Regarding Terms of Use in Azure AD conditional Access.

Subramanyam k 251 Reputation points
2020-12-23T12:46:55.76+00:00

We have created one Terms of Use and attached it to a policy. The policy has the configuration settings below:

  1. Users and Groups -- All Users
  2. Cloud Apps or actions -- Select a particular application (which is a multitenant application).
  3. Enable Policy -- On

When we specified /tenantid in the Authorization URL, the Terms of Use window is shown for all users of the AD.

Question1:

When we specified /common in the Authorization URL, we observed that the Terms of Use window is not displayed for any user (tenant user, other tenant or external tenant users).
Is this working as expected, or did we miss any settings? Please suggest.

Question2:

What is the usage of the option under the section Users and Groups --> Select users and groups --> All guest and external users?

Please refer to screenshot 1.


Accepted answer
  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2020-12-23T19:17:34.243+00:00

    @Subramanyam k
    Thank you for your post! I'm glad to hear that everything is working as expected when you're using the "/tenant" endpoint within your Authorization URL. When it comes to the "/common" endpoint, it's working as expected. You aren't receiving your TOU because it's not a tenant and is not an issuer, it's just a multiplexer.

    For example:
    With a multi-tenant application, the application doesn't know up front what tenant the user is from, so you can't send requests to a tenant's endpoint. Instead, requests are sent to an endpoint that multiplexes across all Azure AD tenants, i.e. "https://login.microsoftonline.com/common". When the Microsoft identity platform receives a request on the /common endpoint, it signs the user in and, as a consequence, discovers which tenant the user is from. For more info.

    For All guest and external users, this selection includes any B2B guests and external users including any user with the user type attribute set to guest. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP). For more info.

    For a complete breakdown of Conditional Access Policies.

    I hope this helps!
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

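As an added example (not part of the question or the answer above), the following Python shows what the answer describes from the application's side: after a /common sign-in, the `tid` and `iss` claims of the ID token name the tenant the user was actually signed in to, never /common itself, and the app can then build a tenant-scoped authorize URL for that tenant. The tenant id, client id, redirect URI and the ID token are constructed placeholders; the token is unsigned, so signature validation is deliberately skipped here.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issuer_matches_tenant(claims: dict) -> bool:
    """True if `iss` is the tenant-scoped issuer for the token's own `tid`.

    /common is a multiplexer, not an issuer, so it must never appear in `iss`.
    Both the v2.0 and the v1.0 (sts.windows.net) issuer formats are accepted.
    """
    tid = claims["tid"]
    expected = {f"{AUTHORITY}/{tid}/v2.0", f"https://sts.windows.net/{tid}/"}
    return claims.get("iss") in expected


def tenant_from_id_token(id_token: str) -> str:
    """Return the tenant id that issued the token, or raise if `iss` is not tenant-scoped.

    Only the payload is parsed; a production app must verify the signature
    against the issuer's signing keys before trusting any claim.
    """
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if not issuer_matches_tenant(claims):
        raise ValueError(f"unexpected issuer {claims.get('iss')!r} for tenant {claims['tid']}")
    return claims["tid"]


def authorize_url(tenant: str, client_id: str, redirect_uri: str) -> str:
    """Build a v2.0 authorize URL; `tenant` is a tenant id or the literal 'common'."""
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "scope": "openid profile"})
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}"


def constructed_token(claims: dict) -> str:
    # Unsigned token for this offline demo only (alg "none"); never accept one in production.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


TENANT_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder tenant id
SAMPLE_TOKEN = constructed_token({"iss": f"{AUTHORITY}/{TENANT_ID}/v2.0", "tid": TENANT_ID, "sub": "user"})

if __name__ == "__main__":
    tid = tenant_from_id_token(SAMPLE_TOKEN)
    print("/common sign-in resolved to tenant:", tid)
    print("tenant-scoped URL:", authorize_url(tid, "client-id-placeholder", "https://app.example/auth"))
```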
