Introducing enhanced company branding for sign-in experiences in Azure AD

Can you help me understand why you need Azure AD P1 to brand a tenant? one would suggest that it should be available to all as a way to enhance security rather than being restricted to requiring Azure AD P1 or P2.

Fantastic! Now please add AD group based customization for different branding per group of users. We have multiple departments thst act as separate entities and we’d like to customize per group!

Thank you!

This is awesome. It would be great to have a "Preview" option before submitting the changes.

Since when is Azure P1 or P2 required for company branding? It was always available for all tenants. And what does this means for existing company branding in tenants without an Azure P1 license?

Try and access branding in a tenant without Azure AD P1 or P2. It no longer works. I have tenants like this and I can no longer make changes. Something has changed since November.

What seems to work (as a workaround for now for tenants with existing branding), is open the Company branding page, then click on for example User Settings in the left toolbar, and then hit the back button in your browser. This way you are able to bypass the Azure AD P1 license requirement page.

Nice

@Robert Crane thanks a lot for the feedback! We would like to learn more about your experience.

Azure AD company branding is a paid feature since the day it was launched. It requires Premium 1, Premium 2 or Office 365 subscription to configure it. This information is included to the legacy feature documentation, MS Graph API docs, and Azure AD plans and pricing.

@TedLarsen, thank you for taking a minute and sharing your perspective. The good news is that branding per group of users is in our roadmap. We would like to learn more about your use cases to understand how sign-in experiences need to look different for group 1 vs group 2. 

Would you prefer to set company branding up using Azure portal or MS Graph API?

@Rmartinez1427, we appreciate your time and the feedback. Company branding "preview" functionality is in the roadmap. 

@LazyAdmin_nl, thanks so much for the feedback! We would like to hear more about your experience.

Azure AD company branding is a paid feature since the day it was launched. It requires Premium 1, Premium 2 or Office 365 subscription to configure it. This information is included to the legacy feature documentation, MS Graph API docs, and Azure AD plans and pricing.

@SashaMars The reality is that even though the docs said branding required an Azure AD P1 or P2 license, the reality was it never did. Using O365 only I could brand a tenant, that was until recently when I can no longer do that without Azure AD P1 or P2. Clearly things have changed since November and it would good to have documentation to refer to as to why this now being enforced. I would also suggest that branding is an important security capability and should be available to all tenants for free, as it used to be.

@SashaMars Thanks for rolling out these updates. We have been wanting to customize the forgot password link for our B2B login since we started using it, so that is a big win for us.

I am curious to what extent the Custom CSS file can be customized. Can only the pre-defined classes from the custom-style-template.css file be styled or can we add our own selectors? For example, I would like to show an extra paragraph in the "Sign-in page text" only on the "Enter password" view.

I tried using some css selectors that identified if I'm on the div[data-viewid="2"] to show/hide the extra paragraph, but it's not being applied. It works in the inspector, so I'm not sure if we can have that level of customization or not.

Thanks!

Thanks everyone so far for the great callouts and feedback!

@SashaMars   Great to hear this is on the roadmap!  Preferably, we'd select doing so through the portal over API at the moment, as we are a smaller company and most of our management is done directly through the portal.  Future API functionality would be nice, but priority would be portal for us. 

Thank you for this!

@ChrisButzkeStelter, thank you for the feedback! Yes, you're right - only the pre-defined classes listed in the custom-style-template.css file can be styled, and you can't use your own selectors yet. The good news is that we're hearing your requirements and eventually we will be there with fully customizable authentication experiences.

What would be your ideal 'branding' capabilities? Fully customizable e.g. HTML, JS, CSS hosted by you, integrated with own CMS + <div>authentication API</div> or something else? Thanks.

@SashaMars My use case is a React/NodeJS B2B app with external guest users for one tenant then an alternate login for users in our internal tenant. My last two years of developing/managing this app and supporting our clients would've been much better had there been a more customizable user experience for the external users, but I'm fine offloading the login pages to your team with the more customizable approach you are now taking.

Most of our clients (external guest users) are in other Azure AD home tenants, and redirecting to their tenant login forms is common, so a custom self-hosted experience with API calls is not a must-have.

However, I would be interested in testing that flow with an API because we could possibly eliminate one or two steps for some of our clients who fill in their email and are redirected to fill out their email one more time with their password. If we could handle the API call to check our tenant for the user, return that they are in another home tenant or a non-AD user, then present them with the password field for that tenant or the email one-time code in a single step, it would streamline the UX.

For now, the options you added this week are very helpful, though I'd like some additional CSS capabilities, such as allowing :before/:after pseudo elements or allowing custom selectors to slightly tweak the helper text depending on the step of the login process the user is on. This could also be accomplished by providing more options in the company branding settings for each login step.

Lastly, I do have a question about the custom css template you provide. I'm not finding the customizable classes in the html (like .ext-boilerplate-text). Do the classes only get applied to the html elements when styles are added in the file?

Thanks again.

Will the enhanced branding features announced in this article also be available for One-Time Passcode Authentication ?

Are there any plans to have these branding changes correlated/integrated with all of the other MS cloud products that have branding functionality, e.g. Defender for Cloud Apps, and Intune both have branding which can be configured independently. 

we have office365 license, our company logo has changed and at this moment I can't change it, not even remove the "old" one.

@Arturmsc  - Have you tried this method: LazyAdmin - 13 Dec

Hi @Robin Goldstein  @Robert Crane 

Very nice introduction to get closer to B2C world.

One point, though.   I am   NOT finding the "show option to remain signed in"   checkbox.

I know that  the  "Persistent Browser session control"   under  CA-policy used to override the  above setting on old branding page.

But now looks like you have completely taken it out from branding configuration.

What is the thought process around it ?

@LazyAdmin_nl Just perfect. Thanks

@testuser7 Disable the preview features in the branding console. Search Azure portal for preview features and disable the one for branding.

@Robert Crane   sorry I did not follow you.  My question is about  KMSI  gotten disappeared from the new branding.

@LazyAdmin_nl, @Robert Crane thanks one more time for letting us know about licensing issue. The fix was completely rolled out today morning. Now Azure AD company branding is accessible for Office 365 E3 and E5 licenses.

@SashaMars Thanks. Appreciate the fast response on getting this resolved. Can you also update the documentation to make it a little clearer about what licenses include company branding? The current "Office 365 (for Office apps)" is a little vague. Spelling the license requirements out more for people will help I suggest.

@testuser7 thanks for your feedback. KMSI toggle was permanently moved out of company branding to 'user settings' blade. 

@SashaMars Thanks for the update and resolving the issue so quickly!

Thanks @sashah_mars   Confirmed.  The KMSI is now in "user settings" blade.

Just to make sure,  the implication/interpretation is still  SAME.  Right ?

Meaning, CA-policy will override it and the KMSI screen will only be shown to the user if it is turned ON and persistence browser session is  not configured in CA-policy.

@testuser7 right, KMSI functionality remains the same.

I like to see a company branding option based on usergroup too.

when can we expect this?

Hi @rico_roodenburg, thanks for your interest in branding per user group. Unfortunately, we don't have a solid ETA yet. 
It would be great to hear from you scenarios which will be addressed with branding per user group.

@Wayno thanks for the question. A branding coverage of authentication experiences remains the same. So, the extended branding capabilities should apply to one-time passcode authentication.

@Dean Gross, thanks for the question. We're working with the mentioned teams to make customization as robust and consistent as possible. It would be great to hear from you - what would be ideal customization solution for you which spans multiple areas? Would you like to have one central place to customize everything or still multiple ones but with consistent approach? Would you like to have shared media assets which might be used by any isolated customization platform within your tenant boundaries?

@ChrisButzkeStelter Thanks for the provided details and question. '.ext-boilerplate-text' class will appear in the html only after sign-in page text feature configured.

HTML elements e.g. sign page text, header, footer, etc should be configured first via admin UX or MS Graph API. Then custom styles might be applied to them. 

@SashaMars I’m working for a shared service center. We have one tenant for multiple customers.

Our customers are complaining about the organization branding. They want their own branding (name, logo and background). I think this can easily done based on dynamic user groups.

They are also complaining about the tenant name within sharepoint / onedrive sharing urls. 

@rico_roodenburg @SashaMars This is our exact same scenario and desire.   Having multiple customers on one Tenant creates this scenario where having custom branding per group is imperative.  

Is this upgraded experience available for B2C tenants? I can see the full experience on our main company AAD, but we also have a B2C tenant and here I can only see the old (current?) branding experience. A banner across the top invites me: "Want to try out the new company branding experience improvements? Click here to turn on the preview and refresh the browser." but clicking the banner does nothing, and the Preview Features blade is not available in tenants without a subscription (our subscriptions are all under our main company tenant).

I feel like I must be missing something obvious!

@SashaMars we have some customers that are big users of M365 and Azure, and others that are primarily M365 with minimal Azure. 

Ideally there would be a "branding management center" in each cloud that was synchronized/shared resources. It would be good to be able to have a single branding asset, that was targeted at many different UX options. 
Clients also need to the ability to customize notifications/emails/mfa prompts, these need to be spoof proof and tamper resistant. 

I can imagine a wizard that walks me through some choices about where I want a logo to appear. ideally the same graphic would be processed appropriately to display correctly in different resolutions, screens, devices and themes, or we could have a collection of images that would be targeted accurately. We should not have to do trial and error testing :).

Let me know if this helps or you have any questions. 

I'd also like the option to customized based on computer group.  I would like to remove the prompt about staying signed in on the group of computers we define as public use computers. 

I find it very disappointing that "Hyperlinks that are added to the sign-in page text render as text in native environments, such as desktop and mobile applications."

It's not smart that the sign-in form displays the organization's contacts by URL.

Quickly implement it so that desktop and mobile applications can also display it as a hyperlink.

It should be resolved as soon as possible.

@TANIMURA_Noboru thank you for the provided feedback. There are two things which make it a bit complicated, and I'd like to hear your opinion.

1. The end-user should stay within authentication flow, meaning web-view can't be used.
2. Detecting a device preferred web browser, then launching it and opening a destination URL in a new tab may lead to a failure or unpredictable behavior.

Hi @SashaMars ,

Did you already read my answer on your question? What and when can we expect these requests? What are your thoughts about it?

Please, can you reply on it?

Hi @SashaMars ,

Thanks for picking up on my comment.

What is the link that an organization wants to show to end users, even if it interrupts the authentication flow?
It is a lead to a solution in case of authentication problems.

End-users want to be able to access the organization's service desk contact information, documentation, and FAQs to resolve issues in the device's default browser.

As evidence, you have placed "No account? Create one!", "Can't access your account?", and "Forgot my password" links in the default sign-in UI.

Failure or unpredictable behavior is not a problem!
Because the end user accessing the link has not been able to authenticate before then.

End users who can authenticate would not open such a link.

@rico_roodenburg Thanks for following up and sharing your scenarios. It will help us prioritize branding per user group in the future. Reiterating, it's already on the roadmap but branding per application and branding per username domain has higher priority.

What would be a desired behavior for following "They are also complaining about the tenant name within sharepoint / onedrive sharing urls."? Thank you.

Hello @SashaMars Is it possible to get any kind of update as to the company branding by user group roadmap?    Has the request moved at all up the priority chain?  Is it still being considered for implentation anytime soon?

This issue is the only reason we are unable to use this feature set.   Thank you for your feedback. 

@Teds I have the same question. Takes too long.