Company Branding and Tenant-Level Settings (SC-300)
Why Is Company Branding and Tenant-Level Settings Important?
Company branding and tenant-level settings are foundational elements of identity management in Microsoft Entra ID (formerly Azure Active Directory). They directly impact user experience, security posture, and organizational governance. When users sign in to your organization's cloud services, the login page is often the first touchpoint they encounter. A properly branded and configured tenant instills trust, reduces phishing susceptibility, and ensures users know they are signing into the correct organization. From an exam perspective, the SC-300 (Microsoft Identity and Access Administrator) certification tests your ability to configure and manage these settings as part of implementing and managing user identities.
What Is Company Branding?
Company branding in Microsoft Entra ID allows administrators to customize the sign-in experience for their tenant. This includes modifying visual elements of the sign-in page such as:
• Banner logo: A logo displayed on the sign-in page (recommended size: 280 × 36 pixels, max 10 KB, transparent PNG or JPEG).
• Background image: A large image displayed on the sign-in page (recommended size: 1920 × 1080 pixels, max 300 KB).
• Background color: A hex color code applied when the background image cannot load (e.g., on low-bandwidth connections).
• Sign-in page text: Custom text that appears at the bottom of the sign-in page (useful for help desk information or legal disclaimers).
• Square logo (light and dark themes): Used in Windows 10+ OOBE (Out-of-Box Experience) and other surfaces.
• Username hint: Placeholder text for the username input field.
• Favicon: A small icon displayed in the browser tab.
Company branding can also be configured on a per-language basis, allowing organizations to present localized branding to users based on their browser language settings. This is configured through language-specific customizations.
What Are Tenant-Level Settings?
Tenant-level settings encompass a broader set of configurations that apply to the entire Microsoft Entra ID tenant. These include:
• Tenant properties: The tenant name, country or region, technical contact, and global privacy contact information.
• User settings: Controls such as whether users can register applications, access the Azure portal, connect LinkedIn accounts, or use the "Stay signed in" (KMSI - Keep Me Signed In) prompt.
• External collaboration settings: Guest user access levels, invitation restrictions, and collaboration restrictions.
• Security defaults: A baseline security configuration that enforces MFA registration, blocks legacy authentication, and requires MFA for privileged actions.
• Custom banned passwords: Tenant-specific banned password lists that enhance Azure AD Password Protection.
• Notification settings: Configurations for technical and billing notifications at the tenant level.
How Does Company Branding Work?
1. Navigate to Microsoft Entra admin center → User experiences → Company branding.
2. You will see a Default branding configuration that applies to all users unless a language-specific override exists.
3. Click Edit to configure the default branding, or click Add custom branding to create language-specific branding.
4. Upload your banner logo, background image, set background color, sign-in page text, and other visual elements.
5. Under the Sign-in form tab, you can configure the "Show option to remain signed in" (KMSI) toggle. When enabled, users see a "Stay signed in?" prompt after successful authentication.
6. Under the Self-service password reset section, you can configure custom helpdesk links.
7. Click Save to apply changes. Changes may take up to 15 minutes to propagate.
Note: Company branding requires at minimum a Microsoft Entra ID P1 license (Azure AD Premium P1). Without it, default Microsoft branding is displayed.
How Do Tenant-Level Settings Work?
Tenant-level settings are configured across multiple areas of the Microsoft Entra admin center:
• Tenant properties are found under Identity → Overview → Properties. Here you set the tenant display name, technical contact, global privacy statement URL, and privacy contact.
• User settings are under Identity → Users → User settings. Key toggles include:
- Users can register applications (Yes/No)
- Restrict non-admin users from creating tenants (Yes/No)
- Users can create security groups (Yes/No)
- LinkedIn account connections (Yes/No)
• External collaboration settings are under Identity → External Identities → External collaboration settings.
• Security defaults are configured under Identity → Overview → Properties → Manage security defaults. Note: Security defaults cannot coexist with Conditional Access policies in most scenarios.
Key Relationships Between Branding and Identity Management
Company branding is not merely cosmetic. It serves critical identity management purposes:
• Anti-phishing: Custom branding helps users visually verify they are signing into a legitimate organizational page rather than a phishing site.
• KMSI (Keep Me Signed In): The "Stay signed in?" prompt is configured within company branding settings, not under a separate security section. This is a commonly tested detail on the SC-300 exam.
• Self-service password reset (SSPR) links: Custom helpdesk links configured in branding provide users with appropriate support contact information during password reset flows.
• Conditional Access interaction: Branding applies to the sign-in page regardless of which Conditional Access policies are in effect.
How to Answer Questions on Company Branding and Tenant-Level Settings in the Exam
The SC-300 exam may test these topics through scenario-based questions, configuration-order questions, or knowledge-check questions. Here is how to approach them:
Exam Tips: Answering Questions on Company Branding and Tenant-Level Settings
1. Remember the licensing requirement: Company branding customization requires Microsoft Entra ID P1 or P2 (Azure AD Premium). If a question mentions a Free or Office 365 tier only, branding customization is not available.
2. Know where KMSI is configured: The "Stay signed in?" (Keep Me Signed In) prompt is configured within Company branding, not under user settings or Conditional Access. This is a frequently tested detail.
3. Understand language-specific branding: If a question asks about displaying different logos or text for users in different regions, the answer involves creating language-specific branding customizations within company branding. Each customization targets a specific browser language.
4. Distinguish between tenant-level and user-level settings: Questions may try to confuse you between settings that apply to the entire tenant (e.g., security defaults, user registration permissions) versus settings that apply per user or per group (e.g., Conditional Access policies). Tenant-level settings affect all users unless overridden.
5. Security defaults vs. Conditional Access: If security defaults are enabled, you cannot enable Conditional Access policies (and vice versa in most configurations). If a question describes both being active, identify the conflict. To use Conditional Access, security defaults must be disabled.
6. Know the propagation delay: Branding changes can take up to 15 minutes to appear. If a scenario asks why branding changes are not immediately visible, time delay is the likely answer.
7. Background color vs. background image: The background color is a fallback for when the background image cannot be loaded (low bandwidth). Know this distinction, as it may appear in scenario questions.
8. Guest user experience: Company branding applies to your tenant's sign-in page only. Guest users authenticating through their home tenant see their own tenant's branding. Guest users who are redirected to your tenant's sign-in page (e.g., for email OTP or direct federation) will see your branding.
9. Role requirements: To configure company branding, you need the Global Administrator or Organizational Branding Administrator role. For tenant-level user settings, the Global Administrator or User Administrator role is typically required. Exam questions may test which role is sufficient.
10. Watch for the "least privilege" principle: If asked which role should configure branding, prefer Organizational Branding Administrator over Global Administrator, as it follows the principle of least privilege.
11. Tenant properties matter: Questions about setting the global privacy contact, privacy statement URL, or technical contact are configured under tenant properties, not company branding. Do not confuse these locations.
12. Self-service password reset customization: Custom helpdesk links (email or URL) shown during SSPR are configured within company branding settings. If a question asks how to provide a custom support link during password reset, the answer is company branding configuration.
Summary
Company branding and tenant-level settings form the visual and administrative foundation of your Microsoft Entra ID tenant. Branding customizes the sign-in experience with logos, images, text, and KMSI settings, while tenant-level settings control broader behaviors like application registration, security defaults, and external collaboration. For the SC-300 exam, focus on where each setting is configured, which license is required, which role is needed, and how these settings interact with Conditional Access and other identity features. Understanding these distinctions will help you confidently answer exam questions on this topic.
