This chapter covers Terms of Use and Authentication Strengths, two critical Conditional Access controls in Microsoft Entra ID. These features allow organizations to enforce user consent and specify required authentication methods for accessing sensitive resources. On the SC-900 exam, this topic appears in roughly 5-10% of questions, typically as part of Conditional Access policies or identity protection scenarios. You will need to understand how to create, manage, and enforce Terms of Use, and how Authentication Strengths define the minimum level of authentication assurance required for a given resource.
Jump to a section
Think of authentication strengths as different levels of security at a nightclub. A bouncer (the authentication system) checks IDs at the door. A 'basic' check is just seeing if the ID looks valid—this is like a password-only login. A 'strong' check uses an ID scanner that verifies the hologram and checks against a database—this is like password + SMS code (MFA). An 'even stronger' check uses a biometric hand scanner after ID scan—this is like password + authenticator app + fingerprint (Phish-Resistant MFA). Now, Terms of Use are like the club's rules posted on the wall: 'No hats, no backpacks, no photos.' The bouncer makes you read and agree before entering. After you agree, you can enter—but if you cause trouble, the bouncer can kick you out and revoke your agreement. In Entra ID, Terms of Use are presented to users during sign-in, and they must accept before accessing resources. Administrators can require re-acceptance periodically or after policy changes. Authentication Strengths control which authentication methods are acceptable for a given resource—e.g., the CFO's financial app might require 'Phish-Resistant MFA' (like FIDO2 keys) while the cafeteria app allows just password. This is like having a VIP section that requires extra checks beyond the main entrance.
What are Terms of Use?
Terms of Use in Microsoft Entra ID are custom documents (PDF, text, or HTML) that organizations can present to users during sign-in. Users must accept the terms before accessing the application or resource. This is commonly used for legal compliance, such as requiring acknowledgment of privacy policies, acceptable use policies, or consent to data handling. Administrators can create multiple terms of use, each with its own display name, document, and requirements.
How Terms of Use Work Internally
When a user signs in and is directed to a Conditional Access policy that requires Terms of Use, the following sequence occurs:
The user authenticates (enters credentials).
Conditional Access evaluates the policy and determines that Terms of Use must be presented.
The user is redirected to the Terms of Use page, which displays the document.
The user must click 'Accept' to proceed. The acceptance is recorded in the user's audit log and stored as a consent grant.
If the user declines, access is denied.
Subsequent sign-ins check if the user has already accepted the specific version of the terms. If yes, the terms are not shown again unless the administrator requires re-acceptance.
Key properties of a Terms of Use object: - Name: A unique identifier for the terms. - Display name: Shown to users. - Document: The actual terms file (PDF, DOCX, or HTML). - Require re-acceptance: Can be set to expire after a specific number of days, or the user can be required to re-accept every time they sign in. - Require consent per user: When enabled, each user must accept individually. - Block access if declined: If enabled, users who decline are blocked from accessing the resource. - Conditional Access policy: The terms are assigned to one or more Conditional Access policies.
Creating Terms of Use via Portal and PowerShell
Portal:
Navigate to Microsoft Entra admin center > Protection > Conditional Access > Terms of use.
Click 'New terms'.
Upload the document, set name, display name, and configure expiration and re-acceptance settings.
Assign to a Conditional Access policy.
PowerShell: Use the Microsoft Graph PowerShell module. Example:
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$termsOfUse = New-MgIdentityConditionalAccessAuthenticationContextClassReference -DisplayName "My Terms" -Description "Acceptable Use Policy" -IsAvailable $trueWhat are Authentication Strengths?
Authentication Strengths (also called Authentication Context) allow administrators to define a minimum set of authentication methods required to access a resource. Instead of just requiring MFA, you can specify which types of MFA are acceptable. For example, you can require 'Phish-Resistant MFA' (FIDO2 keys or Windows Hello for Business) for highly sensitive apps, while allowing 'Password + SMS' for less sensitive ones.
Authentication Strengths are built-in or custom. Built-in strengths include: - MFA: Requires any combination of MFA methods (password + SMS, password + authenticator app, etc.). - Passwordless MFA: Requires passwordless methods like Windows Hello for Business, FIDO2, or Microsoft Authenticator. - Phish-Resistant MFA: Requires methods that are resistant to phishing, such as FIDO2 security keys or certificate-based authentication.
How Authentication Strengths Work
Authentication Strengths are evaluated during Conditional Access policy evaluation. The process:
User attempts to access a resource protected by a Conditional Access policy.
The policy specifies an Authentication Strength requirement (e.g., 'Phish-Resistant MFA').
Entra ID checks the user's current authentication session context. If the user has already authenticated with a method that meets the required strength, access is granted.
If the current authentication is insufficient, the user is prompted to provide additional authentication. The allowed methods are filtered to only those that meet the required strength.
The authentication strength is recorded in the sign-in logs.
Creating Custom Authentication Strengths
Administrators can create custom Authentication Strengths by combining allowed authentication methods. For example, you might create a custom strength called 'High Security' that requires FIDO2 or certificate-based authentication, but not SMS.
Portal:
Microsoft Entra admin center > Protection > Authentication methods > Authentication strengths.
Click 'New authentication strength'.
Provide a name and description.
Select the allowed authentication methods from the list (e.g., FIDO2 security key, Windows Hello for Business, Microsoft Authenticator).
Save.
PowerShell:
$params = @{
displayName = "High Security"
description = "Requires FIDO2 or WHfB"
allowedCombinations = @("fido2", "windowsHelloForBusiness")
}
New-MgPolicyAuthenticationStrengthPolicy -BodyParameter $paramsIntegration with Conditional Access
Both Terms of Use and Authentication Strengths are used within Conditional Access policies. A single policy can include both a Terms of Use requirement and an Authentication Strength requirement. For example, a policy might require:
Grant control: Require Terms of Use (accept the NDA) AND require Phish-Resistant MFA.
Default Values and Timers
Terms of Use re-acceptance: Can be set to expire after a specific number of days (e.g., 30, 90, 365). Default is no expiration.
Authentication Strength: No default; administrator must define.
Session token lifetime: When Authentication Strength is enforced, the session token's authentication context is valid for the session duration (default 8 hours for modern authentication).
Interaction with Related Technologies
Conditional Access: Both features are grant controls in Conditional Access policies.
Identity Protection: Risk-based policies can also require MFA, but Authentication Strengths provide finer granularity.
Entra ID External Identities: Terms of Use can be presented to guest users.
Microsoft Graph: Both can be managed via Graph API.
Verification and Monitoring
Sign-in logs: Check 'Authentication requirement' field to see which strength was applied.
Audit logs: Terms of Use acceptance events are logged.
PowerShell: Use Get-MgPolicyAuthenticationStrengthPolicy to list strengths.
Exam Notes
Terms of Use documents can be PDF, DOCX, or HTML. Maximum file size is 35 KB.
Authentication Strengths are evaluated after initial authentication, during the grant step.
Built-in strengths cannot be modified, but you can create custom ones.
When a user declines Terms of Use, access is blocked (if configured).
Authentication Strengths are not the same as MFA registration; they are requirements for access.
Common Configurations
Terms of Use for GDPR: Present privacy policy to all users in EU region.
Authentication Strength for Admin Roles: Require Phish-Resistant MFA for Global Administrators.
Combined: Vendor access to financial system requires accepting terms and using FIDO2 key.
Create Terms of Use Document
Administrator uploads a PDF, DOCX, or HTML file (max 35 KB) to Microsoft Entra ID. The document is stored in Azure storage and assigned a unique ID. The administrator sets display name, requires re-acceptance period (e.g., 90 days), and whether to block access if declined. This step is done in the Entra admin center under Conditional Access > Terms of use.
Assign to Conditional Access Policy
The Terms of Use object is selected as a grant control in a Conditional Access policy. The policy defines which users, groups, applications, and conditions trigger the terms. For example, all users accessing the HR portal must accept the 'Employee Handbook' terms. The policy is saved and enabled.
User Sign-In and Terms Presentation
When a user signs in to an application covered by the policy, Conditional Access evaluates the policy. If the user has not accepted the terms (or acceptance has expired), the user is redirected to the Terms of Use page. The document is displayed inline. The user must click 'Accept' or 'Decline'. If 'Accept', a consent record is created with timestamp and version hash.
Authentication Strength Evaluation
Separately, the Conditional Access policy may also require a specific Authentication Strength. During sign-in, Entra ID checks the user's current authentication methods. If the user has not yet authenticated with a method meeting the required strength, they are prompted to provide additional authentication. The allowed methods are filtered to those that satisfy the strength (e.g., only FIDO2 if 'Phish-Resistant' is required).
Access Granted or Denied
If both the Terms of Use acceptance and Authentication Strength requirements are met, the user is granted access to the resource. If either fails (e.g., user declines terms, or cannot provide required authentication method), access is denied. The sign-in log records the result, including which grant controls failed.
Enterprise Scenario 1: Healthcare Compliance
A hospital network must ensure that all employees accessing patient records have read and agreed to the HIPAA privacy policy annually. They create a Terms of Use document containing the policy and assign it to a Conditional Access policy targeting all users accessing the Electronic Health Records (EHR) application. The policy requires re-acceptance every 365 days. Additionally, to comply with security standards, they require Phish-Resistant MFA (FIDO2 keys) for EHR access. They create a custom Authentication Strength called 'HIPAA Access' that allows only FIDO2 and Windows Hello for Business. The Conditional Access policy uses both grant controls. In production, this works well but requires user training on FIDO2 keys. A common issue is users losing their security key, requiring a temporary exception policy. Performance is not impacted because terms are served from Azure's CDN.
Enterprise Scenario 2: Contractor Access
A large corporation onboards external contractors who need access to a limited set of internal tools. To ensure contractors agree to the company's acceptable use policy, they create a Terms of Use document specific to contractors. They assign it to a Conditional Access policy that applies only to guest users (external identities) accessing the contractor portal. They set the terms to require re-acceptance every 30 days. Additionally, they require MFA (any method) for these contractors. The Authentication Strength is set to 'MFA' (built-in). A misconfiguration scenario: if the Terms of Use is not assigned to the correct policy, contractors might bypass the consent step. Monitoring via sign-in logs helps detect such gaps.
Enterprise Scenario 3: Financial Services
A bank uses Authentication Strengths to enforce tiered access. For online banking customers, they require MFA (SMS or authenticator app). For internal employees accessing the core banking system, they require Phish-Resistant MFA. They create two Conditional Access policies: one for customers with built-in 'MFA' strength, and one for employees with custom 'Banking Internal' strength requiring FIDO2. Terms of Use are used for employees to accept a code of conduct annually. A common problem is that users with older phones cannot use FIDO2, so the bank issues hardware security keys. Misconfiguring the Authentication Strength could allow employees to use SMS, which is less secure. Regular audits of sign-in logs ensure compliance.
What SC-900 Tests
The SC-900 exam covers Terms of Use and Authentication Strengths under objective 'Describe the capabilities of Microsoft Entra ID' (part of Domain 2: Identity Access). Specifically, you need to know:
The purpose of Terms of Use (legal compliance, user consent).
How to create and assign Terms of Use via Conditional Access.
The concept of Authentication Strengths as a Conditional Access grant control.
The difference between built-in and custom Authentication Strengths.
Which authentication methods satisfy each built-in strength.
Common Wrong Answers
Confusing Terms of Use with Azure AD Identity Protection: Candidates often think Terms of Use are used for risk-based policies. Actually, Terms of Use are for consent, not risk. Identity Protection handles risky sign-ins.
Thinking Authentication Strengths replace MFA: They don't replace MFA; they specify which MFA methods are acceptable. A common wrong answer says 'Authentication Strengths require MFA' — they require a specific level, not just any MFA.
Believing Terms of Use can be enforced without Conditional Access: Terms of Use must be assigned to a Conditional Access policy. Without that, they are not presented to users.
Assuming built-in Authentication Strengths can be modified: They cannot. You must create custom strengths if you need different combinations.
Specific Numbers and Terms on the Exam
Terms of Use file size limit: 35 KB.
Supported file types: PDF, DOCX, HTML.
Built-in Authentication Strengths: 'MFA', 'Passwordless MFA', 'Phish-Resistant MFA'.
Authentication Strengths are a 'Grant' control in Conditional Access (not a condition).
Terms of Use are also a 'Grant' control.
Edge Cases and Exceptions
If a user has multiple active sessions, Terms of Use acceptance applies per session.
Authentication Strength is evaluated at sign-in, not continuously. If a user's session is still valid but the policy changes, they may not be prompted until re-authentication.
Guest users can also be required to accept Terms of Use.
If a user declines Terms of Use, they are blocked only if 'Block access if declined' is enabled. By default, they can decline and still access if the policy doesn't block.
How to Eliminate Wrong Answers
If a question mentions 'user consent' or 'legal agreement', the answer likely involves Terms of Use.
If a question asks about 'minimum authentication method strength', think Authentication Strengths.
If an option says 'Terms of Use can be used without Conditional Access', eliminate it — they require a policy.
If an option says 'Authentication Strengths can be assigned directly to users', eliminate — they are assigned via Conditional Access policies.
Terms of Use require a Conditional Access policy to be enforced.
Maximum file size for Terms of Use is 35 KB; supported formats are PDF, DOCX, HTML.
Built-in Authentication Strengths: MFA, Passwordless MFA, Phish-Resistant MFA.
Custom Authentication Strengths allow combining specific methods like FIDO2 and Windows Hello.
Authentication Strengths are grant controls in Conditional Access, not conditions.
Users must accept Terms of Use per session unless re-acceptance is configured.
Both features are managed in Microsoft Entra admin center under Protection > Conditional Access.
These come up on the exam all the time. Here's how to tell them apart.
Terms of Use
Used for legal consent and policy acknowledgment.
Presented as a document that users must accept.
Configured independently and assigned to Conditional Access policies.
Supports re-acceptance expiration (e.g., 90 days).
Block access if declined (optional).
Authentication Strengths
Used to enforce minimum authentication method requirements.
Defines which authentication methods are acceptable (e.g., FIDO2 only).
Built-in or custom, assigned via Conditional Access grant control.
No expiration; evaluated at each sign-in based on session context.
Cannot block access directly; access is denied if user cannot meet strength.
Mistake
Terms of Use are automatically presented to all users during sign-in.
Correct
Terms of Use are only presented when assigned to a Conditional Access policy that applies to the user and application. Without a policy, users never see them.
Mistake
Authentication Strengths are the same as MFA registration.
Correct
Authentication Strengths define the required authentication methods for access, not which methods a user has registered. Users must have registered at least one method that meets the strength.
Mistake
You can edit built-in Authentication Strengths like 'MFA'.
Correct
Built-in Authentication Strengths are read-only. You can only create custom strengths to specify different combinations.
Mistake
Terms of Use can be assigned directly to users without Conditional Access.
Correct
Terms of Use must be linked to a Conditional Access policy. There is no direct user assignment.
Mistake
Authentication Strengths only apply to first-factor authentication.
Correct
Authentication Strengths apply to the authentication context after initial sign-in. They are part of the grant step, not the initial credential check.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes. You can create a Conditional Access policy that targets external users (guest users) and assign a Terms of Use. This is common for B2B collaboration scenarios where guests must accept an acceptable use policy before accessing shared resources.
If the Terms of Use configuration has 'Block access if declined' enabled, the user is denied access to the resource. If not enabled, the user can decline and still proceed, but the decline is logged.
No. Authentication Strengths are only evaluated when assigned to a Conditional Access policy as a grant control. They are not standalone settings.
Check the sign-in logs in Microsoft Entra admin center. The 'Authentication requirement' field shows the strength applied (e.g., 'MFA', 'Phish-Resistant MFA').
No. SMS is considered a weaker method and is not available as a standalone option in custom strengths. You can combine it with other methods, but you cannot create a strength that requires only SMS.
There is no documented hard limit, but best practice is to keep the number manageable. Each Terms of Use object consumes storage for the document (max 35 KB each).
Yes. The strength is applied to all cloud apps selected in the Conditional Access policy. If you need different strengths for different apps, create separate policies.
You've just covered Terms of Use and Authentication Strengths — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?