Thursday, September 29, 2022

Branding your tenant and managed endpoints

A clear brand builds identity and affiliation. Microsoft 365 and Endpoint Manager have a rich set of tools for building your brand into the products. This looks nice and integrated, and it also helps end users recognize attacks that impersonate the company. Let's take a deep dive into the possibilities associated with branding your tenant and endpoints!


A brand is a name, term, design, symbol or any other feature that distinguishes one company's goods or services from those of other companies. Brands are used for recognition, creating value and identification. A brand is the sum of all expressions by which an entity (person, organization, company, business unit, city, nation, etc.) intends to be recognized.

With a workforce spread all over the modern hybrid workplace, it is more important than ever to spread the love of the company's brand. This blog post will focus on how your brand can be incorporated into Microsoft 365 and onto all endpoints through Microsoft Endpoint Manager.


Add company branding to Microsoft 365

Microsoft has added features for branding your Microsoft 365 tenant in several ways, with text, colors and graphics. This gives a consistent experience when users sign in with their identity from your organization's Azure Active Directory (AAD). The branding can define and strengthen the experience of working in your company, even when the work is performed outside the office locations. These are all small but important steps for the identity of the company. At the same time, this relates directly to the security work, as users can distinguish a legitimate sign-in page from a forged one with a quick glance at the branding.

I have searched for ways of doing these brandings through the Graph API and PowerShell, but unfortunately I have not achieved this - yet. The most concrete thing I have found is the Microsoft reference for updating the organizationalBranding, from which Kevin Telgelaar has also made a small routine. Until I have this all covered in one scripted routine, I will walk you through the branding process inside the portals.

It's worth mentioning that custom branding requires Azure AD Premium P1 or higher. 

Branding the sign-in experience

The sign-in experience is a typical place to start branding your tenant. It can be customized with both text and graphics. All these branding elements are optional; if you leave some unchanged, the default settings remain. Regarding the images, all files must meet the file size requirements described in the portal. Personally I use Adobe Photoshop to produce the graphics at the best quality the requirements allow.
  1. Sign in to https://portal.azure.com and navigate to Azure Active Directory - Company Branding.
  2. Configure your policy with your branding. 

    1. The first policy is based on your default locale and can't be changed. Once the default sign-in experience is created, you can add language-specific customized brandings.

    2. Create the sign-in page background image at a size of 1920x1080. In order to stay under the 300 KB limit, I often use JPG.

    3. The Banner Logo is created as a transparent PNG at size 280x60 with a file size less than 10 KB.

    4. The Username hint is the text shown to users if they forget their username.

    5. Sign-in page text is the text appearing at the bottom of the sign-in page. I often add information about the helpdesk to this field. New paragraphs can be inserted by pressing Enter twice. Bold can be created with **text**, italics with *text*, underline with ++text++ and hyperlinks with [text](link).

    6. The Square Logos are also saved as transparent PNGs at size 240x240 with file sizes less than 50 KB.

    7. I like to remove the check mark for Show option to remain signed in, since this gives fewer questions from the users at each sign-in.

  3. This should now give a new branded sign-in experience for the users signing in with their identities from this tenant.
This branded sign-in page is easily recognizable compared to the standard login, and should thus help protect the end users from phishing attacks. 
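As an added example (editor's code, not the post's own routine and not Kevin Telgelaar's), here is the same default sign-in branding applied through the Microsoft Graph organizationalBranding resource that the post refers to, with a read-back check at the end. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds Organization.ReadWrite.All; the texts, helpdesk URL and image file names are placeholders.

```powershell
# Added example: set the default (locale-independent) sign-in branding via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; caller has Organization.ReadWrite.All.
# Image limits follow the portal: background <= 300 KB, banner <= 10 KB, square <= 50 KB.
Connect-MgGraph -Scopes 'Organization.ReadWrite.All'

$orgId = (Get-MgOrganization).Id
$base  = "https://graph.microsoft.com/v1.0/organization/$orgId/branding"
# Accept-Language: 0 addresses the default branding rather than a language-specific one
$hdr   = @{ 'Accept-Language' = '0' }

# Text elements; the markup the portal accepts in "Sign-in page text" works here as well
$hint = 'firstname.lastname@example.com'                       # placeholder
$body = @{
    signInPageText   = 'Need help? Contact the helpdesk: **+00 000 00 000** or [helpdesk](https://helpdesk.example.com)'
    usernameHintText = $hint
    backgroundColor  = '#003366'                                # placeholder brand color
} | ConvertTo-Json

Invoke-MgGraphRequest -Method PATCH -Uri $base -Headers $hdr -Body $body -ContentType 'application/json'

# Image elements are uploaded as raw bytes with PUT to the matching stream property.
# The size check mirrors the portal's limits so a too-large file fails here, not in Graph.
function Set-BrandingImage {
    param([string]$Property, [string]$Path, [int]$MaxBytes, [string]$MimeType)
    $len = (Get-Item -Path $Path).Length
    if ($len -gt $MaxBytes) { throw "$Path is $len bytes; the limit for $Property is $MaxBytes" }
    Invoke-MgGraphRequest -Method PUT -Uri "$base/$Property" -Headers $hdr `
        -ContentType $MimeType -InputFilePath $Path
}

Set-BrandingImage -Property 'backgroundImage' -Path '.\signin-1920x1080.jpg' -MaxBytes 300KB -MimeType 'image/jpeg'
Set-BrandingImage -Property 'bannerLogo'      -Path '.\banner-280x60.png'    -MaxBytes 10KB  -MimeType 'image/png'
Set-BrandingImage -Property 'squareLogo'      -Path '.\square-240x240.png'   -MaxBytes 50KB  -MimeType 'image/png'

# Read back what users will actually see; the same GET is useful in a scheduled audit
# that alerts when the branding differs from the approved values.
$current = Invoke-MgGraphRequest -Method GET -Uri $base -Headers $hdr -OutputType PSObject
if ($current.usernameHintText -ne $hint) { throw 'Username hint did not apply' }
$current | Select-Object signInPageText, usernameHintText, backgroundColor,
                         bannerLogoRelativeUrl, squareLogoRelativeUrl
```

Branding is a recognition cue, not an authentication control: a phishing kit can copy the same images, so it complements phishing-resistant MFA and Conditional Access rather than replacing them.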

Branding Office 365

Office 365 can be branded with a logo and color scheme from the company's branding profile.
  1. Sign in to https://admin.microsoft.com as a Global Administrator and navigate to Settings - Settings - Organization Profile - Custom Themes.

  2. The General tab has options to prevent users from overriding your official theme. You can also choose to display the user's display name on the navigation bar when signed in.

  3. The Logos tab allows you to upload a theme logo and specify a URL linked from the logo.

  4. The Colors tab allows you to define the color elements for your profile. If you don't have access to the official branding profile, the color codes can often be found on the company's official web pages. The Color Picker utility from PowerToys is a handy tool for carving these codes out of the web page. Pay attention to the warnings if your colors don't meet the recommended color contrast ratios.

  5. Saving the theme and refreshing the page gives you the result of your creation.
     

Branding Helpdesk information

Next up is yet another branding opportunity found in the Organization profile. You can add your help desk contact information, which will streamline user support. This option becomes available a while after the first licenses are added to the tenant.
  1. Navigate to Help desk information found under Organization profile in the Org settings. Add information about your helpdesk services.

  2. This will be available for the users under the Office 365 help pane.

Branding helpdesk information for SSPR

There are also several other places where we are allowed to add custom information. One such location is a customized helpdesk email or URL for Self Service Password Reset (SSPR):

If you try to do a Self Service Password Reset from passwordreset.microsoftonline.com and get into trouble, the link to contact your administrator will be the address defined above.


Add company branding to Microsoft Endpoint Manager

By adding branding to Microsoft Endpoint Manager, we can reach all the way out to the users' endpoints. The aim is to make users feel a sense of belonging to the company while at the same time reassuring them that they are on the right track when onboarding their devices. The branding consists of both text and graphics.

Branding the Company Portal

The Company Portal branding will be visible on all endpoints targeted by Microsoft Endpoint Manager (MEM).
  1. Sign in to https://endpoint.microsoft.com and navigate to Tenant Administration - Customization. Click Edit to start configuring the branding.

  2. You can use the same color codes as earlier to create a unified branded experience. If the logos from earlier have the correct dimensions, you can also reuse them at this point.

  3. Next you will add support information. Use the same information as provided for the Helpdesk on the tenant.
If necessary, you can create and assign customized policies to selected groups within your organization. There is a maximum of 10 policies. An assigned policy overrides the default policy. If multiple policies are assigned to a user, the first assigned policy takes precedence. 

The result will be a branded Company Portal on all platforms. Here are example results from the Company Portal on a Windows computer with the assigned color scheme, logos and helpdesk information.

Branding Windows endpoints

There are several ways to extend the company branding all the way to the Windows endpoint, from the onboarding process to the experience on the desktop.

Branding AutoPilot onboarding

By using the Autopilot Deployment profile, we can brand the computer name with a naming template. This gives uniform and recognizable names for all devices onboarded to the tenant.
  1. Navigate to the policy and set your naming policy accordingly.
  2. After getting a computer up and running, the computer name can be verified.


If you have missed this point on a bunch of devices and feel the need to change existing computer names, you should take a look at my earlier blog post regarding renaming existing enrolled endpoints: Simon does...: Rename computers with countrycode in Intune (skotheimsvik.blogspot.com)

The AutoPilot process used to onboard new devices will be branded by the settings already made at the tenant level. The logos and texts provided back then leave their mark on the process of onboarding endpoints through AutoPilot. 

This branding will verify that you are on the right track immediately after unboxing and booting a new device.

Branding Autopilot Enrollment notifications

You can also brand the new Enrollment Notifications, which are currently in preview. These send email and push notifications to users upon enrollment of devices with their accounts. 

This configuration is found in https://endpoint.microsoft.com - Devices - Windows - Windows enrollment - Enrollment notifications. Create a new notification setting and configure for your liking:



When a device is onboarded, an enrollment notification is sent to the end user.

Deliver branded organizational messages to Windows 11

The new organizational messages feature announced by Microsoft at Ignite 2022 is designed to better involve, connect and engage users. This will make it easy to send taskbar messages, taskbar area notifications and "get started" app messages to the end users regardless of location.

Here is an example of how you can add your branding to these messages.


A public preview of this functionality will be available starting in November 2022. Read more information about this feature here: Deliver organizational messages with Windows 11 and Microsoft Intune - Microsoft Community Hub

Personal Portraits

I made a blog post in 2017 addressing the importance of corporate headshots in building the virtual personal brand for the employees and the company. Each user account in Microsoft 365 can be enriched with a portrait of the employee, which will be visible throughout the Office applications. My previous blog post from 2017 used a PowerShell routine to upload the images to Azure AD. Today I often use CodeTwo User Photos for Office 365, which is a free desktop app that lets me quickly upload multiple users' photos to the Microsoft 365 tenant and easily map them to the correct user account.

The portraits applied to the user accounts will eventually also be distributed to the Azure AD joined Windows endpoints and become part of the total branding at the endpoint.

Branding the wallpaper, lock screen and color scheme

The most visible branding on the Windows desktop is the wallpaper and the lock screen images. Both of these can easily be configured in Microsoft Endpoint Manager for Enterprise editions of Microsoft Windows. In this case you can create an Azure Storage Account holding the pictures for you and refer to these in the device configuration profile:

If you don't have Microsoft Windows Enterprise, you need to use PowerShell scripts in Microsoft Endpoint Manager to set the wallpaper and lock screen image. There are several routines available for solving this, but I prefer a routine based on the ideas from Oliver Kieselbach. His blogpost describes a nice routine for calculating the aspect ratio of the monitor used to download a customized wallpaper image for the detected resolution. This script can download the image from the same Azure Storage Account used in the device configuration profile. A pretty good routine which can be found here: Set preference for a suitable wallpaper with Intune – Modern IT – Cloud – Workplace (oliverkieselbach.com)

If I need to set the lock screen image by PowerShell on devices, I often tend to customize the following script: How to set Custom backgrounds for Desktop and Lockscreen in Windows 10 Creators Update v1703 and later with PowerShell – ABC.Deploy (wordpress.com)

The result should be a branded lock screen and desktop on your managed devices.
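As an added example (editor's code, not the post's own script and not the routines by Oliver Kieselbach or ABC.Deploy that it links to), here is a compact Intune PowerShell script for non-Enterprise editions that picks a wallpaper variant by the primary display's aspect ratio, verifies each downloaded image against a known SHA-256 hash before using it, and then writes the PersonalizationCSP registry values. It assumes the script runs as 64-bit SYSTEM; the storage URL, file names and hashes are placeholders.

```powershell
# Added example: wallpaper and lock screen for Windows Pro via Intune PowerShell script.
# Assumptions: runs as SYSTEM (64-bit); images are published on an Azure Storage Account
# (URL below is a placeholder) and their SHA-256 hashes were recorded at packaging time.
$ErrorActionPreference = 'Stop'
$baseUrl  = 'https://contosobranding.blob.core.windows.net/images'   # placeholder
$localDir = 'C:\ProgramData\CompanyBranding'
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP'
# Expected hashes, produced with Get-FileHash before upload (placeholders)
$expected = @{
    'wallpaper-16x9.jpg'  = 'PLACEHOLDER_SHA256'
    'wallpaper-16x10.jpg' = 'PLACEHOLDER_SHA256'
    'wallpaper-3x2.jpg'   = 'PLACEHOLDER_SHA256'
    'lockscreen.jpg'      = 'PLACEHOLDER_SHA256'
}

function Get-AspectRatioName {
    # Choose the wallpaper variant matching the primary display (the idea behind
    # Oliver Kieselbach's routine); falls back to 16:9 when no resolution is reported.
    $gpu = Get-CimInstance -ClassName Win32_VideoController |
        Where-Object { $_.CurrentHorizontalResolution -and $_.CurrentVerticalResolution } |
        Select-Object -First 1
    if (-not $gpu) { return '16x9' }
    $ratio = [math]::Round($gpu.CurrentHorizontalResolution / $gpu.CurrentVerticalResolution, 2)
    switch ($ratio) {
        { $_ -ge 1.75 } { return '16x9' }    # 1.78 and wider (ultrawides fall back here too)
        { $_ -ge 1.58 } { return '16x10' }   # 1.60
        default         { return '3x2' }     # 1.50, e.g. Surface devices
    }
}

function Get-VerifiedImage {
    param([string]$Name)
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null
    $dest = Join-Path -Path $localDir -ChildPath $Name
    Invoke-WebRequest -Uri "$baseUrl/$Name" -OutFile $dest -UseBasicParsing
    # Refuse to apply anything that does not match the hash recorded at packaging time,
    # so a modified or replaced blob cannot silently change what every user sees.
    $hash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($hash -ne $expected[$Name]) {
        Remove-Item -Path $dest -Force
        throw "Hash mismatch for $Name; refusing to apply an unverified image"
    }
    return $dest
}

function Set-PersonalizationImage {
    param([string]$Kind, [string]$Path)   # Kind is 'DesktopImage' or 'LockScreenImage'
    if (-not (Test-Path -Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name "${Kind}Path"   -Value $Path -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $regPath -Name "${Kind}Url"    -Value $Path -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $regPath -Name "${Kind}Status" -Value 1     -PropertyType DWord  -Force | Out-Null
}

$wallpaper  = Get-VerifiedImage -Name ('wallpaper-{0}.jpg' -f (Get-AspectRatioName))
$lockscreen = Get-VerifiedImage -Name 'lockscreen.jpg'
Set-PersonalizationImage -Kind 'DesktopImage'    -Path $wallpaper
Set-PersonalizationImage -Kind 'LockScreenImage' -Path $lockscreen
```

The new images are picked up at the next sign-in; the hash table has to be updated together with the blobs whenever the artwork changes.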

Branding Windows OEM info

It is possible to add your branding as support information in Windows. This information is available under Settings - System - About - Support, and it looks like this when implemented:


The implementation is done by use of a PowerShell script assigned to Windows devices in Microsoft Endpoint Manager.
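An added example of such a script (editor's code, not the post's own): it downloads the support logo, checks that the file really is a BMP before pointing the registry at it, and writes the OEMInformation values that feed the Support section. The company name reuses the "Cloud Limits" example from later in the post; the logo URL, phone number and helpdesk URL are placeholders, and the script assumes it runs as SYSTEM from Intune.

```powershell
# Added example: OEM support information for Settings > System > About via Intune script.
# Assumptions: runs as SYSTEM; the logo URL and contact details below are placeholders.
# Windows expects the logo as a BMP (120x120 pixels is the commonly recommended size).
$ErrorActionPreference = 'Stop'
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation'
$logoUrl = 'https://contosobranding.blob.core.windows.net/images/oemlogo.bmp'   # placeholder
$logoDir = 'C:\ProgramData\CompanyBranding'
$logo    = Join-Path -Path $logoDir -ChildPath 'oemlogo.bmp'

New-Item -ItemType Directory -Path $logoDir -Force | Out-Null
Invoke-WebRequest -Uri $logoUrl -OutFile $logo -UseBasicParsing

# A BMP file starts with the ASCII bytes "BM"; refuse anything else rather than
# point the registry at a file the Settings app cannot render.
$magic = [System.IO.File]::ReadAllBytes($logo)[0..1]
if (-not ($magic[0] -eq 0x42 -and $magic[1] -eq 0x4D)) {
    Remove-Item -Path $logo -Force
    throw "$logo is not a BMP file"
}

$values = @{
    Manufacturer = 'Cloud Limits'                  # shown as the device vendor
    Model        = 'Managed by Cloud Limits IT'
    SupportPhone = '+00 000 00 000'                # placeholder
    SupportHours = 'Mon-Fri 08:00-16:00'
    SupportURL   = 'https://helpdesk.example.com'  # placeholder
    Logo         = $logo
}
if (-not (Test-Path -Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $regPath -Name $name -Value $values[$name] -PropertyType String -Force | Out-Null
}
```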

Branding Microsoft Defender

Using a Device Configuration Profile, we can define contact information to be displayed in the Microsoft Defender app and its notifications. With an Endpoint protection profile type, this is done in the following location:

This will look like this inside Microsoft Defender on Windows.

Branding Microsoft Edge

Microsoft Edge can be branded in several ways from Microsoft Endpoint Manager by using a device configuration profile and settings from the settings catalogue. 

Setting a company wide branded startup, home page and new tab page is a great way to start branding the Edge browser.

Adding managed favorites and forcing sign-in and synchronization of the user in the browser is also a nice addition to get the company brand into the browser:

The managed favorites can be organized with subfolders. The same format can also be used for Google Chrome in Microsoft Endpoint Manager. 

When applied, this will give a uniform shortcut folder in Edge for all users and you can set a fixed starting page for the browser.
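As an added example (editor's code, not from the post), here is the managed favorites structure built and validated in PowerShell so the resulting JSON can be pasted into the Edge (or Chrome) favorites setting: the first element names the top-level folder, and a sub-folder is an object with a children array. The site URLs are placeholders, and the https check is my own addition.

```powershell
# Added example: build the managed favorites JSON for the Edge/Chrome policy setting.
# Assumption: the setting takes a JSON array where the first element carries
# toplevel_name, links carry name/url, and sub-folders carry name/children.
$favorites = @(
    @{ toplevel_name = 'Cloud Limits' }
    @{ name = 'Intranet (Viva Connections)'; url = 'https://contoso.sharepoint.com/sites/home' }  # placeholder
    @{ name = 'Helpdesk'; url = 'https://helpdesk.example.com' }                                  # placeholder
    @{
        name     = 'Tools'
        children = @(
            @{ name = 'Microsoft 365 portal'; url = 'https://www.office.com' }
            @{ name = 'Password reset';       url = 'https://passwordreset.microsoftonline.com' }
        )
    }
)

function Test-ManagedFavorites {
    # Walk the tree recursively and reject any link that is not https, so a typo
    # does not push an unexpected scheme or site to every browser in the company.
    param([array]$Tree)
    foreach ($entry in $Tree) {
        if ($entry.ContainsKey('toplevel_name')) { continue }
        if ($entry.ContainsKey('children')) { Test-ManagedFavorites -Tree $entry.children; continue }
        if ($entry.url -notmatch '^https://') { throw "Refusing non-https favorite: $($entry.name)" }
    }
}

function ConvertTo-ManagedFavoritesJson {
    param([array]$Tree)
    Test-ManagedFavorites -Tree $Tree
    # -Compress yields the single line the settings catalog text box expects
    return (ConvertTo-Json -InputObject $Tree -Depth 5 -Compress)
}

ConvertTo-ManagedFavoritesJson -Tree $favorites
```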

The same settings can be implemented for Microsoft Edge on mobile devices.

Branding Microsoft Outlook

Back in 2016 I made a (Norwegian) blog post on the importance of branding all emails sent from mailboxes belonging to the company by using a standardized set of auto-signatures in Microsoft Outlook. At that point in time I had a script for assigning a standardized set of signatures to the users' Outlook. The script reused information registered on the user accounts in Active Directory.

Even though most e-mail communication has been replaced by Microsoft Teams communication today, the importance of having a branded signature in Microsoft Outlook has not gone away. We still need it to ensure that recipients of emails from our company get the desired perception of the company's brand, and that they have enough information to get in touch with the company. You know the feeling of searching your mailbox for the phone number of a person you have been in contact with earlier?

Today this is often solved by third parties which can integrate with Azure Active Directory for getting user details and Microsoft Endpoint Manager for distributing the signatures to the devices. There are several providers of this functionality in the market like Letsignit and CodeTwo. These tools can also be used for marketing campaigns which in turn gives even more branding to the e-mails sent by the company's employees. 

Here are two examples of e-mail signatures branded by Letsignit, where all information about the user is fetched from Azure Active Directory. One of the signatures also has a marketing campaign inserted.

Branding Microsoft Word, Microsoft Excel and Microsoft PowerPoint

In Microsoft Word, Excel and PowerPoint we can use SharePoint technology to make company branded templates available for managed devices. This is done by creating a document library in SharePoint as an organization assets library. Create an asset for Office templates and add the company's branded office templates. When a user creates a new document in Microsoft Word or Microsoft PowerPoint, they can select the tab for the organization to see the available templates. This is also available in the online Office app versions.

Get instructions on creating and specifying a SharePoint library as an organization assets library on the following URL: https://aka.ms/orgassets

Branding Teams background filter

Microsoft Teams has a nice function for background filters allowing meeting participants to blur or hide the background when attending online meetings. The feature first came as a background blur functionality which I covered in this YouTube clip from 2019.

There are several alternative backgrounds available out of the box, and it is even possible to add your own backgrounds. I often see people create a folder in SharePoint with the company's branded Teams backgrounds, with corresponding long descriptions on how to download and add these to Teams.

The pictures you add as background filters in Teams, will be saved in the folder named %APPDATA%\Microsoft\Teams\Backgrounds\Uploads\ on your computer. We could easily create a routine in Microsoft Endpoint Manager for downloading the company's branded images to this folder. One example is the routine described by Ben Whitmore a couple of years ago. This would give the background filters for every Windows computer. The flip side of this is that it will only work on Windows devices - AND the images will be placed below the standard images. Out of sight, out of mind.

I have found it better to use the routine inside the Teams Admin Center for adding company branded Teams background filters. It is kind of hidden, but easy to use once you find it. This makes the images appear at the top of the list. Please be aware that this feature will in the future be limited to users with the Teams Advanced Communications license.

Navigate to https://admin.teams.microsoft.com - Meetings - Meeting policies - Customize meeting images.

Turn on the feature for custom backgrounds and upload your images:

Branding Viva Connections

Viva Connections is popular as a dynamic intranet in SharePoint, bringing together relevant news, conversations and resources in one place for the organization. The design and content in Viva Connections is often well integrated with the company's brand through the setup process of the home site.

Branding the Viva Connection icon in Teams

Once the Viva Connections home site is designed, it can be added as an app in the Teams Admin Center. By customizing this app, you can add a branded icon which will serve as a branded anchor for the company in the Teams menu on the left-hand side. You can reuse the square icon added in the Azure branding earlier in this document. You can follow this routine from Microsoft to add the Viva Connections app in the Teams admin center and customize the icon.


When the app has been branded with the icon, you can pin it for all users by using a setup policy in the Microsoft Teams Admin Center, where you add the Viva Connections app and move it to the desired location in the Teams app bar.

By adding this as the first icon, you will have the company's brand at the top of Microsoft Teams app bar with a handy quick access to the Viva Connections home site with targeted information for each employee in the company.

Branding the Teams Store

You can add your brand logo, background image and text color to the Teams apps store. This is done under Teams Admin Center - Teams Apps - Customize store:

Branding Surface Hubs

In the same way as on the Windows devices, we can define a wallpaper to be used on the Surface Hub devices. This is done with a device configuration profile based on the Device restrictions (Windows 10 Team) profile type. Under Apps and experience you will find the setting for adding a URL to a background image, and this can be the same image as you used on your Windows devices previously.

Branding macOS endpoints

macOS devices onboarded as Corporate can also be branded from Microsoft Endpoint Manager. The wallpaper is set in a device configuration profile to a local picture, not a URL as we did for Microsoft Windows endpoints. This means I have to do this in two steps, with a separate process for downloading the picture.

I use a shell script provided by Neil Johnson to download the image from the same URL as used on windows devices earlier. This script is available from Github: shell-intune-samples/downloadWallpaper.sh at master · microsoft/shell-intune-samples (github.com)

The script will be assigned through a Shell Script policy in Microsoft Endpoint Manager.

With the local wallpaper picture distributed to the macOS, I can use a Device Configuration Policy for macOS where the local picture path is specified under User Experience. I am also specifying a branded login window text in this policy which will be displayed on the login window for the devices:

Branding iOS supervised devices

We can add device configuration profiles for supervised iOS devices where we can control pretty much everything on the device, including some branding, by using a Device Features profile type.

Under the Lock Screen Message we can provide a message to be displayed on the locked screen of the device. This could be a message like "This device belongs to Cloud Limits, please return if found".

We can also provide a branded wallpaper for the device by uploading an image to be configured for the lock screen and the home screen.

Branding Android Corporate Owned devices

In the same way as for the iOS supervised devices, we can add branding to Android corporate-owned devices. This gives a branded look and feel on the device.

Branding the general user interface

When creating a new tenant, the first information you need to provide is the name and other vital data of the company. You can later view and modify this data under the Organization Information found in https://admin.microsoft.com - Settings - Org settings - Organization Profile.

This name will actively be used by the system, for instance in messages related to updates and patch management on the devices.


Branding Windows 11 Search

The brandings performed thus far will also brand the Windows 11 Search interface. You will find naming, logos and contents from your company when clicking on the magnifier icon on the taskbar.

If you click on a colleague from the Search field, you will have more information available on that specific person as found in the system. This helps you bond with your colleagues, and it shows the importance of keeping the catalog current. Here you will also find a shortcut to the floor plan as described in one of my previous blog posts.



Branding Windows 11 Custom theme and Start menu

If your company has a strong branding profile, you might be interested in assigning a custom desktop theme pack to your Windows 11 computers reflecting your brand. I have put together a simple routine for distributing a deskthemepack with Microsoft Endpoint Manager. This was presented in a separate blogpost earlier this year: Simon does...: Windows 11 - Custom theme with MEM (skotheimsvik.blogspot.com)

You can also take a look at customizing the start menu. This will give you a chance of putting your company's most beloved applications at the center of the managed Windows devices. This was covered in this blogpost released earlier this year: Simon does...: Windows 11 - Customize the Start menu layout (skotheimsvik.blogspot.com)

Branding Third Party Integrations

If you depend on third-party tools, it is worth investigating how these tools can adapt to your company. 

The most obvious thing would be an integrated identity to ensure unified single-sign-on based on Azure AD identities. This will directly benefit from the security mechanisms and graphical customization implemented in Azure AD earlier in this blog post.

It is also smart to check out the options available for graphic adjustments in the application itself. As an example, I will use Scappman where I can brand the popup message appearing on the user's endpoints.

This seems like a small detail, but it will be one of many parts forming the total experience of working in the company. It also helps provide a safe experience for the users working for the company. 

A love for the brand for the distributed workforce

Hopefully these steps will help you utilize the technology found in Microsoft 365 and Microsoft Endpoint Manager to spread the love for your brand to your distributed workforce. 

You should top it all by sending out swag packs full of physical goodies of great quality related to the work being performed.

This has been a long blog post. You might have other ideas for implementing the brand - please share them in a comment.

Let's use technology to build belonging, connection, pride and a love for the company brand despite scattered workplaces! 

Let me know if you want me to do a session on this topic for the stakeholders in your organization.


