Company Branding - Vanity or Security?
Within the Microsoft Cloud, there are multiple places that allow the configuration of company branding:
- Azure AD
- M365 Admin Center
- Teams Admin Center
- Intune
I often see customers who have configured their M365 corporate branding, seeing it as an important way to reinforce to users that they're working for x company, and to ensure the money they spent on design firms to create their logo and define the brand colours, typeface etc. wasn't a waste.
In reality, from a user perspective, it largely goes unnoticed, at least until they see what a different company have done and how "it doesn't look the same!"...
However, while the branding in M365, Teams, and Intune is largely cosmetic, the Azure AD branding can not only improve the user experience but also, without you realising it, improve your overall tenant security, by giving users confidence that the login page they're presented with does actually belong to their company. While it's still possible for an attacker to spoof this, it adds another layer they must cover for a successful attack, and in a world of Defence in Depth, any additional layers you can add are worthwhile.
But the options are so limited...
The default AAD branding options have long frustrated me, especially when having to configure them for a client with... less than optimal access to branding images.
The file size and dimension constraints are difficult to work with, and have no consistency across the various places you can add branding. Banner logos need to be a <10KB, 280x60px PNG or JPG; square logos are <50KB but resizable to 240x240 from higher resolutions, which means they generally don't look as bad. Oh, and you can change the background colour or add a 1080p background image if you want.
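A pre-upload check for the two Azure AD logo limits quoted above, as an added example (not from the original post or from Microsoft). It reads the dimensions straight from the PNG IHDR or JPEG SOF header; treating 280x60 as an upper bound, requiring width == height for the square logo, and the names check_logo and fake_png are assumptions made for illustration.

```python
import struct

# Limits as stated in the post; upper-bound and squareness rules are assumptions.
LIMITS = {
    "banner": {"max_bytes": 10 * 1024, "max_dims": (280, 60), "square": False},
    "square": {"max_bytes": 50 * 1024, "max_dims": None, "square": True},
}
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # JPEG frame headers

def image_size(data: bytes):
    """Return (format, width, height) from a PNG IHDR or JPEG SOF header."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        width, height = struct.unpack(">II", data[16:24])
        return "PNG", width, height
    if data[:2] == b"\xff\xd8":
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
            if marker in SOF_MARKERS:
                height, width = struct.unpack(">HH", data[i + 5:i + 9])
                return "JPEG", width, height
            i += 2 + seg_len  # skip the marker plus its segment payload
    raise ValueError("not a readable PNG or JPEG")

def check_logo(data: bytes, kind: str):
    """Return a list of problems; an empty list means the asset fits."""
    limits = LIMITS[kind]
    try:
        _fmt, width, height = image_size(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(data) >= limits["max_bytes"]:
        problems.append(f"{len(data)} bytes, must be under {limits['max_bytes']}")
    if limits["square"] and width != height:
        problems.append(f"{width}x{height} is not square")
    if limits["max_dims"] and (width > limits["max_dims"][0] or height > limits["max_dims"][1]):
        problems.append(f"{width}x{height} exceeds {limits['max_dims'][0]}x{limits['max_dims'][1]}")
    return problems

def fake_png(width, height, pad=0):
    """Constructed sample: PNG signature + IHDR only, padded to a chosen size."""
    ihdr = struct.pack(">I4sIIBBBBB", 13, b"IHDR", width, height, 8, 6, 0, 0, 0)
    return b"\x89PNG\r\n\x1a\n" + ihdr + b"\x00" * (4 + pad)

if __name__ == "__main__":
    print(check_logo(fake_png(280, 60), "banner"))              # fits the limits
    print(check_logo(fake_png(560, 120, pad=12000), "banner"))  # two problems
```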
M365 branding, on the other hand, is more flexible, allowing you to simply point to the URL of even a lossless SVG which, providing your ratio is good, gives a great-looking image; the alternative is a sub-10KB 200x48 uploaded image. Make sure to define both light AND dark mode images for those of us who don't like having our retinas destroyed ;)
Intune branding decides it wants to beat them both by being able to use up to a whopping 750KB for your Company Portal branding, theme colours AND a "Brand Image" to display. As long as you're on iOS or Android, that is, as Windows is left high-and-dry.
A shiny contender approaches!
Roadmap ID 93320, or "Azure Active Directory: Customize Organizations’ Sign-In and Sign-Up Pages in Company Branding", which currently appears in the M365 Message Center under MC384784, is a significant enhancement to the Azure AD branding capabilities, offering many more possibilities, including layout template options, a header image, and most excitingly: Custom CSS Support!
Before getting too excited, there are some limitations on the CSS, namely:
Styles the layout of a web page. This CSS file replaces Microsoft default styling. The limited selectors are supported to manage color, font, size of the text how elements are positioned, different displays for different devices and screen sizes.
I'm not a web dev, and my design skills are... questionable, so I'll re-post the concept image Microsoft have on the Message Center entry to demonstrate the possibilities of these features:
I can't as yet find any actual documentation or guidance from MS on the CSS options, but this feature does seem to be HOT off the press, so I'll update as and when I find any.
Two-for-one!?
Hidden in this same preview is actually a second feature! Roadmap ID 88928/MC339117, "Enabling customization capabilities for SSPR, footer hyperlinks and favicon in Company Branding."
The keen amongst you may have noticed in the above Branding Options image the ability to configure a Favicon, but there's also configurable Footer options to apply links to Privacy and Terms of Use pages, and visibility and customisation of the Self-Service Password Reset (SSPR) feature!
So not just vanity, then?
Every company should have AAD branding configured, not only to provide a consistent end-user sign-in experience, but to subconsciously give users some assurance as to where they're inputting their credentials. These enhanced branding capabilities not only enable better alignment with a "corporate image", but also improve access to important security and user experience options like SSPR, and make an attempt at spoofing an AAD login to phish credentials even more difficult.
While the limitations of file sizes, resolution and ratio, and the inconsistency of these limitations across the wider platform haven't changed, the overall level of customisation is definitely welcomed.
One thing that is ever important is to properly communicate changes to users. An end-user is your first line of defence when it comes to security, so making sure they're familiar with what things are supposed to look like makes it more likely for them to report when something is... phishy.