Introducing enhanced company branding for sign-in experiences in Azure AD
Published Dec 12 2022 08:00 PM
Microsoft

Hello friends,

I'm thrilled to announce that we have redesigned the company branding functionality to allow more flexible and user-centric customization of the built-in identity flows for Azure AD and Microsoft 365 apps. The new experience controls apply to sign-in for users in the directory and for external users, including use cases for B2B, B2E and first-party applications running on Azure AD. You can try the public preview today.

 

Your users, your experience

We added these customization options based on your feedback that you wanted more control over the experience for your users. For those building customer-facing apps, we know from our experience on the B2C platform that a beautifully branded experience is critical in building a trusted relationship.

With enhanced Company Branding, you'll be able to create a custom look and feel for the default sign-in pages, as well as pages targeting specific browser languages. In addition, you can now customize self-service password reset (SSPR), footer hyperlinks and the browser icon, style sign-in experiences using cascading style sheets (CSS), and enable a header and footer using one of the pre-defined templates.

  

Configure the sign-in experience

Enhanced customization can be configured using the company branding blade in the Azure portal for your tenant. There, you can configure settings that automatically display customizations to your users when they land on your organization's sign-in pages, as well as pages targeting specific browser languages.

The following are all new settings available on the company branding blades.

  • Configure layout – specify the placement of web page elements on the sign-in page.
  • Set up custom self-service password reset hyperlink – show, hide, or customize the self-service password reset link on the sign-in page.
  • Customize footer hyperlinks – the URLs and link text for the privacy and terms of use hyperlinks that appear in the footer of the sign-in page.
  • Set up 'Favicon' – the icon that displays in the web browser tab.
  • Customize header – a custom logo to display in the header of the sign-in page.

Once your settings are uploaded, you can view the resulting end user experience.
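The same settings can be driven from Microsoft Graph rather than the portal. As an added example (not Microsoft's code and not part of this post), the Python script below assembles the request body for the layout, SSPR link and footer hyperlink settings listed above and refuses any footer or password-reset link that is not HTTPS or not on the organisation's own domains, because those links are shown to every user on the sign-in page and a mistyped or hijacked target would carry the tenant's branding. The Graph property names, the layout template values and the image upload endpoints are assumptions taken from the organizationalBranding documentation and should be checked against the current reference; the tenant ID, token and URLs are placeholders or constructed sample values.

```python
"""Build and validate a Microsoft Graph organizational branding payload.

Added example (not Microsoft's code). The Graph property names below are
assumed from the organizationalBranding resource documentation and should be
checked against the current reference before use.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Layout templates assumed for loginPageLayoutConfiguration.layoutTemplateType.
ALLOWED_LAYOUTS = {"default", "verticalSplit"}


class BrandingValidationError(ValueError):
    """Raised when a branding setting would be unsafe or malformed."""


def validate_branding_url(url, allowed_hosts):
    """Footer and password-reset links are rendered on the tenant's sign-in
    page, so a mistyped or hijacked link would be presented to every user as
    if it were the organisation's own. Require HTTPS and a host on the
    organisation's allow-list (exact match or subdomain)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise BrandingValidationError(f"{url}: scheme must be https")
    host = (parsed.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        raise BrandingValidationError(f"{url}: host {host!r} is not on the allow-list")
    return url


def build_branding_payload(*, layout="default", show_header=True, show_footer=True,
                           privacy_url=None, privacy_text=None,
                           terms_url=None, terms_text=None,
                           sspr_url=None, sspr_text=None, hide_sspr=False,
                           allowed_hosts=()):
    """Assemble the JSON body for PATCH /organization/{id}/branding covering
    the settings listed above: layout, SSPR link, and footer hyperlinks."""
    if layout not in ALLOWED_LAYOUTS:
        raise BrandingValidationError(f"unknown layout {layout!r}")
    if hide_sspr and (sspr_url or sspr_text):
        raise BrandingValidationError("cannot hide the SSPR link and customise it at once")

    payload = {
        "loginPageLayoutConfiguration": {
            "layoutTemplateType": layout,
            "isHeaderShown": show_header,
            "isFooterShown": show_footer,
        },
        # Assumed property: hides the "Forgot my password" link entirely.
        "loginPageTextVisibilitySettings": {"hideForgotMyPassword": hide_sspr},
    }
    if privacy_url:
        payload["customPrivacyAndCookiesUrl"] = validate_branding_url(privacy_url, allowed_hosts)
    if privacy_text:
        payload["customPrivacyAndCookiesText"] = privacy_text
    if terms_url:
        payload["customTermsOfUseUrl"] = validate_branding_url(terms_url, allowed_hosts)
    if terms_text:
        payload["customTermsOfUseText"] = terms_text
    if sspr_url:
        # Assumed property for the custom self-service password reset target.
        payload["customAccountResetCredentialsUrl"] = validate_branding_url(sspr_url, allowed_hosts)
    if sspr_text:
        payload["customForgotMyPasswordText"] = sspr_text
    return payload


def apply_branding(org_id, access_token, payload, favicon_png=None, header_logo_png=None):
    """Send the payload to Graph. JSON settings go in one PATCH; binary assets
    (favicon, header logo) are streams and are uploaded with separate PUTs,
    as assumed from the Graph documentation for branding images."""
    base = f"https://graph.microsoft.com/v1.0/organization/{org_id}/branding"
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    req = urllib.request.Request(base, data=json.dumps(payload).encode(), headers=headers, method="PATCH")
    with urllib.request.urlopen(req) as resp:
        status = resp.status
    for name, blob in (("favicon", favicon_png), ("headerLogo", header_logo_png)):
        if blob is not None:
            req = urllib.request.Request(
                f"{base}/localizations/default/{name}", data=blob,
                headers={"Authorization": f"Bearer {access_token}", "Content-Type": "image/png"},
                method="PUT")
            with urllib.request.urlopen(req) as resp:
                status = resp.status
    return status


if __name__ == "__main__":
    # Constructed sample values; replace the placeholders with your own tenant's.
    body = build_branding_payload(
        layout="verticalSplit",
        privacy_url="https://contoso.example/privacy",
        terms_url="https://legal.contoso.example/terms",
        sspr_url="https://contoso.example/helpdesk/reset",
        sspr_text="Reset your Contoso password",
        allowed_hosts=("contoso.example",),
    )
    print(json.dumps(body, indent=2))
    # apply_branding("<ORGANIZATION-ID>", "<ACCESS-TOKEN>", body)  # needs a Graph token
```

The allow-list check is the part worth keeping even if you drive the portal by hand: review the footer and SSPR targets the same way you would review a redirect URI, since whatever is configured there is presented to users under your organisation's name on the sign-in page.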

 

Get started using company branding by setting up Azure AD Premium or Office 365.

Learn more about company branding.

As always, we love hearing from you, so please share your feedback on these updates through the links below.

Robin Goldstein
Director of Product Management, Microsoft identity
LinkedIn: Robin Goldstein

 

 


 

55 Comments

Can you help me understand why you need Azure AD P1 to brand a tenant? One would suggest that it should be available to all as a way to enhance security rather than being restricted to requiring Azure AD P1 or P2.

Brass Contributor

Fantastic! Now please add AD group based customization for different branding per group of users. We have multiple departments that act as separate entities and we'd like to customize per group!

 

Thank you!

Brass Contributor

This is awesome. It would be great to have a "Preview" option before submitting the changes.

Copper Contributor

Since when is Azure P1 or P2 required for company branding? It was always available for all tenants. And what does this mean for existing company branding in tenants without an Azure P1 license?

Try and access branding in a tenant without Azure AD P1 or P2. It no longer works. I have tenants like this and I can no longer make changes. Something has changed since November.

Copper Contributor

What seems to work (as a workaround for now for tenants with existing branding) is to open the Company branding page, then click on, for example, User Settings in the left toolbar, and then hit the back button in your browser. This way you are able to bypass the Azure AD P1 license requirement page.

Nice

Microsoft

@RobertCrane thanks a lot for the feedback! We would like to learn more about your experience.

Azure AD company branding has been a paid feature since the day it was launched. It requires a Premium 1, Premium 2 or Office 365 subscription to configure it. This information is included in the legacy feature documentation, MS Graph API docs, and Azure AD plans and pricing.

Microsoft

@TedLarsen, thank you for taking a minute and sharing your perspective. The good news is that branding per group of users is on our roadmap. We would like to learn more about your use cases to understand how sign-in experiences need to look different for group 1 vs group 2.

Would you prefer to set company branding up using Azure portal or MS Graph API?

Microsoft

@Rmartinez1427, we appreciate your time and the feedback. Company branding "preview" functionality is on the roadmap.

Microsoft

@LazyAdmin_nl, thanks so much for the feedback! We would like to hear more about your experience.

Azure AD company branding has been a paid feature since the day it was launched. It requires a Premium 1, Premium 2 or Office 365 subscription to configure it. This information is included in the legacy feature documentation, MS Graph API docs, and Azure AD plans and pricing.

@SashaMars The reality is that even though the docs said branding required an Azure AD P1 or P2 license, the reality was it never did. Using O365 only I could brand a tenant, that was until recently when I can no longer do that without Azure AD P1 or P2. Clearly things have changed since November and it would be good to have documentation to refer to as to why this is now being enforced. I would also suggest that branding is an important security capability and should be available to all tenants for free, as it used to be.

Copper Contributor

@SashaMars Thanks for rolling out these updates. We have been wanting to customize the forgot password link for our B2B login since we started using it, so that is a big win for us.

I am curious to what extent the Custom CSS file can be customized. Can only the pre-defined classes from the custom-style-template.css file be styled or can we add our own selectors? For example, I would like to show an extra paragraph in the "Sign-in page text" only on the "Enter password" view.

I tried using some css selectors that identified if I'm on the div[data-viewid="2"] to show/hide the extra paragraph, but it's not being applied. It works in the inspector, so I'm not sure if we can have that level of customization or not.

Thanks!

Microsoft

Thanks everyone so far for the great callouts and feedback!

Brass Contributor

@SashaMars Great to hear this is on the roadmap! Preferably, we'd select doing so through the portal over API at the moment, as we are a smaller company and most of our management is done directly through the portal. Future API functionality would be nice, but priority would be portal for us.

Thank you for this!

Microsoft

@ChrisButzkeStelter, thank you for the feedback! Yes, you're right - only the pre-defined classes listed in the custom-style-template.css file can be styled, and you can't use your own selectors yet. The good news is that we're hearing your requirements and eventually we will be there with fully customizable authentication experiences.

 

What would be your ideal 'branding' capabilities? Fully customizable, e.g. HTML, JS, CSS hosted by you, integrated with your own CMS + authentication API, or something else? Thanks.

Copper Contributor

@SashaMars My use case is a React/NodeJS B2B app with external guest users for one tenant then an alternate login for users in our internal tenant. My last two years of developing/managing this app and supporting our clients would've been much better had there been a more customizable user experience for the external users, but I'm fine offloading the login pages to your team with the more customizable approach you are now taking.

 

Most of our clients (external guest users) are in other Azure AD home tenants, and redirecting to their tenant login forms is common, so a custom self-hosted experience with API calls is not a must-have.

 

However, I would be interested in testing that flow with an API because we could possibly eliminate one or two steps for some of our clients who fill in their email and are redirected to fill out their email one more time with their password. If we could handle the API call to check our tenant for the user, return that they are in another home tenant or a non-AD user, then present them with the password field for that tenant or the email one-time code in a single step, it would streamline the UX.

For now, the options you added this week are very helpful, though I'd like some additional CSS capabilities, such as allowing :before/:after pseudo elements or allowing custom selectors to slightly tweak the helper text depending on the step of the login process the user is on. This could also be accomplished by providing more options in the company branding settings for each login step.

Lastly, I do have a question about the custom css template you provide. I'm not finding the customizable classes in the html (like .ext-boilerplate-text). Do the classes only get applied to the html elements when styles are added in the file?


Thanks again.

Brass Contributor

Will the enhanced branding features announced in this article also be available for One-Time Passcode Authentication?

Silver Contributor

Are there any plans to have these branding changes correlated/integrated with all of the other MS cloud products that have branding functionality, e.g. Defender for Cloud Apps, and Intune both have branding which can be configured independently. 

Copper Contributor

We have an Office 365 license; our company logo has changed and at this moment I can't change it, not even remove the "old" one.

Copper Contributor

@Arturmsc  - Have you tried this method: LazyAdmin - 13 Dec

Brass Contributor

Hi @Robin Goldstein @RobertCrane

 

Very nice introduction to get closer to the B2C world.

One point, though. I am NOT finding the "show option to remain signed in" checkbox.

I know that the "Persistent Browser session control" under CA-policy used to override the above setting on the old branding page.

But now it looks like you have completely taken it out of the branding configuration.

What is the thought process around it?

 

 

Copper Contributor

@LazyAdmin_nl Just perfect. Thanks

@testuser7 Disable the preview features in the branding console. Search Azure portal for preview features and disable the one for branding.

Brass Contributor

@RobertCrane sorry, I did not follow you. My question is about KMSI having disappeared from the new branding.

Microsoft

@LazyAdmin_nl @RobertCrane thanks one more time for letting us know about the licensing issue. The fix was completely rolled out this morning. Now Azure AD company branding is accessible for Office 365 E3 and E5 licenses.

@SashaMars Thanks. Appreciate the fast response on getting this resolved. Can you also update the documentation to make it a little clearer about what licenses include company branding? The current "Office 365 (for Office apps)" is a little vague. Spelling the license requirements out more for people will help I suggest.

Microsoft

@testuser7 thanks for your feedback. The KMSI toggle was permanently moved out of company branding to the 'user settings' blade.

Copper Contributor

@SashaMars Thanks for the update and resolving the issue so quickly!

Brass Contributor

Thanks @sashah_mars Confirmed. The KMSI is now in the "user settings" blade.

Just to make sure, the implication/interpretation is still the SAME. Right?

Meaning, CA-policy will override it and the KMSI screen will only be shown to the user if it is turned ON and persistent browser session is not configured in CA-policy.

 

Microsoft

@testuser7 right, KMSI functionality remains the same.

Brass Contributor

I like to see a company branding option based on usergroup too.

 

when can we expect this?

Microsoft

Hi @rico_roodenburg, thanks for your interest in branding per user group. Unfortunately, we don't have a solid ETA yet.
It would be great to hear from you which scenarios would be addressed with branding per user group.

Microsoft

@Wayno thanks for the question. Branding coverage of authentication experiences remains the same. So, the extended branding capabilities should apply to one-time passcode authentication.

Microsoft

@Dean_Gross, thanks for the question. We're working with the mentioned teams to make customization as robust and consistent as possible. It would be great to hear from you: what would be the ideal customization solution for you that spans multiple areas? Would you like to have one central place to customize everything, or still multiple ones but with a consistent approach? Would you like to have shared media assets which might be used by any isolated customization platform within your tenant boundaries?

Microsoft

@ChrisButzkeStelter Thanks for the provided details and question. The '.ext-boilerplate-text' class will appear in the HTML only after the sign-in page text feature is configured.

HTML elements, e.g. sign-in page text, header, footer, etc., should be configured first via the admin UX or MS Graph API. Then custom styles can be applied to them.

Brass Contributor

@SashaMars I’m working for a shared service center. We have one tenant for multiple customers.

Our customers are complaining about the organization branding. They want their own branding (name, logo and background). I think this can easily be done based on dynamic user groups.

 

They are also complaining about the tenant name within sharepoint / onedrive sharing urls. 

Brass Contributor

@rico_roodenburg @SashaMars This is our exact same scenario and desire.   Having multiple customers on one Tenant creates this scenario where having custom branding per group is imperative.  

Copper Contributor

Is this upgraded experience available for B2C tenants? I can see the full experience on our main company AAD, but we also have a B2C tenant and here I can only see the old (current?) branding experience. A banner across the top invites me: "Want to try out the new company branding experience improvements? Click here to turn on the preview and refresh the browser." but clicking the banner does nothing, and the Preview Features blade is not available in tenants without a subscription (our subscriptions are all under our main company tenant).

I feel like I must be missing something obvious!

Silver Contributor

@SashaMars we have some customers that are big users of M365 and Azure, and others that are primarily M365 with minimal Azure. 

Ideally there would be a "branding management center" in each cloud that was synchronized/shared resources. It would be good to be able to have a single branding asset, that was targeted at many different UX options. 
Clients also need the ability to customize notifications/emails/MFA prompts; these need to be spoof-proof and tamper-resistant.

I can imagine a wizard that walks me through some choices about where I want a logo to appear. Ideally the same graphic would be processed appropriately to display correctly in different resolutions, screens, devices and themes, or we could have a collection of images that would be targeted accurately. We should not have to do trial and error testing :).

Let me know if this helps or you have any questions. 

Brass Contributor

Azure Custom Roles allow you to create custom roles with specific permissions in Azure Active Directory. The names of the custom roles that you create will depend on the specific needs of your organization and the tasks that you want the role to be able to perform. Here are a few examples of custom role names you might use: Database Administrator, Virtual Machine Manager, Security Analyst, Backup Operator, Network Administrator. Keep in mind that these are just examples and you'll want to choose role names that are specific and meaningful for your organization. It would be good practice to involve your IT Security department and Security governance in the process of creating custom roles.

Copper Contributor

I'd also like the option to customize based on computer group. I would like to remove the prompt about staying signed in on the group of computers we define as public use computers.

Brass Contributor

I find it very disappointing that "Hyperlinks that are added to the sign-in page text render as text in native environments, such as desktop and mobile applications."

 

It's not smart that the sign-in form displays the organization's contacts by URL.

Quickly implement it so that desktop and mobile applications can also display it as a hyperlink.

Copper Contributor

It should be resolved as soon as possible.

Microsoft

@TANIMURA_Noboru thank you for the provided feedback. There are two things which make it a bit complicated, and I'd like to hear your opinion.

 

  1. The end user should stay within the authentication flow, meaning a web view can't be used.
  2. Detecting a device's preferred web browser, then launching it and opening a destination URL in a new tab may lead to a failure or unpredictable behavior.

Brass Contributor

Hi @SashaMars ,

 

Did you already read my answer on your question? What and when can we expect these requests? What are your thoughts about it?

 

Please, can you reply on it?

Brass Contributor

Hi @SashaMars ,

 

Thanks for picking up on my comment.

 

What is the link that an organization wants to show to end users, even if it interrupts the authentication flow?
It is a lead to a solution in case of authentication problems.

 

End-users want to be able to access the organization's service desk contact information, documentation, and FAQs to resolve issues in the device's default browser.

As evidence, you have placed "No account? Create one!", "Can't access your account?", and "Forgot my password" links in the default sign-in UI.

 

Failure or unpredictable behavior is not a problem!
Because the end user accessing the link has not been able to authenticate before then.

End users who can authenticate would not open such a link.

Microsoft

@rico_roodenburg Thanks for following up and sharing your scenarios. It will help us prioritize branding per user group in the future. Reiterating, it's already on the roadmap, but branding per application and branding per username domain have higher priority.

 

What would be a desired behavior for following "They are also complaining about the tenant name within sharepoint / onedrive sharing urls."? Thank you.

Brass Contributor

Hello @SashaMars Is it possible to get any kind of update as to the company branding by user group roadmap? Has the request moved at all up the priority chain? Is it still being considered for implementation anytime soon?

This issue is the only reason we are unable to use this feature set. Thank you for your feedback.

Brass Contributor

@Teds I have the same question. Takes too long.

Version history
Last update: Feb 02 2023 01:39 PM