Hi There,

I’d like to walk you through the new series of articles regarding Azure AD Identity Governance (AIG)

This is the first article (out of 4) where I would like to show you the AIG, how to configure it and the use cases.

AIG Introduction

So let’s start with the topic introduction.

According to the Microsoft documentation:

Azure AD Identity Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility.


In other words, using AIG you can govern three pillars:

  1. Identity Lifecycle
  2. Access Lifecycle
  3. Privileged access for admins


Like every tool, AIG is built based on components that used together can do magic 🙂

The picture below describes components of AIG (described more later in this article)

Azure AD Identity Governance

As you can see, there are four components:

  • Entitlement Management – this is the stuff that will help you with External and Internal user access to the groups, teams, applications, and SharePoint sites.
  • Access Reviews this will help you with timeboxed repeatable reviews (manual and automatic) for your user’s group membership.
  • Terms of Use This is a small tool but very useful when it comes to collaboration with external partners/contractors
  • Privileged Identity Management you can use Just-In-Time access for your high privileged directory roles and resources (yes, PIM is not only for Azure AD roles but also for resources roles!).

    But from my point of view,
    there are two more features that are somehow related to AIG:
  • Azure AD B2B – If you want to invite external users, you have to use Azure AD B2B – remember there is a licensing limitation – 5 guests per one user from your tenant (if you have 100 users, you can invite up to 500 external users)
  • Conditional Access – without CA policy, you cannot use Terms of Use for external users.


Azure AD Identity governance is a part of the Azure AD Premium P2 license level.

Configuring Terms of Use (ToU)

Today we will start from the very simple stuff, which is the Terms of Use

Terms Of Use overview

I assume that you have accepted any ToU during your life, so I will focus on why we have to do this and how it works.

Why to enable ToU?

It’s simple – we want to make sure that all guests/external users, who are accessing our environment will know what are the rules that are applied within the tenant.

How does it work?

Terms of Use itself will now change anything – it’s just a simple pdf file uploaded into the Azure.

The magic starts when we will connect it with Azure AD Conditional Access.

We all know that there are settings to target CA policy for guest/external users.

Configuration Process

Diagram above describes the steps required to create ToU and CA policy.

  1. You need to login in with an account that has access to the Identity Governance and Conditional Access (let’s assume Global Admin)
  2. Upload Company ToU into the Terms of Use
  3. Switch to the Conditional Access and create a policy that will be enforced for all guest/external users that are trying to access your environment. this policy will require you to accept ToU file when accessing the environment for the first time.

The diagram below describes the situation when a guest/external user is trying to access our environment.

Terms Of Use in use.
  1. Guest/External user is trying to access our application hosted under our Azure AD tenant.
  2. CA policy is triggered and the user is redirected to the Company ToU, and has to read it and accept it.
  3. When done access to the environment is granted, and the Guest/External user can access every application where he has access.

Environment configuration

TOU configuration

Let’s log in to the Azure Portal / Azure AD using the following link:

You should see the screen like below. From the left-side menu, please click on the Terms of Use:

Azure AD Identity governance

By default, there is no template/draft/sample file created, so you need to receive it from your Legal department as a pdf file.

On the Identity Governance | Terms of use screen, click on the New terms

Adding new terms of use

On the New terms of use screen, you will configure the behavior including:

Name: In my case, Azure Blog Terms of Use.

Display Name: In my case Azure Blog Terms of Use

Terms of use document: here, you can upload the pdf file and select its language. The good thing is that you can add multiple ToU files with different languages, and based on the OS language proper one will be delivered.

Require users to expand the terms of use: Yes – it will require “small” interaction from the guest/external user.

Leave the rest on default settings with one exception – Enforce with conditional access policy templates: change it to the Create conditional access policy later.

Configuring Terms of use
Configuring Terms of use

We are almost done. TOU has been created but let’s check what we can see from the portal point of view.

Click on our freshly made Terms of view to see document details.

Terms of use details

You may notice that there is information like Users accepted, Users declined, additionally, if you have enabled Azure AD diagnostics, you will be able to see audit logs as well.

Conditional Access configuration

Now we can switch to the Conditional Access configuration using the following link:

You might have some CA policies already configured, so click New policy

Conditional Access policies

On the New screen, we need to provide:

  • Name: Require ToU for all guests/external users
  • Assignments\Users and groups: Select users and groups\All guest and external users
  • Assignments\Cloud apps or actions: All cloud apps
  • Access controls\Grant: Grant Access\Require multi-factor authentications
  • Access controls\Grant: Grant Access\Azure Blog Terms of use
  • Access controls\Grant: Require all selected controls
  • Enable policy: ON (normally, I would suggest putting this into the Report-only mode first, but this policy will not harm anything)
Conditional access policy configuration
Conditional access policy configuration
Conditional access policy configuration

Configuration Test

The required continuation was configured, so no, it is the time for the test.

In order to do that, we need to invite an external user to our tenant (I will skip this) and then access the environment for the first time.

I will access the test environment using my private account (In fact, already a guest user of the test environment).

The first configuration setting that I will be affected by is the MFA requirement.

MFA request

Then after approving the MFA request, I would be moved to the Terms of Use.

Azure Blog Terms of Use

You can discover that there is an arrow next to the Azure Blog Terms of Use (after clicking it, ToU will be expanded)

Azure Blog Terms of Use

After reading the full TOU we can accept or decline it. I will accept it.

As you can see in the picture below Users accepted value changed to one.

Terms of use document details


Today I showed you how to configure the Terms of Use and Conditional Access policy to use it.

This was just a small part of the huge tool, which is Identity Governance.

Stay tuned for the next article in the series related to Entitlement Management.

Comments are closed.