Microsoft 365 suite theme
Controls the suite header experience, default and group themes, logos, destination link, navigation color, text/icon color, and accent color.
Microsoft 365 identity and experience governance
Govern the organization theme, Microsoft Entra sign-in branding, app-specific branding themes, public support text, billing and company profile data, brand assets, approvals, testing, and evidence as separate but coordinated control planes.
Governance objective
“Tenant branding” is not one setting. Microsoft 365 suite themes, Microsoft Entra company branding, application-specific branding themes, billing-account details, support contacts, and public legal references live in different administrative experiences and require different roles. A single screenshot cannot prove the entire tenant identity is correct.
Controls the suite header experience, default and group themes, logos, destination link, navigation color, text/icon color, and accent color.
Controls tenant-wide authentication presentation: favicon, background, layout, header/footer, logos, sign-in text, language variants, and SSPR text.
Can apply a specific authentication experience to selected applications while inheriting unspecified properties from tenant default branding.
Includes billing-account name, sold-to address, registration details, communication preferences, phone, email, and technical-contact dependencies.
Includes help-desk wording, password-reset guidance, privacy and terms references, escalation ownership, and content deliberately safe for public display.
Includes source assets, owners, approvals, role use, test results, localization, rollback files, review dates, and superseded-version disposition.
Authority and ownership
| Control plane | Configuration owner | Role and access review | Required evidence |
|---|---|---|---|
| Microsoft 365 suite theme | Microsoft 365 platform owner with brand approval | Microsoft documents Global Administrator for theme customization; treat use of this high privilege as a controlled change and retain who performed it. | Default/group theme inventory, group assignments, source assets, colors, contrast results, logo URL, on-click target, screenshots, and rollback values. |
| Entra default company branding | Identity platform owner with brand, privacy, and support review | Organizational Branding Administrator is the documented minimum role. Review license prerequisites and avoid standing Global Administrator use. | Default branding export/screenshots, asset specifications, public text, language variants, URLs, preview results, change record, and post-change authentication tests. |
| Entra application branding themes | Application and identity owners | Microsoft documents Organizational Branding Administrator and Application Administrator for theme creation and application targeting. | Theme/application mapping, inheritance decision, language variants, asset set, text overrides, approval, test account, and fallback validation. |
| Billing and organization details | Finance/billing owner with business approval | Billing account owner or contributor is required for the Microsoft 365 billing-account changes documented by Microsoft. | Billing-account identifier, approved legal/DBA data, sold-to address, registration details, contact owner, validation screenshot, and review date. |
| Public support and legal references | Help desk, privacy/legal, security, and application owner | Publishing access must be limited to the relevant branding role; content approval is separate from technical access. | Approved wording, monitored contact path, privacy/terms owner, link tests, non-sensitive-data review, localization, and incident escalation. |
Microsoft 365 suite theme
Microsoft currently supports one default theme and up to four additional group themes. A group theme can be assigned to up to five Microsoft 365 groups. Security groups and distribution groups are not supported for this assignment, and a user in multiple group themes receives the default theme. These constraints belong in design and test evidence.
Record the default theme, every group theme, target Microsoft 365 groups, group owners, overlap behavior, user-override setting, display-name setting, and business purpose.
Use an approved HTTPS location that permits anonymous image access when a logo URL is used. Record ownership, certificate/hosting dependency, lifecycle, and the logo click destination.
Maintain the default logo and a dark-theme alternative. Microsoft scales JPG/PNG/GIF assets to fit 200 × 48 pixels and SVG assets to 24 pixels high; narrower assets reduce responsive hiding.
Test navigation background against text and icon color, and test the accent color on light content. Use 4.5:1 as the practical minimum for normal text and essential controls.
Check common browser widths, zoom levels, dark mode, high contrast, Microsoft 365 home, Outlook, and other suite surfaces. Do not assume the logo is always visible.
Save previous logos, URLs, colors, target groups, and screenshots. Theme deletion dependencies matter: Microsoft requires additional themes to be removed before the default theme can be deleted.
Microsoft Entra company branding
Image dimensions and file limits are implementation controls, not design suggestions. Store an approved master, the exact uploaded derivative, ownership, accessibility review, and a replacement/rollback version. Confirm current requirements in the Entra admin center before each production change.
User-experience validation
For common Microsoft and multitenant applications, tenant branding may appear only after the user enters an email address and Microsoft determines the tenant. Capture both stages.
Test tenant-specific URLs and domain hints used by approved applications. Confirm the expected experience before and after identity discovery.
Tenant branding does not carry to personal Microsoft accounts, and B2B cross-tenant scenarios can show the user’s home-tenant branding. Include guest test cases.
Language-specific branding overrides the default experience. Verify every configured language, fallback behavior, right-to-left layouts, text meaning, privacy references, and support routing.
Test desktop apps, mobile apps, joined-device flows, password reset, and narrow screens. Links, custom text, cropping, and theme behavior can differ from a browser preview.
Validate keyboard focus, contrast, zoom, high-contrast mode, readable fallbacks, background color when images fail, and understandable instructions without color or imagery.
Controlled implementation
Inventory suite themes, Entra default branding, app themes, languages, profile data, public wording, support references, source assets, and owners.
Define intended audiences, asset variants, inheritance, application scope, language needs, contrast, crop-safe areas, fallback behavior, and measurable acceptance criteria.
Obtain brand, business, IT, security, accessibility, support, and privacy/legal approval as applicable. Confirm that every public statement is safe and current.
Create exact production files, verify dimensions and size, preserve prior values, record roles, plan communication, and select test users, groups, applications, and languages.
Use controlled privileged access, change one bounded configuration set, record the portal and values, and avoid unrelated tenant changes in the same window.
Test browsers, apps, mobile, guests, languages, dark/high-contrast themes, support wording, privacy references, logo destinations, group targeting, and propagation.
Attach screenshots and results, remove temporary privilege, update the asset register, communicate the supported experience, retain rollback files, and assign the next review date.
Company profile and support readiness
Common failure modes
Users are told that a logo proves legitimacy, making a convincing phishing page more persuasive. Training must emphasize domain and request verification.
Retired email addresses, phone numbers, or URLs delay password-reset help and incident reporting at the moment users need support.
Security groups are selected in the design, or a user belongs to multiple theme assignments and unexpectedly receives the default theme.
An external party owns the anonymous HTTPS location, certificate, DNS, or file lifecycle, creating breakage or content-substitution risk.
The background focal point, logo, text, or footer looks correct in one browser but is cropped, hidden, or non-clickable in mobile/native experiences.
Default wording is updated while browser-language variants retain obsolete support, privacy, or security instructions.
Sign-in content exposes internal-only URLs, staff names, troubleshooting steps, or contact details that should not be visible to anonymous visitors.
A future design assumes Entra custom CSS is universally available even though tenants created after January 5, 2026 do not receive that capability.
Teams cannot prove who approved the change, what users saw, which assets were used, or how to restore the last known-good experience.
Audit-ready evidence
Related ecosystem guides
FAQ
No. Branding can improve familiarity, but attackers can copy visual elements. Users should verify the domain, browser context, requested action, MFA prompt, and approved reporting path.
The Microsoft 365 theme changes the suite header experience, including logos and colors. Entra company branding changes authentication-related presentation such as sign-in layout, background, logos, public text, and language variants. They are separate configurations.
Microsoft documents one default Microsoft 365 theme plus up to four group themes. It also documents up to five Entra branding themes per tenant for application-specific sign-in experiences. Confirm current licensing and portal behavior before implementation.
IT controls configuration, while the business/brand owner approves identity, privacy/legal approves public references where needed, accessibility reviews contrast and usability, help desk approves support routes, and security reviews user guidance and privilege use.
Test first/second sign-in steps, common browsers, narrow/mobile views, native apps, dark and high-contrast themes, guest/personal-account scenarios, language variants, password-reset paths, public links/text, group or application targeting, support contacts, and rollback readiness.
No. Microsoft states that tenants created after January 5, 2026 do not have custom CSS for company branding. Older tenants may retain the capability, but designs should not assume it exists without tenant-specific verification.
IT Perfection helps Orange County and Southern California organizations document Microsoft 365 branding, prepare accessible assets, control privileged changes, validate user experiences, and retain operational evidence.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review. Microsoft licensing, roles, limits, portal locations, and features change; validate current Microsoft documentation and tenant behavior before implementation.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.