept the terms of use only where it is absolutely necessary, without annoying them.