Definitive guide: Configuring enrollment branding for Azure Active Directory joined, Intune managed and Autopilot devices
In our last post, discussing locking down Autopilot devices, you may have noticed the branding shown during the out-of-box login screen. Let’s go over how to configure all the user enrollment aspects of branding – so that your users can be confident that they’re enrolling into the right place!
Interested in desktop branding for end users, such as desktop wallpaper, lock screen, and Start menu layout? Check out our post next week, where we will cover all of those! This post is strictly about enrollment branding.
Before we begin, two prerequisites: branding (or formally, “company branding”) is an Azure Active Directory Premium feature, so you’ll need a license. You will also need to be a tenant admin to configure these settings.
Let’s start by gathering all the assets we’ll need:
- Logo – 240 x 240px png or jpg (10KB or smaller)
  - We recommend a transparent logo. Otherwise, you’ll need two logos: one for light backgrounds and one for dark backgrounds.
- Background image – 1920 x 1080px png or jpg (300KB or smaller)
- Banner logo – 280 x 60px png or jpg (10KB or smaller)
- Accent color hex
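A pre-upload check for the three image assets, as an added example that is not part of the original post: it reads the dimensions from the PNG or JPEG header and compares them, and the file size, with the limits listed above. The script name `check_branding.py`, the `kind=path` argument form, and treating 1 KB as 1024 bytes are assumptions.

```python
import struct
import sys

# (width, height, max size in KB) copied from the asset list above.
SPECS = {"logo": (240, 240, 10), "background": (1920, 1080, 300), "banner": (280, 60, 10)}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def image_size(data):
    """Return (width, height) for PNG or JPEG bytes, or None if unreadable."""
    if data[:8] == PNG_MAGIC and data[12:16] == b"IHDR" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])  # IHDR starts with width, height
    if data[:2] != b"\xff\xd8":  # not a JPEG start-of-image marker
        return None
    i = 2
    while i + 9 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:  # markers with no length field
            i += 2
            continue
        # Start-of-frame segments hold the size; C4, C8 and CC are other tables.
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return (width, height)
        i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]
    return None

def check_asset(kind, data):
    """Return a list of problems for one asset; an empty list means it fits."""
    width, height, max_kb = SPECS[kind]
    problems = []
    size = image_size(data)
    if size is None:
        problems.append("not a readable PNG or JPEG")
    elif size != (width, height):
        problems.append("is %dx%d, expected %dx%d" % (size + (width, height)))
    if len(data) > max_kb * 1024:  # assumption: 1 KB = 1024 bytes
        problems.append("is %d bytes, limit is %d KB" % (len(data), max_kb))
    return problems

if __name__ == "__main__":
    # Usage: python check_branding.py logo=logo.png background=bg.jpg banner=banner.png
    for arg in sys.argv[1:]:
        kind, path = arg.split("=", 1)
        with open(path, "rb") as handle:
            issues = check_asset(kind, handle.read())
        print(path, "OK" if not issues else "; ".join(issues))
    if not sys.argv[1:]:
        # Constructed sample (header only, no pixel data) used when no files are given.
        sample = PNG_MAGIC + struct.pack(">I4sIIBBBBB", 13, b"IHDR", 240, 240, 8, 6, 0, 0, 0)
        print("constructed 240x240 logo header:", check_asset("logo", sample) or "OK")
```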
Log into the Azure portal. On the left-hand side, click Azure Active Directory. Scroll down in the Azure AD pane to find Company Branding.
Click on the Default locale to edit the branding for all of your users. You can also use the page to configure branding for another language.
In the first group of settings, you’ll input the sign-in page background image, banner logo, username hint, and sign-in page text.
For our purposes, here’s where these settings will affect us:
- Sign-in page background image: shown when users log into any application that uses Azure AD for authentication (Office 365 for example). If you’ve enabled MFA for your users, they will see this image during the Windows Hello setup portion of the out-of-box experience.
- Banner logo: shown above the password input screen when a user is logging in to an Azure AD application.
- Username hint: if a user accesses a non-redirected page, they will see this hint text (not shown during Autopilot).
- Sign-in page text: shown under the password input screen. Some organizations use this for providing a help-desk number.
To view the username hint, navigate to a non-redirected site, such as: https://outlook.com/tenanturl (e.g. https://outlook.com/test.onmicrosoft.com). You’ll see the username hint in the username input field:
Scrolling a little further on the default branding pane:
- Square logo image: shown during Autopilot next to the Welcome text.
We will see this logo image (as well as the sign-in page text) during the Autopilot login screen:
And as mentioned before, if you have MFA enabled there will be a branded prompt during the Windows Hello out-of-box experience:
In your tenant, you may have noticed the “onmicrosoft.com” name whenever you log in. This isn’t a “company branding” setting, but a property of Azure AD. To configure this, go to the main Azure Active Directory pane and click Properties.
The Name here will be used in every sign-in location, including during Autopilot (“Welcome to directory name”).
But wait, there’s more!
For application management and mobile enrollment, we’ll need to configure Intune Company Portal branding. In the Azure portal, search for the Intune pane and click Client Apps > Branding and Customization.
Here we can fill out company and support information:
And then on to the fun stuff, where we’ll find colors and logo inputs. For our tenant we used the same banner logo (now company logo) and background image (now brand image):
Once we click Save, we can then click Preview to be redirected to the portal.manage.microsoft.com page with our company portal branding configured:
We will also view this branding on mobile devices or PCs using the Company Portal app:
There you have it! If you configured all of these settings, you can be confident users will be viewing your company branding at every turn.