In the world of compliance, there are differing categories of controls to help get the job done. Given a specific requirement, all may be needed to satisfy your requirements, including:
- Technical controls (e.g., auto-apply sensitivity labels based on content or location)
- Operational/Process controls (e.g., review guest access on a regular basis)
- Manual controls (e.g., end users manually agreeing to adhere to supplied guidance)
If you’re an IT administrator in charge of Microsoft Teams, your day-to-day focus is likely on the technical bits you have control over. That is to say, the backend configuration controlling how the service works for end users.
But as good as technology is, there’s often a human element to be considered. Sometimes you need to combine a technical control with an end-user manual control. This post describes a practical example of this with something you may want to consider for Microsoft Teams, particularly those of you in a regulated organization.
Microsoft Teams Terms of Use
A practical use case for a Terms of Use (ToU) is compliance and audits. Every organization wanting to regulate what is being talked about and shared in Microsoft Teams should have both technical controls in place to monitor for this (Microsoft Purview tools such as: Communication Compliance, Teams DLP, File/email and container sensitivity), but also a ToU to be read and acknowledged on a recurring basis by all users, including staff and guests, who are using Teams at their organization.
Anecdotally, many records managers often tell me, “We aren’t supposed to make business decisions in a Teams conversation” or “We shouldn’t be sharing confidential documents in Teams chats.” The technical controls I mentioned above can certainly be put in place to help mitigate the risk of it happening; however, we must ensure Microsoft Teams’ users are also aware of your guidance. Without this, your Teams users are the Achilles’ heel of your compliance strategy.
A chain is only as strong as its weakest link.
-Thomas Reid
A great way of strengthening that link is with a ToU targeted specifically for Microsoft Teams.
Disclaimer: I’m not a lawyer. Although I don’t believe a Terms of Use is necessarily legally binding, you may refer to an end-user’s acknowledgement of the Terms of Use in a court case, internal investigation, or regulatory audit as supporting evidence.
I’ve seen many methods used to communicate this type of “Teams guidance” including:
- In an org-wide email (however, this may get lost in the noise of an end-user’s inbox)
- As a news item on your intranet (however, this may get missed by those not paying attention to that communication channel)
- An attestation form built using Microsoft Forms and sent/tracked to end-users (however, it’s up to you to build the form and track who has/hasn’t responded)
- A custom solution using the Power Platform (however, it’s up to you to build and support the custom solution, which will in turn incur technical debt)
Let’s go over how to provide your Teams users with guidance by using the Terms of Use Azure Active Directory feature built into the Microsoft 365 service.
Prerequisites
License requirements for end-users accepting the ToU include Azure AD Premium P1, P2, EMS E3, EMS E5. To configure a Terms of Use policy, you must be either a Global Administrator, Security Administrator, or Conditional Access Administrator.
The ToU feature has several helpful options built-in:
- Can apply to employees and/or guests
- Can decide how often a user must re-accept a ToU
- Can be purpose-built for a specific app (e.g., Teams, SharePoint, OneDrive) or apply to all
- Can list who has/hasn’t accepted the ToU
- Can support multilingual users
Let’s dig in.
The first thing to do is create your ToU. For the purposes of this post I’ll create a Microsoft Teams ToU, but you could create a common one to address all your communication channels, multiple ToUs to target different groups of users (employees or guests), or a separate one for each app. In all cases, engage your legal, risk, and compliance teams for the right wording of your ToU. Here’s the sample Teams ToU:
Step 1: Create Your Terms of Use
I want acceptance of this Teams ToU to be required for employees and guests before gaining access to Teams. I also want it to be displayed to users on a recurring schedule – once every quarter.
Adding the above ToU into a tenant is done in the Azure portal. Navigate to Azure Active Directory -> Security -> Conditional Access -> Terms of Use. For this example, I uploaded the above PDF and configured these settings:
- Language of English
- Display name of “NexNovus Teams Terms of Use” for end users to see
- Require users to expand the ToU so they are encouraged to read it
- Expire the ToU consent by starting immediately and re-accepting every quarter (i.e. 90 days)
Step 2: Create a Conditional Access Policy
To enforce your ToU, a conditional access policy is required. For our ToU, I want it to apply to internal users and guests when they access Microsoft Teams, so I’ll select the Custom policy option.
This will take you to the Conditional Access screen shown below to create a new Conditional Access policy. Alternatively, you can use one of the built-in templates; however, for this example, I want to target only Microsoft Teams, so I’ll create a custom one:
I give the conditional access policy a name and then make the following assignments:
- User or workload identities the policy applies to (internal users, external users, guests)
- Cloud apps or actions the policy applies to (Teams)
- Access controls (associate our Teams ToU here)
Users or Workload Identities
I want this ToU to apply to guests, external users, and to the two users on my tenant:
Cloud Apps or Actions
I want this ToU to apply to Microsoft Teams only; however, this is how you could have different ToUs for each type of cloud app if desired (Exchange, SharePoint, OneDrive) as a reminder to staff of the compliance controls you’re wanting to enforce:
Grant Access Controls
This is where I associate the NexNovus Microsoft Teams Terms of Use to the Conditional Access policy. Access to Microsoft Teams will only be granted once the ToU has been accepted.
Last, but not least, enable the policy:
What does the end-user see?
The next time I sign into Teams, this is what I’ll see:
When you expand the Terms of Use, you will see the PDF you uploaded:
I now can access Microsoft Teams and will be prompted with the ToU again after 90 days. Brilliant!
Monitoring Your Microsoft Teams Terms of Use
Administrators and compliance roles in your organization may want to monitor who has/hasn’t accepted the ToU. This can be done in the Terms of Use section of Conditional Access by selecting the ToU. Below is an audit of when the ToU was accepted and when it will expire. You can also see exactly which version of the ToU was accepted if that was ever called into question:
Closing Thoughts
Terms of Use is a fantastic tool for compliance because it’s integrated into the flow of work and is a recurring reminder to end users of your expectations on what they should and shouldn’t be doing in the app.
Looking for more extensive Microsoft Teams management solutions? Request a demo for AvePoint’s Microsoft Teams Admin & Management solutions today!
