Microsoft 365 identity and experience governance

Microsoft 365 Tenant Branding and Company Profile Governance Guide

Govern the organization theme, Microsoft Entra sign-in branding, app-specific branding themes, public support text, billing and company profile data, brand assets, approvals, testing, and evidence as separate but coordinated control planes.

Suite themeEntra sign-inCompany profileAccessible assetsChange evidence
Cross-functional Microsoft 365 tenant branding governance and sign-in experience design review
Brand, IT, support, privacy, and security owners should approve one controlled asset set and validate every user-facing context.

Governance objective

Separate the control planes before assigning ownership

“Tenant branding” is not one setting. Microsoft 365 suite themes, Microsoft Entra company branding, application-specific branding themes, billing-account details, support contacts, and public legal references live in different administrative experiences and require different roles. A single screenshot cannot prove the entire tenant identity is correct.

Microsoft 365 suite theme

Controls the suite header experience, default and group themes, logos, destination link, navigation color, text/icon color, and accent color.

Microsoft Entra company branding

Controls tenant-wide authentication presentation: favicon, background, layout, header/footer, logos, sign-in text, language variants, and SSPR text.

Application branding themes

Can apply a specific authentication experience to selected applications while inheriting unspecified properties from tenant default branding.

Organization and billing profile

Includes billing-account name, sold-to address, registration details, communication preferences, phone, email, and technical-contact dependencies.

Support and public content

Includes help-desk wording, password-reset guidance, privacy and terms references, escalation ownership, and content deliberately safe for public display.

Evidence and lifecycle

Includes source assets, owners, approvals, role use, test results, localization, rollback files, review dates, and superseded-version disposition.

Security boundary: consistent branding can improve recognition and user confidence, but it does not authenticate a page and does not prevent phishing. Train users to verify the domain, browser context, request, MFA prompt, and reporting path—not merely colors or logos.

Authority and ownership

Map each setting to its owner, role, and evidence

Control planeConfiguration ownerRole and access reviewRequired evidence
Microsoft 365 suite themeMicrosoft 365 platform owner with brand approvalMicrosoft documents Global Administrator for theme customization; treat use of this high privilege as a controlled change and retain who performed it.Default/group theme inventory, group assignments, source assets, colors, contrast results, logo URL, on-click target, screenshots, and rollback values.
Entra default company brandingIdentity platform owner with brand, privacy, and support reviewOrganizational Branding Administrator is the documented minimum role. Review license prerequisites and avoid standing Global Administrator use.Default branding export/screenshots, asset specifications, public text, language variants, URLs, preview results, change record, and post-change authentication tests.
Entra application branding themesApplication and identity ownersMicrosoft documents Organizational Branding Administrator and Application Administrator for theme creation and application targeting.Theme/application mapping, inheritance decision, language variants, asset set, text overrides, approval, test account, and fallback validation.
Billing and organization detailsFinance/billing owner with business approvalBilling account owner or contributor is required for the Microsoft 365 billing-account changes documented by Microsoft.Billing-account identifier, approved legal/DBA data, sold-to address, registration details, contact owner, validation screenshot, and review date.
Public support and legal referencesHelp desk, privacy/legal, security, and application ownerPublishing access must be limited to the relevant branding role; content approval is separate from technical access.Approved wording, monitored contact path, privacy/terms owner, link tests, non-sensitive-data review, localization, and incident escalation.
Least-privilege rule: privilege required by one Microsoft portal must not become permanent ownership of the brand. Use a documented request, time-bound elevation where available, independent review, and evidence of the saved result.

Microsoft 365 suite theme

Govern default and group themes as production configuration

Microsoft currently supports one default theme and up to four additional group themes. A group theme can be assigned to up to five Microsoft 365 groups. Security groups and distribution groups are not supported for this assignment, and a user in multiple group themes receives the default theme. These constraints belong in design and test evidence.

1

Inventory theme scope

Record the default theme, every group theme, target Microsoft 365 groups, group owners, overlap behavior, user-override setting, display-name setting, and business purpose.

2

Control logo hosting

Use an approved HTTPS location that permits anonymous image access when a logo URL is used. Record ownership, certificate/hosting dependency, lifecycle, and the logo click destination.

3

Prepare light and dark assets

Maintain the default logo and a dark-theme alternative. Microsoft scales JPG/PNG/GIF assets to fit 200 × 48 pixels and SVG assets to 24 pixels high; narrower assets reduce responsive hiding.

4

Validate contrast

Test navigation background against text and icon color, and test the accent color on light content. Use 4.5:1 as the practical minimum for normal text and essential controls.

5

Test responsive behavior

Check common browser widths, zoom levels, dark mode, high contrast, Microsoft 365 home, Outlook, and other suite surfaces. Do not assume the logo is always visible.

6

Retain rollback values

Save previous logos, URLs, colors, target groups, and screenshots. Theme deletion dependencies matter: Microsoft requires additional themes to be removed before the default theme can be deleted.

Microsoft Entra company branding

Build an asset register from Microsoft’s current requirements

Image dimensions and file limits are implementation controls, not design suggestions. Store an approved master, the exact uploaded derivative, ownership, accessibility review, and a replacement/rollback version. Confirm current requirements in the Entra admin center before each production change.

Core asset specifications

Favicon32 × 32 px; PNG or JPG; maximum 5 KB.
Background1920 × 1080 px; PNG or JPG; maximum 300 KB; expect scaling and cropping.
Header logo245 × 36 px; PNG or JPG; maximum 10 KB; header must be enabled.
Banner logo245 × 36 px; PNG or JPG; maximum 50 KB.
Square logos240 × 240 px; separate light/dark versions when needed; maximum 50 KB each.

Layout, text, and platform constraints

  • Choose full-screen or partial-screen layout deliberately; the sign-in pane can obscure important background subjects.
  • Sign-in page text is public, supports up to 1,024 Unicode characters, and must not expose sensitive contacts, internal URLs, or troubleshooting details.
  • Hyperlinks or external URLs may render as non-clickable text in native desktop and mobile experiences; write instructions that remain usable without a clickable link.
  • The default Microsoft Terms of Use footer is not Conditional Access Terms of Use acceptance evidence.
  • Tenants created after January 5, 2026 do not have custom CSS for company branding; older tenants may retain it. Do not build a new design dependency on unavailable CSS.
  • All properties are optional, and unspecified values inherit/fall back. Document intentional defaults so omissions are not mistaken for defects.

User-experience validation

Test where branding appears—and where it does not

First and second sign-in steps

For common Microsoft and multitenant applications, tenant branding may appear only after the user enters an email address and Microsoft determines the tenant. Capture both stages.

Home Realm Discovery

Test tenant-specific URLs and domain hints used by approved applications. Confirm the expected experience before and after identity discovery.

Guests and personal accounts

Tenant branding does not carry to personal Microsoft accounts, and B2B cross-tenant scenarios can show the user’s home-tenant branding. Include guest test cases.

Browser languages

Language-specific branding overrides the default experience. Verify every configured language, fallback behavior, right-to-left layouts, text meaning, privacy references, and support routing.

Native and mobile clients

Test desktop apps, mobile apps, joined-device flows, password reset, and narrow screens. Links, custom text, cropping, and theme behavior can differ from a browser preview.

Accessibility and failure mode

Validate keyboard focus, contrast, zoom, high-contrast mode, readable fallbacks, background color when images fail, and understandable instructions without color or imagery.

Controlled implementation

Use a seven-stage branding change runbook

1

Discover

Inventory suite themes, Entra default branding, app themes, languages, profile data, public wording, support references, source assets, and owners.

2

Design

Define intended audiences, asset variants, inheritance, application scope, language needs, contrast, crop-safe areas, fallback behavior, and measurable acceptance criteria.

3

Approve

Obtain brand, business, IT, security, accessibility, support, and privacy/legal approval as applicable. Confirm that every public statement is safe and current.

4

Prepare

Create exact production files, verify dimensions and size, preserve prior values, record roles, plan communication, and select test users, groups, applications, and languages.

5

Implement

Use controlled privileged access, change one bounded configuration set, record the portal and values, and avoid unrelated tenant changes in the same window.

6

Validate

Test browsers, apps, mobile, guests, languages, dark/high-contrast themes, support wording, privacy references, logo destinations, group targeting, and propagation.

7

Close and review

Attach screenshots and results, remove temporary privilege, update the asset register, communicate the supported experience, retain rollback files, and assign the next review date.

Rollback trigger: revert or remove custom values when users cannot complete sign-in, support/legal text is wrong, contrast becomes unreadable, a logo target is unsafe, group targeting is incorrect, or a language variant materially changes meaning.

Company profile and support readiness

Keep business identity and operational contacts synchronized

Organization and billing record

  • Billing account and tenant identifiers
  • Legal name and approved doing-business-as name
  • Sold-to address, country/region limitations, and registration number
  • Business email and phone used for Microsoft correspondence
  • Invoice and subscription address dependencies
  • Named business and finance owner with last-review date

Support and technical-contact record

  • Monitored help-desk mailbox and support portal
  • Published phone and operating hours
  • After-hours, identity incident, and vendor escalation paths
  • Technical contact and Microsoft communication preferences
  • Ownership for privacy, terms, SSPR, and sign-in wording
  • Test ticket/call result and continuity coverage
Change dependency: an office move, merger, rebrand, legal-name change, help-desk replacement, domain migration, or privacy-policy update can affect several portals. Use a dependency checklist; changing one profile field does not update every Microsoft 365 or Entra surface.

Common failure modes

Find trust, support, and lifecycle gaps before users do

Branding treated as authentication

Users are told that a logo proves legitimacy, making a convincing phishing page more persuasive. Training must emphasize domain and request verification.

Stale public contact

Retired email addresses, phone numbers, or URLs delay password-reset help and incident reporting at the moment users need support.

Wrong group-theme assumption

Security groups are selected in the design, or a user belongs to multiple theme assignments and unexpectedly receives the default theme.

Uncontrolled public logo host

An external party owns the anonymous HTTPS location, certificate, DNS, or file lifecycle, creating breakage or content-substitution risk.

Desktop-only approval

The background focal point, logo, text, or footer looks correct in one browser but is cropped, hidden, or non-clickable in mobile/native experiences.

Language drift

Default wording is updated while browser-language variants retain obsolete support, privacy, or security instructions.

Unsafe public text

Sign-in content exposes internal-only URLs, staff names, troubleshooting steps, or contact details that should not be visible to anonymous visitors.

Custom CSS dependency

A future design assumes Entra custom CSS is universally available even though tenants created after January 5, 2026 do not receive that capability.

No evidence or rollback

Teams cannot prove who approved the change, what users saw, which assets were used, or how to restore the last known-good experience.

Audit-ready evidence

Retain a compact, reproducible branding package

Configuration

  • Tenant and billing-account identifiers
  • Theme/application/group/language inventory
  • Exact saved values and inheritance decisions
  • Roles used and privilege removal

Assets and content

  • Approved master and uploaded derivatives
  • Dimensions, size, hash/version, and owner
  • Colors and contrast measurements
  • Public text and privacy/support approvals

Validation

  • Before/after screenshots
  • Browser, mobile, native, guest, language results
  • Links, phone, mailbox, and escalation tests
  • Exceptions, residual risk, and next review
Evidence quality: screenshots show appearance, not complete configuration. Pair them with the saved setting values, scope mappings, source assets, approval, test method, date, and named owner.

FAQ

Microsoft 365 tenant branding governance FAQ

Does custom branding prove a Microsoft sign-in page is legitimate?

No. Branding can improve familiarity, but attackers can copy visual elements. Users should verify the domain, browser context, requested action, MFA prompt, and approved reporting path.

What is the difference between a Microsoft 365 theme and Entra company branding?

The Microsoft 365 theme changes the suite header experience, including logos and colors. Entra company branding changes authentication-related presentation such as sign-in layout, background, logos, public text, and language variants. They are separate configurations.

How many Microsoft 365 themes and Entra app branding themes can a tenant use?

Microsoft documents one default Microsoft 365 theme plus up to four group themes. It also documents up to five Entra branding themes per tenant for application-specific sign-in experiences. Confirm current licensing and portal behavior before implementation.

Who should approve a branding change?

IT controls configuration, while the business/brand owner approves identity, privacy/legal approves public references where needed, accessibility reviews contrast and usability, help desk approves support routes, and security reviews user guidance and privilege use.

What must be tested after changing branding?

Test first/second sign-in steps, common browsers, narrow/mobile views, native apps, dark and high-contrast themes, guest/personal-account scenarios, language variants, password-reset paths, public links/text, group or application targeting, support contacts, and rollback readiness.

Can every tenant use custom CSS for Entra company branding?

No. Microsoft states that tenants created after January 5, 2026 do not have custom CSS for company branding. Older tenants may retain the capability, but designs should not assume it exists without tenant-specific verification.

Make the tenant experience trustworthy, current, and supportable

IT Perfection helps Orange County and Southern California organizations document Microsoft 365 branding, prepare accessible assets, control privileged changes, validate user experiences, and retain operational evidence.

Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review. Microsoft licensing, roles, limits, portal locations, and features change; validate current Microsoft documentation and tenant behavior before implementation.