Access Requests and Terms of Use
Access Requests and Terms of Use are critical components of Identity Governance in Microsoft Entra ID (formerly Azure AD), enabling organizations to manage and automate how users gain access to resources while ensuring compliance.
**Access Requests** are part of Entitlement Management in Microsoft Entra ID Governance. They allow organizations to create structured workflows for users to request access to groups, applications, and SharePoint sites. Administrators build **access packages** that bundle resources together and define policies governing who can request access, who approves it, and when access expires. Users can submit requests through the My Access portal, and designated approvers receive notifications to grant or deny access. Multi-stage approval workflows can be configured, ensuring proper oversight. Access packages also support automatic assignment based on user attributes, periodic access reviews, and expiration policies, reducing the risk of excessive or stale permissions. External users (B2B guests) can also request access, enabling secure collaboration with partners.
**Terms of Use (ToU)** policies in Microsoft Entra ID present legal disclaimers, compliance requirements, or organizational policies that users must accept before accessing resources. Administrators can create customized ToU documents in PDF format, targeting specific users, groups, or applications. Terms of Use can be integrated with Conditional Access policies, ensuring users acknowledge agreements before signing in or accessing sensitive applications. Key features include version tracking, expiration and re-acceptance schedules, and detailed audit logs showing who accepted or declined terms and when. Organizations can configure ToU to require acceptance on every device or periodically to maintain compliance.
Together, Access Requests and Terms of Use automate identity governance by ensuring users only access resources they need through proper approval channels while formally agreeing to organizational policies. This reduces security risks, supports regulatory compliance (such as GDPR or HIPAA), and provides comprehensive audit trails for governance reporting. Both features are essential for implementing a Zero Trust security model and maintaining least-privilege access across the organization.
Access Requests and Terms of Use in Identity Governance (SC-300)
Why Are Access Requests and Terms of Use Important?
In modern organizations, managing who has access to what resources is a critical security concern. Without a structured process, users may accumulate excessive permissions over time (known as privilege creep), or they may lack the access they need to be productive. Access Requests and Terms of Use are two key components of Microsoft Entra Identity Governance that help organizations strike the right balance between security and productivity.
Access Requests ensure that users follow a formal, auditable process to obtain access to resources, while Terms of Use (ToU) ensure that users acknowledge and agree to organizational policies before gaining access. Together, they form a governance framework that supports compliance, reduces risk, and provides accountability.
What Are Access Requests?
Access Requests are part of Entitlement Management in Microsoft Entra ID (formerly Azure AD). Entitlement Management allows administrators to create access packages — bundles of resources (such as group memberships, application assignments, and SharePoint Online sites) that users can request access to through a self-service portal called My Access (myaccess.microsoft.com).
Key concepts include:
• Access Packages: A collection of resources that a user can request. Each access package belongs to a catalog, which is a container for related resources and access packages.
• Policies: Each access package has one or more policies that define who can request access, who must approve it, and when access expires. Policies can target different audiences — for example, one policy for internal users and another for external (guest) users.
• Approval Workflows: Requests can be configured to require single-stage or multi-stage approval (up to three stages). Approvers can be specific users, managers of the requestor, or internal or external sponsors.
• Requestor Scope: You can configure who is allowed to request an access package: users in your directory, users from connected organizations, or all users (including external guests).
• Automatic Assignment: In addition to request-based access, access packages can be configured with automatic assignment policies based on user attributes (e.g., department = Marketing), ensuring users get access without needing to request it manually.
• Access Reviews: Access packages can include periodic access reviews to ensure that users still need the access they were granted.
• Expiration: Policies can define when access expires — on a specific date, after a number of days, or never. When access expires, the user is automatically removed from the resources in the package.
What Are Terms of Use?
Terms of Use (ToU) in Microsoft Entra ID allow organizations to present legal disclaimers, compliance requirements, or organizational policies to users before they access resources. Users must accept the terms before proceeding.
Key characteristics of Terms of Use:
• PDF-Based Documents: Terms of Use are uploaded as PDF documents. You can upload documents in multiple languages to support a global workforce.
• Conditional Access Integration: Terms of Use are enforced through Conditional Access policies. A Conditional Access policy can require users to accept specific Terms of Use before accessing an application or resource.
• Per-User Tracking: Microsoft Entra ID tracks which users have accepted or declined the Terms of Use, including timestamps. This audit trail is essential for compliance.
• Expiration and Re-acceptance: Terms of Use can be configured to expire, requiring users to re-accept them on a schedule (e.g., annually, quarterly, or monthly). You can also configure them to expire on a specific date.
• Expandable Terms: You can require users to expand the PDF before accepting, ensuring they at least open the document before agreeing.
• Multiple Terms of Use: Organizations can create different Terms of Use documents for different scenarios — for example, one for internal employees accessing sensitive applications and another for guest users.
• Reporting: Administrators can view acceptance and decline reports from the Microsoft Entra admin center under Identity Governance > Terms of Use.
How Do Access Requests and Terms of Use Work Together?
Access Requests and Terms of Use complement each other in a comprehensive governance strategy:
1. A user navigates to the My Access portal and requests an access package.
2. The access package policy may require the user to provide justification or answer requestor information questions.
3. If approval is configured, the request is routed to the designated approvers.
4. Once approved, the user gains access to the resources in the package.
5. When the user attempts to access a specific application included in the package, a Conditional Access policy may require them to accept Terms of Use before proceeding.
6. The user's acceptance is logged for compliance purposes.
7. Over time, access reviews and expiration policies ensure that access remains appropriate.
How to Configure Access Requests
1. Navigate to Microsoft Entra admin center > Identity Governance > Entitlement Management > Catalogs.
2. Create or select a catalog and add resources (groups, applications, SharePoint sites).
3. Create an access package within the catalog.
4. Define one or more policies specifying:
- Who can request (users in directory, specific connected organizations, or all users)
- Whether approval is required and who the approvers are
- Whether requestor justification is required
- Expiration settings
- Access review settings
5. Publish the access package so users can find it in My Access.
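The policy settings from step 4 can be checked after the fact. The following is an added example, not part of the original guide: a small linter for request-based assignment policies. Field names follow the Microsoft Graph accessPackageAssignmentPolicy resource; the sample policies and the `lint_policy` / `lint_all` helpers are constructed for illustration.

```python
# Added example: lint access package assignment policies for governance gaps.
# POLICIES is constructed sample data shaped like Microsoft Graph
# accessPackageAssignmentPolicy objects; it is not output from a real tenant.
EXTERNAL_SCOPES = {"allExternalUsers", "allConfiguredConnectedOrganizationUsers",
                   "specificConnectedOrganizationUsers"}
MAX_STAGES = 3  # the guide: approval supports up to three stages

POLICIES = [
    {"displayName": "Finance app - employees",
     "allowedTargetScope": "allMemberUsers",
     "requestApprovalSettings": {"isApprovalRequiredForAdd": True,
                                 "stages": [{"isApproverJustificationRequired": True}]},
     "expiration": {"type": "afterDuration", "duration": "P180D"},
     "reviewSettings": {"isEnabled": True}},
    {"displayName": "Partner SharePoint - guests",
     "allowedTargetScope": "allExternalUsers",
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
     "expiration": {"type": "noExpiration"},
     "reviewSettings": {"isEnabled": False}},
]

def lint_policy(policy):
    """Return a list of findings for one request-based assignment policy."""
    findings = []
    approval = policy.get("requestApprovalSettings") or {}
    stages = approval.get("stages") or []
    external = policy.get("allowedTargetScope") in EXTERNAL_SCOPES

    if not approval.get("isApprovalRequiredForAdd"):
        findings.append("no approval required"
                        + (" for external requestors" if external else ""))
    elif not stages:
        findings.append("approval required but no stage defined")
    if len(stages) > MAX_STAGES:
        findings.append("more than three approval stages")
    expiry = (policy.get("expiration") or {}).get("type")
    if expiry in (None, "notSpecified", "noExpiration"):
        findings.append("access never expires")
    if not (policy.get("reviewSettings") or {}).get("isEnabled"):
        findings.append("no access review")
    return findings

def lint_all(policies):
    """Map policy display name to findings, keeping only policies with gaps."""
    report = {p["displayName"]: lint_policy(p) for p in policies}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in lint_all(POLICIES).items():
        print(f"{name}: {'; '.join(found)}")
```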
How to Configure Terms of Use
1. Navigate to Microsoft Entra admin center > Identity Governance > Terms of Use.
2. Click New terms.
3. Provide a name and display name.
4. Upload the PDF document (and optionally, localized versions).
5. Configure options such as:
- Require users to expand the terms
- Require re-acceptance on a recurring schedule
- Set expiration
6. Create a Conditional Access policy that references the Terms of Use.
7. In the Conditional Access policy, under Grant, select the Terms of Use that must be accepted.
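Because a Terms of Use document only takes effect through a Conditional Access grant control (steps 6 and 7), it is worth verifying that every agreement is actually required by an enforced policy. This is an added example, not part of the original guide: field names follow the Microsoft Graph agreement and conditionalAccessPolicy resources, while the IDs, policy names and helper functions are constructed placeholders.

```python
# Added example: classify how strongly each Terms of Use agreement is enforced.
# AGREEMENTS and CA_POLICIES are constructed sample data shaped like Microsoft
# Graph "agreement" and "conditionalAccessPolicy" objects; IDs are placeholders.
AGREEMENTS = [
    {"id": "tou-employees", "displayName": "Employee acceptable use"},
    {"id": "tou-guests", "displayName": "Guest NDA"},
    {"id": "tou-pilot", "displayName": "Pilot terms"},
]
CA_POLICIES = [
    {"displayName": "Require ToU - HR app", "state": "enabled",
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"],
                       "termsOfUse": ["tou-employees"]}},
    {"displayName": "ToU or MFA - guests", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                       "termsOfUse": ["tou-guests"]}},
    {"displayName": "Pilot rollout", "state": "enabledForReportingButNotEnforced",
     "grantControls": {"operator": "AND", "builtInControls": [],
                       "termsOfUse": ["tou-pilot"]}},
]

# Ordered from weakest to strongest; an agreement gets its best status.
RANK = ["unreferenced",
        "referenced only by disabled or report-only policies",
        "optional (OR with other controls)",
        "enforced"]

def classify(agreement_id, policy):
    """Return an index into RANK for one agreement against one CA policy."""
    grant = policy.get("grantControls") or {}
    terms = grant.get("termsOfUse") or []
    if agreement_id not in terms:
        return 0
    if policy.get("state") != "enabled":
        return 1
    # Other controls counted here: built-in controls and other ToU documents.
    others = len(grant.get("builtInControls") or []) + len(terms) - 1
    if grant.get("operator") == "OR" and others > 0:
        return 2  # another control can satisfy the grant without acceptance
    return 3

def tou_enforcement(agreements, policies):
    """Map agreement display name to its strongest enforcement status."""
    return {a["displayName"]:
            RANK[max((classify(a["id"], p) for p in policies), default=0)]
            for a in agreements}

if __name__ == "__main__":
    for name, status in tou_enforcement(AGREEMENTS, CA_POLICIES).items():
        print(f"{name}: {status}")
```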
Exam Tips: Answering Questions on Access Requests and Terms of Use
The SC-300 exam tests your understanding of how to plan, implement, and manage identity governance. Here are essential tips for answering questions on these topics:
• Know the difference between Entitlement Management and Terms of Use: Entitlement Management controls who can request access to what resources and under what conditions. Terms of Use controls what users must agree to before accessing resources. They are complementary but distinct features.
• Terms of Use require Conditional Access: Remember that Terms of Use are enforced through Conditional Access policies. You cannot enforce Terms of Use without a Conditional Access policy. If a question mentions requiring users to accept terms before accessing an app, the answer will involve both a ToU and a CA policy.
• Multi-stage approvals: Entitlement Management supports up to three stages of approval. Know that each stage can have different approvers, and if no approver acts within the configured timeout, the policy determines whether to auto-approve or auto-deny.
• Connected organizations: For questions about external or guest user access, remember that connected organizations allow you to define trusted external organizations whose users can request access packages. This is key for B2B collaboration governance.
• Separation of duties: Entitlement Management supports incompatible access packages and separation of duties checks. If a question asks how to prevent a user from holding two conflicting roles, look for answers involving incompatible access packages.
• Automatic assignment vs. request-based: Understand that access packages can use automatic assignment policies based on user attributes (using rules similar to dynamic groups). If the question says users should automatically receive access based on their department, the answer is automatic assignment — not a request-based policy.
• Expiration and access reviews: Questions may test whether you understand that access can expire automatically and that access reviews can be configured to remove users who no longer need access. Know that these are separate but related concepts — expiration is time-based, while access reviews involve human or automated decision-making.
• Re-acceptance of Terms of Use: If a scenario describes a compliance requirement to have users re-accept terms periodically, the answer involves configuring the expiration and re-acceptance schedule on the Terms of Use, not creating a new ToU each time.
• Requestor information: Access packages can require users to answer custom questions when making a request. Approvers can see these answers to make informed decisions. If the exam asks how to collect justification or additional information from requestors, this is the feature.
• My Access portal: Users request access packages through myaccess.microsoft.com. This is the self-service portal — not the Azure portal and not the Microsoft Entra admin center.
• Catalogs and delegation: Catalogs allow delegation of governance to non-administrators. Catalog owners and access package managers can manage access without needing Global Administrator or Identity Governance Administrator roles. Exam questions about least-privilege delegation often involve catalog roles.
• License requirements: Entitlement Management and Terms of Use require Microsoft Entra ID P2 (or Microsoft Entra ID Governance for advanced features). If a question mentions a licensing constraint, remember that P2 is the minimum for these governance features.
• Scenario-based questions: When facing scenario-based questions, carefully identify what needs to be achieved. If the goal is to control access provisioning and deprovisioning, think Entitlement Management. If the goal is to ensure users acknowledge a policy, think Terms of Use. If both are needed, the correct answer will reference both features integrated together.
By mastering these concepts and their interrelationships, you will be well-prepared to answer SC-300 exam questions on Access Requests and Terms of Use confidently and accurately.