AD7.3 Writing the Acceptable Use Policy
Figure AD7.3 — The acceptable use policy authorizes your security controls, sets user expectations, and critically includes the monitoring disclosure that legitimises your AD5 security monitoring. Without the monitoring disclosure, reviewing sign-in logs and DLP matches may violate employee privacy expectations.
The complete Acceptable Use Policy template
ACCEPTABLE USE POLICY
[Organization Name]
Version 1.0 | Effective: [Date] | Approved by: [Name, Title]
1. PURPOSE
This policy defines acceptable use of [Organization Name]'s
information systems, including Microsoft 365, email, internet
access, and corporate devices.
2. SCOPE
All employees, contractors, and third parties who use
[Organization Name]'s information systems.
3. GENERAL USE
3.1 Corporate systems are provided for business purposes.
Limited personal use is permitted provided it does not
interfere with work duties or violate this policy.
3.2 Users are responsible for all activity on their accounts.
Do not share credentials or allow others to use your account.
3.3 Users must lock their devices when leaving them unattended.
4. DEVICE USAGE
4.1 Corporate devices must meet the organization's security
standards: current operating system, encryption enabled,
antivirus active, and firewall on.
4.2 Personal devices may access corporate email and files through
approved mobile apps with app protection policies. Full access
to M365 requires a compliant, managed device.
4.3 Do not install unauthorized software on corporate devices.
4.4 Report lost or stolen devices to IT immediately.
5. EMAIL AND COMMUNICATION
5.1 Email is for business communication. Do not use corporate
email for personal commercial activity, political campaigning,
or distribution of offensive material.
5.2 Report suspicious emails using the "Report Message" button
in Outlook. Do not forward suspicious emails to colleagues.
5.3 Do not create inbox rules that forward corporate email to
personal or external email accounts.
5.4 Email may be scanned by security tools for phishing, malware,
and data loss prevention. See Section 8.
6. DATA HANDLING
6.1 All documents and emails must be classified using sensitivity
labels. Refer to the Data Classification Policy for guidance.
6.2 Do not share Confidential or Highly Confidential information
externally without encryption and business justification.
6.3 Do not store corporate data on personal cloud storage services
(personal Dropbox, Google Drive, iCloud).
6.4 Do not copy bulk corporate data to USB drives without
authorisation from your manager.
7. INTERNET ACCESS
7.1 Internet access through corporate devices and networks is
filtered for security purposes. Malicious and inappropriate
websites are blocked.
7.2 Do not attempt to bypass security controls, including VPN
restrictions, web filters, or proxy settings.
8. MONITORING
8.1 [Organization Name] monitors the use of corporate information
systems for security, compliance, and operational purposes.
8.2 Monitoring includes: email content and metadata, sign-in
activity (location, device, time), file access and sharing,
internet usage, and security alert investigation.
8.3 Monitoring data is accessed only by authorized IT and security
staff, and only for legitimate security and compliance purposes.
8.4 Monitoring is conducted in accordance with UK data protection
legislation (UK GDPR and Data Protection Act 2018).
9. ENFORCEMENT
9.1 Violations of this policy may result in disciplinary action,
up to and including termination of employment.
9.2 Suspected criminal activity will be reported to law enforcement.
9.3 Technical controls enforce many provisions of this policy
automatically (MFA, device compliance, DLP, web filtering).
10. ACKNOWLEDGEMENT
By using [Organization Name]'s information systems, you
acknowledge that you have read, understood, and agree to comply
with this policy.
Employee name: ___________________
Signature: _______________________ Date: __________
Why Section 8 (Monitoring) is critical
Without the monitoring disclosure, your AD5 Monday review — checking sign-in logs, reviewing DLP matches, reading email threat reports — may violate employee privacy expectations under UK GDPR. The monitoring disclosure informs employees that their activity is monitored, explains why (security and compliance), and states who has access to monitoring data (authorized IT staff only).
The transparency obligation itself comes from UK GDPR (the lawfulness and transparency principle in Article 5 and the privacy information requirements in Articles 13 and 14); the ICO's employment practices guidance on monitoring workers, the successor to the older Employment Practices Code, sets out how the regulator expects it to be met, and it expects a data protection impact assessment where monitoring is likely to be high risk. The disclosure doesn't give you unlimited monitoring rights: you must still be proportionate (don't read personal emails), purpose-limited (security and compliance only), and transparent (this policy IS the transparency).
Include the monitoring disclosure in the employee onboarding process: new employees read and sign the AUP before receiving M365 access. For existing employees, distribute the AUP, require acknowledgment (electronic or physical signature), and retain the acknowledgments. The signed acknowledgments prove that employees were informed about monitoring — essential if monitoring data is ever used in a disciplinary or legal proceeding.
Integrating the AUP into employee onboarding
Add the AUP acknowledgment to your IT onboarding checklist — the same checklist that includes account creation, device provisioning, and MFA enrollment:
IT ONBOARDING CHECKLIST — SECURITY ITEMS
[ ] 1. Employee reads Acceptable Use Policy
[ ] 2. Employee signs AUP acknowledgment (physical or electronic)
[ ] 3. AUP acknowledgment filed in SecurityGovernance/Policies/Acknowledgements/
[ ] 4. M365 account created (AFTER AUP signed)
[ ] 5. MFA enrollment completed (Authenticator app)
[ ] 6. Device provisioned and enrolled in Intune
[ ] 7. Sensitivity label training: "Here are the four labels, here's when to use each"
[ ] 8. Phishing awareness: "Use the Report Message button for suspicious emails"
The sequence matters: AUP acknowledgment (steps 1-3) before account creation (step 4). The employee agrees to the monitoring disclosure before any monitoring data is collected.
For existing employees who haven't signed the AUP, distribute it with a company-wide email: "We've formalized our information security policies. Please read the attached Acceptable Use Policy and return the signed acknowledgment to IT by [date — 2 weeks from distribution]. This policy documents the security practices already in place and sets expectations for everyone using our M365 environment."
Follow up with anyone who hasn't returned the acknowledgment by the deadline. For persistent non-returns, escalate to their manager: "Employee [name] hasn't returned their AUP acknowledgment. This is required for our security program compliance. Please ask them to return it by [new date]."
Annual AUP re-acknowledgment
Require annual re-acknowledgment of the AUP — either on the policy anniversary or at a consistent date each year (January is common). This serves two purposes: it refreshes employees' awareness of the policy contents (they have to read it again), and it ensures new provisions from the annual review are acknowledged by all employees.
For electronic acknowledgment, use a simple Microsoft Form:
Title: "Annual Acceptable Use Policy Acknowledgement — 2026"
Content: Link to the current AUP document + statement: "I confirm that I have read and understood the Acceptable Use Policy version [X], effective [date]. I agree to comply with all provisions of this policy."
Fields: Name, Department, Date, Checkbox: "I acknowledge and agree."
Send the Form link to all employees with a 2-week deadline. Track responses in the Form results. Follow up with non-responders. File the response export in the governance document library alongside the policy.
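The tracking step is where annual acknowledgement programmes usually fall over: the Forms export tells you who responded, not who didn't. The script below is an added example and not part of the course. It reconciles the Forms export against enabled member accounts in Entra ID and writes the non-responder list for the follow-up. It assumes Microsoft Graph PowerShell, an export saved as Acknowledgements-2026.csv, and the column names shown in the comments; check those against your own export before running it.

```powershell
# Added example, not from the course. Reconciles the Microsoft Forms response
# export for the annual AUP acknowledgement against enabled member accounts.
# Assumptions: Microsoft Graph PowerShell is installed and connected
# (Connect-MgGraph -Scopes "User.Read.All"); the export is a CSV with the
# columns "Email", "Completion time" and the choice question
# "I acknowledge and agree." (restricting the form to your organisation is
# what makes the Email column appear). Adjust the names to your export.

$responsesCsv  = '.\Acknowledgements-2026.csv'   # assumed export filename
$reportCsv     = '.\AUP-NonResponders-2026.csv'  # output for the chase-up
$policyVersion = '1.1'                           # assumed current AUP version

$responses = Import-Csv -Path $responsesCsv

# Keep only responses where the consent choice was actually selected. Forms
# exports the selected option text, so an unticked choice is an empty cell.
$acknowledged = @{}
foreach ($r in $responses) {
    $email = ($r.Email -as [string]).Trim().ToLower()
    if ($email -and $r.'I acknowledge and agree.' -match 'acknowledge') {
        # A later response from the same person overwrites an earlier one
        $acknowledged[$email] = $r.'Completion time'
    }
}

# Everyone who must sign: enabled member accounts. Guests are out of scope
# of the AUP acknowledgement and are excluded by userType.
$users = Get-MgUser -All `
    -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property DisplayName,UserPrincipalName,Mail,Department

$results = foreach ($u in $users) {
    # Forms records the signed-in address, normally Mail; fall back to the UPN
    $key = if ($u.Mail) { $u.Mail.ToLower() } else { $u.UserPrincipalName.ToLower() }
    [pscustomobject]@{
        DisplayName   = $u.DisplayName
        Email         = $key
        Department    = $u.Department
        PolicyVersion = $policyVersion
        Acknowledged  = $acknowledged.ContainsKey($key)
        CompletedAt   = $acknowledged[$key]
    }
}

$nonResponders = $results | Where-Object { -not $_.Acknowledged }

# One-line summary for the governance record, per-person list for the chase-up
$total = @($results).Count
$done  = $total - @($nonResponders).Count
"AUP v$policyVersion acknowledgement: $done of $total users ({0:P0})" -f ($done / [math]::Max($total, 1))

$nonResponders |
    Sort-Object Department, DisplayName |
    Select-Object DisplayName, Email, Department |
    Export-Csv -Path $reportCsv -NoTypeInformation

# Group by department so each manager gets one escalation message, not several
$nonResponders | Group-Object Department | ForEach-Object {
    "{0}: {1} outstanding - {2}" -f $_.Name, $_.Count, (($_.Group.DisplayName) -join ', ')
}
```

File the full `$results` set alongside the policy rather than only the non-responder list: the per-user Acknowledged flag and completion time are the evidence you will need if monitoring data is later used in a disciplinary or legal proceeding. Service accounts that are enabled members will appear as non-responders; exclude them by department or naming convention in the filter if that is noise for you.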
Handling policy exceptions
Some employees or teams may need exceptions to specific AUP provisions. Common examples: the CEO needs to access M365 from unmanaged devices while traveling (exception to Section 4.2), a research team needs to access blocked website categories (exception to Section 7.1), or a contractor needs to forward corporate email to their company's system (exception to Section 5.3).
Handle exceptions formally: the employee requests the exception in writing, their manager approves, you assess the security impact, and the exception is documented in the compliance exception register (AD3.7). Every exception has an expiration date and a quarterly review. Where a technical control enforces the provision, the exception also has to be reflected in that control, or it will keep being enforced regardless of the paperwork (a contractor's approved external forwarding, for example, needs an exception condition on the transport rule that blocks auto-forwarding, or the rule will reject it). This process, request, approve, document, expire, review, demonstrates that exceptions are controlled, not arbitrary.
AUP enforcement in practice
The AUP states requirements. Technical controls enforce most of them automatically (MFA, device compliance, DLP, web filtering). But some provisions require human enforcement:
Section 3.2 — "Do not share credentials." Technical controls can't detect verbal credential sharing. But if you discover shared credentials during an incident (one account signing in from two devices or locations at the same time, or a user admitting they gave their password to a colleague), reference the AUP. The policy provides the authority for the corrective conversation.
Section 5.3 — "Do not create forwarding rules to external addresses." Technical controls CAN enforce this: in Exchange Online you can reject auto-forwarded messages leaving the organisation. Navigate to Exchange admin → Mail flow → Rules and create a rule that blocks external forwarding, or in PowerShell:
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline)
New-TransportRule -Name "Block External Auto-Forwarding" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "External email forwarding is blocked per the Acceptable Use Policy. Contact IT if you need to forward to an external address."
This transport rule enforces Section 5.3 technically. Be precise about what it does: the user can still create the inbox rule, but every message that rule (or mailbox-level forwarding) sends to an external address is rejected, and the user receives a non-delivery report containing the text above. It does not stop someone manually forwarding an individual message. Exchange Online Protection's outbound spam filter policy also governs automatic forwarding, and its default setting ("Automatic - System-controlled") already blocks it; the transport rule adds a rejection that names the policy and points the user at IT, which is what turns a silent block into enforcement of the AUP. The AUP sets the expectation; the transport rule enforces it.
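Before the rule goes live, find out who is already forwarding externally so you can contact them and register any approved exceptions in the register (AD3.7) instead of silently breaking a workflow. The script below is an added example, not code from the course. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and treats any domain that is not one of the tenant's accepted domains as external.

```powershell
# Added example, not from the course. Inventories existing external
# forwarding (mailbox-level and inbox-rule) before the transport rule goes
# live. Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline)
# with a role that can read recipients and inbox rules.

# Domains the tenant owns; any other domain counts as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox rule recipients render as 'Name [SMTP:user@example.com]';
    # ForwardingSmtpAddress renders as 'smtp:user@example.com'.
    if ($Address -match '[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)') {
        return ($internalDomains -notcontains $Matches[1].ToLower())
    }
    # No SMTP address in the string (an internal directory object): not external.
    return $false
}

# Shared mailboxes can carry forwarding too, so include them.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

$findings = foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding (set via Outlook settings or by an admin)
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Source  = 'MailboxForwarding'
            Rule    = 'ForwardingSmtpAddress'
            Target  = $mbx.ForwardingSmtpAddress
        }
    }
    # 2. Inbox rules that forward, forward as attachment, or redirect
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } |
            ForEach-Object { $_.ToString() }
        foreach ($target in $targets) {
            if (Test-ExternalAddress $target) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Source  = 'InboxRule'
                    Rule    = $rule.Name
                    Target  = $target
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\ExternalForwarding.csv -NoTypeInformation

# Tenant-wide setting that also governs auto-forwarding: 'Automatic' (the
# default) and 'Off' both block it; 'On' allows it and leaves the transport
# rule as the only control.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

Get-InboxRule is called once per mailbox, so on a large tenant this takes a while; run it once before enforcement and keep the CSV with the exception register. Anything in the output that survives the conversation with its owner becomes a documented exception with an expiry date; everything else is cleaned up before the transport rule is enabled, so the first rejections users see are the ones you intended.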
Section 6.4 — "Do not copy bulk data to USB." On E3 you have a blunt control and no fine-grained one: an Intune device restriction profile can block removable storage on Windows devices entirely, but nothing short of Endpoint DLP (E5) can audit or block a copy based on what the file contains or how much is being copied. If blocking USB outright isn't workable for your organisation, the AUP makes bulk copying a policy violation: if it's discovered during an incident investigation or audit, you have the policy authority to address it. If this is a significant risk for your organization, it strengthens the case for E5 Endpoint DLP (AD7.9).
Remote and hybrid worker considerations
If your organization has remote workers, the AUP should address their specific situation. Section 4 (Device Usage) already covers managed vs personal devices. Add considerations for home working environments:
Home network security. "Users working from home should ensure their home WiFi network uses WPA2 or WPA3 encryption with a strong password. Open or public WiFi networks should not be used for corporate work without a VPN." This can't be technically enforced, but the policy sets the expectation.
Physical security. "Lock your device when stepping away, even at home. Do not leave corporate devices in vehicles or public places." The same physical security expectation as the office, extended to the home environment.
Shared devices. "Do not access corporate systems from shared or public computers (hotel business centres, library computers, family shared devices). Use only your assigned corporate device or your personal device with app protection policies." This IS enforceable via conditional access — CA003 blocks unmanaged devices from full access.
An employee objects to the monitoring disclosure: "You're reading my emails? That's an invasion of privacy." How do you respond?
Option A: "We don't read your personal emails — monitoring is automated and focuses on security threats like phishing and data loss."
Option B: "Monitoring is conducted for security purposes — to detect phishing attacks, prevent data breaches, and protect everyone's accounts. Automated tools scan for threats (phishing URLs, malware, sensitive data leaving the organization). Human review occurs only when a security alert is triggered — we don't browse through emails looking for personal content. This is standard practice for organizations that take information security seriously, and it's the same approach used by our clients and partners. The policy explains what we monitor, why, and who has access — it's designed to be transparent, not intrusive."
The correct answer is Option B. Acknowledge the concern, explain the proportionality (automated scanning, human review only on alerts), reference the business purpose, and normalise the practice. The monitoring disclosure in the AUP provides transparency — which is the ICO's primary requirement.
Try it: Draft your Acceptable Use Policy
Copy the AUP template into a Word document. Adapt all bracketed sections. Review each section against your deployed controls:
- Section 4 (Devices): matches AD3 compliance policies?
- Section 5 (Email): matches AD2 email protection?
- Section 6 (Data): matches AD4 data classification?
- Section 8 (Monitoring): covers AD5 monitoring activities?
If any section doesn't match your controls, either update the policy or update the controls. The policy and the technology must be aligned — a policy that requires something your technology doesn't enforce (or vice versa) creates governance gaps.
Send the draft to your manager with: "This policy authorizes the security controls we've deployed over the last 12 weeks. It requires management approval and employee acknowledgment. Review time: 10 minutes."
You're reading the free modules of M365 Security: From Admin to Defender
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.