21 August 2019

Leveraging terms of use and entitlements for greater gateway security

Written by David Guest

Make your terms of use more than just a tick-box exercise and gain real security through the use of entitlements.

I do solemnly swear that I am up to no good!

Not exactly a terms of use agreement, but all the same, these conditions must be accepted before being permitted to use the Marauder's Map in the wizarding world of Harry Potter.

Similarly, as part of good identity governance, users accessing an IT system have to accept certain conditions before they can proceed.

Terms of Use: The path to acceptance

When we use services at work, we do so with the understanding that we will behave accordingly. With Windows workstations linked to an AD domain, an interactive message can be displayed on the screen before a user logs in.

Now, everybody knows that the user will, of course, read and understand this every day and pay close attention to the instruction.

Or perhaps not.

This sort of message is useful but doesn’t actually ensure that the user has read the message, nor does it identify the user and when they agreed to the terms.

Within the Azure environment we can use the ‘Terms of Use’ configuration to ensure that each user is shown the terms and has to agree to them before they can access the services. The date and time of the agreement are then stored, so the user can be asked to repeat the approval each year.

The ability to do this does require an Azure AD Premium 2 license (or any of the other suites that include it) but with that in place the configuration of the terms of use is very straightforward.

The terms need to be named and uploaded as a PDF, and then a set of parameters needs to be configured. These parameters decide whether the user MUST expand the terms of use before accepting, whether they have to accept on each different device they use, and whether the consent expires.

The user will be asked to agree to the terms when they sign in and then again after a set number of days.

A custom conditional access policy can also be added to the terms of use to enforce that they are fully accepted before a user accesses any services.

A list of those users who have accepted or declined the terms is available from within the Azure portal.
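That portal list of who has accepted or declined is the record worth auditing regularly. The following Python is an added example, not code from the article or from ThirdSpace: it shows how a defender might work through such acceptance records offline, keeping each user's latest decision, sorting users into current, expired and declined as of a chosen date, and flagging an agreement whose settings weaken the value of the consent record (no requirement to expand the terms, no re-acceptance frequency). The field names follow the Microsoft Graph termsOfUse agreement and agreementAcceptance resources; the agreement id, users and timestamps are constructed sample data, and per-device acceptance (which would key records on user and device) is left out.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the article). Field names follow the Graph
# termsOfUse agreement / agreementAcceptance resources; values are invented.
AGREEMENT = {
    "id": "00000000-0000-0000-0000-00000000000a",   # placeholder id
    "displayName": "Acceptable Use Policy",
    "isViewingBeforeAcceptanceRequired": True,   # user must expand the PDF first
    "isPerDeviceAcceptanceRequired": False,      # one consent covers all devices
    "userReacceptRequiredFrequency": "P365D",    # ask again after a year
}

ACCEPTANCES = [
    # One record per decision; a user can have several, newest not guaranteed first.
    {"userPrincipalName": "alice@example.com", "state": "accepted",
     "recordedDateTime": "2019-01-10T09:00:00Z", "expirationDateTime": "2020-01-10T09:00:00Z"},
    {"userPrincipalName": "bob@example.com", "state": "accepted",
     "recordedDateTime": "2018-02-01T10:00:00Z", "expirationDateTime": "2019-02-01T10:00:00Z"},
    {"userPrincipalName": "bob@example.com", "state": "declined",
     "recordedDateTime": "2019-08-01T12:00:00Z", "expirationDateTime": None},
    {"userPrincipalName": "carol@example.com", "state": "accepted",
     "recordedDateTime": "2018-06-01T08:30:00Z", "expirationDateTime": "2019-06-01T08:30:00Z"},
    {"userPrincipalName": "dave@example.com", "state": "declined",
     "recordedDateTime": "2019-03-01T15:00:00Z", "expirationDateTime": None},
    {"userPrincipalName": "dave@example.com", "state": "accepted",
     "recordedDateTime": "2019-08-15T11:00:00Z", "expirationDateTime": "2020-08-15T11:00:00Z"},
]


def parse_graph_time(value):
    """Parse a Graph-style ISO 8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_per_user(acceptances):
    """Keep only each user's most recent decision (a later decline overrides an accept)."""
    latest = {}
    for record in acceptances:
        upn = record["userPrincipalName"].lower()
        current = latest.get(upn)
        if current is None or (parse_graph_time(record["recordedDateTime"])
                               > parse_graph_time(current["recordedDateTime"])):
            latest[upn] = record
    return latest


def audit_acceptances(acceptances, now):
    """Sort users into current / expired / declined as of `now` (aware datetime or 'Z' string)."""
    if isinstance(now, str):
        now = parse_graph_time(now)
    report = {"current": [], "expired": [], "declined": []}
    for upn, record in latest_per_user(acceptances).items():
        if record["state"] == "declined":
            report["declined"].append(upn)
            continue
        expires = parse_graph_time(record.get("expirationDateTime"))
        if expires is not None and expires <= now:
            report["expired"].append(upn)       # consent lapsed; user will be re-prompted
        else:
            report["current"].append(upn)
    return {bucket: sorted(users) for bucket, users in report.items()}


def check_agreement_settings(agreement):
    """Configuration weaknesses to fix before relying on the consent record as evidence."""
    findings = []
    if not agreement.get("isViewingBeforeAcceptanceRequired"):
        findings.append("users can accept without expanding the terms")
    if not agreement.get("userReacceptRequiredFrequency"):
        findings.append("no re-acceptance frequency set, so consent never expires")
    return findings


if __name__ == "__main__":
    as_of = datetime(2019, 8, 21, tzinfo=timezone.utc)
    print(check_agreement_settings(AGREEMENT) or "agreement settings look fine")
    for bucket, users in audit_acceptances(ACCEPTANCES, as_of).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Run against the sample as of 21 August 2019, the audit reports alice and dave as current, carol as expired and bob as declined, because only the newest record per user counts; the same logic applies to a live export once the records are pulled from the Graph acceptances endpoint.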

Once a user has accessed the services, they may be eligible to apply for additional privileges or access to applications or roles.

These are served through entitlements and are part of the same identity governance.

Once an entitlement is configured by adding roles, applications or groups, then a user can request access by going to a specific web site.

The user will be asked to provide a justification for the request before it goes through any approval.

Once a request has been made, its progress can be monitored through the same web pages.

Once processed, the user is automatically added to the relevant applications, groups or roles that are included in the access package.

Entitlements therefore let a user request additional access and have it granted in a straightforward manner, with or without approval, and that access can then be removed automatically after a set period of time.
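The request, approval and time-limited lifecycle described above can be reasoned about as a small policy evaluation. The Python below is an added example, not code from the article, ThirdSpace or Microsoft: it validates a request against a policy that requires a justification, routes it to an approver or auto-approves it, computes when an assignment delivered on a given date should be removed, and lists assignments that are past that date. The policy and assignment objects are constructed, simplified stand-ins (the expiration pattern borrows Graph's afterDuration / afterDateTime / noExpiration naming, but the objects are not verbatim Graph resources), and the users and dates are sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample policy and assignments (not from the article); simplified
# stand-ins for an access package assignment policy and its assignments.
POLICY = {
    "accessPackage": "Finance Reporting Tools",
    "requireJustification": True,
    "isApprovalRequired": True,
    "expiration": {"type": "afterDuration", "duration": "P90D"},  # ISO 8601 duration
}

ASSIGNMENTS = [
    {"userPrincipalName": "alice@example.com", "startDateTime": "2019-04-01T00:00:00Z"},
    {"userPrincipalName": "bob@example.com", "startDateTime": "2019-08-01T00:00:00Z"},
]


def parse_graph_time(value):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_duration(duration):
    """Parse the week/day subset of ISO 8601 durations used here ('P90D', 'P2W', 'P1W3D')."""
    match = re.fullmatch(r"P(?:(\d+)W)?(?:(\d+)D)?", duration)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration: {duration}")
    weeks, days = (int(group) if group else 0 for group in match.groups())
    return timedelta(weeks=weeks, days=days)


def validate_request(policy, request):
    """Problems that block a request before it ever reaches an approver."""
    problems = []
    if policy["requireJustification"] and not request.get("justification", "").strip():
        problems.append("justification required")
    if request.get("accessPackage") != policy["accessPackage"]:
        problems.append("request targets a different access package")
    return problems


def route_request(policy, request):
    """'rejected', 'pendingApproval' or 'autoApproved' depending on policy and request."""
    if validate_request(policy, request):
        return "rejected"
    return "pendingApproval" if policy["isApprovalRequired"] else "autoApproved"


def assignment_end(policy, start):
    """When an assignment delivered at `start` should be removed; None if it never expires."""
    expiration = policy["expiration"]
    if expiration["type"] == "afterDuration":
        return parse_graph_time(start) + parse_duration(expiration["duration"])
    if expiration["type"] == "afterDateTime":
        return parse_graph_time(expiration["endDateTime"])
    return None  # noExpiration


def due_for_removal(policy, assignments, now):
    """Users whose assignment end date has passed as of `now` (aware datetime or 'Z' string)."""
    if isinstance(now, str):
        now = parse_graph_time(now)
    overdue = []
    for assignment in assignments:
        end = assignment_end(policy, assignment["startDateTime"])
        if end is not None and end <= now:
            overdue.append(assignment["userPrincipalName"])
    return sorted(overdue)


if __name__ == "__main__":
    request = {"accessPackage": "Finance Reporting Tools", "justification": "Quarter-end reporting"}
    print("routing:", route_request(POLICY, request))
    print("due for removal:", due_for_removal(POLICY, ASSIGNMENTS, datetime(2019, 8, 21, tzinfo=timezone.utc)))
```

With a 90-day policy, alice's assignment from 1 April 2019 ends on 30 June and is overdue on 21 August, while bob's from 1 August is still within its window; a blank justification is rejected before any approver sees it.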

A good place to start

Governance within Azure AD is based on four pillars: privileged identity management, access reviews, entitlements and terms of use.

These governing foundations are important and, when appropriately configured with the right license, can be used to audit and report on user access.

While governance is a huge subject and the Microsoft pillars only cover a portion of what’s possible, they make for a great starting point to help you get control of your identities and their access, thereby improving your overall security posture.

Next, see how you score on identity and access management, or watch our webinar on-demand to discover advanced governance controls.


About David Guest

Solution Architect and Technology Evangelist

As ThirdSpace’s Solution Architect and Technology Evangelist (yes, he knows it’s a long title), Dave has a background in IT that goes back to installing a piece of kit called a Microsoft Softcard in...

