
Customize Azure AD Login Branding

The ability to customize Azure AD login branding with company images has been around for many years. Recently, though, additional configuration options have become available, specifically the ability to provide a Username hint and Sign-in page text. Having recently mocked this up for an engagement, there were a few items I want to recall for the next time I need to do it. This post summarizes the options for customizing Azure AD login branding.

The following graphic shows the “Company branding” configuration items under the Azure Active Directory Blade in the Azure Portal.

NOTE:
Before obtaining your images to customize your Azure AD login branding, keep in mind the supported graphic formats and the maximum image dimensions and file sizes. No doubt you will be provided hi-res images from a marketing or corporate communications department, and they will exceed the Azure AD image configuration limits. A quick online way to resize images (at the cost of some image quality) is a service such as Reduce Images.

Also keep in mind that every time you make a change and test it, your branding gets cached by the globally distributed Azure AD authentication endpoints. As stated in the documentation, changes can take up to an hour to be reflected. Be patient (or keep reloading until your request lands on an endpoint that has already picked up the new configuration).

Customize Azure AD Login Branding

In the Azure Portal under the Azure Active Directory blade select “Company Branding“. By default, there will be none. The following screenshot shows a configured company branding profile that is the default branding for the associated tenant.
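An added check that is not part of the original post: once the branding profile is saved in the portal, the stored values can be read back over Microsoft Graph, which separates a propagation delay at the login endpoint from a setting that never saved. It uses the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Get-MgOrganization, Invoke-MgGraphRequest) against the documented /organization/{id}/branding resource; the Organization.Read.All scope and the function name Get-BrandingCheck are assumptions for this example.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK is installed
# and the signed-in account can consent to Organization.Read.All (an assumption about your tenant).
Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome

# Branding is a child of the organization object; there is exactly one organization per tenant
$orgId = (Get-MgOrganization).Id

function Get-BrandingCheck {
    param([Parameter(Mandatory)] [string] $OrganizationId)

    $base = "https://graph.microsoft.com/v1.0/organization/$OrganizationId/branding"

    # Default (invariant-locale) branding exactly as the service has it stored
    $default = Invoke-MgGraphRequest -Method GET -Uri $base

    # Limits from the organizationalBrandingProperties schema: hint 64 chars, page text 1024 chars
    $hintLimit = 64
    $textLimit = 1024

    $summary = [pscustomobject]@{
        UsernameHintText   = $default.usernameHintText
        UsernameHintLength = ([string]$default.usernameHintText).Length
        SignInPageText     = $default.signInPageText
        SignInPageLength   = ([string]$default.signInPageText).Length
        BackgroundColor    = $default.backgroundColor
    }
    if ($summary.UsernameHintLength -gt $hintLimit) { Write-Warning "Username hint exceeds $hintLimit characters" }
    if ($summary.SignInPageLength -gt $textLimit)   { Write-Warning "Sign-in page text exceeds $textLimit characters" }

    # Localised variants override the default for browsers sending a matching Accept-Language
    $localized = Invoke-MgGraphRequest -Method GET -Uri "$base/localizations"
    foreach ($loc in $localized.value) {
        Write-Host ("Localization '{0}': usernameHintText='{1}'" -f $loc.id, $loc.usernameHintText)
    }

    $summary
}

Get-BrandingCheck -OrganizationId $orgId | Format-List
```

If Graph returns the new text but the sign-in page still shows the old one, you are looking at the endpoint caching delay described in the note above rather than a configuration problem.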

Sign-In using AAD Tenant Authentication Endpoint

In order to see your new company branding you will need to either navigate to the common Microsoft login endpoint and enter your Login ID, at which point the login page knows the context of your identity and loads the branding, or specify your tenant along with the Microsoft login endpoint. The example PowerShell below authenticates to a specific Azure AD registered application within my idmspecialistdev.onmicrosoft.com tenant.

# Tenant-specific v2.0 authorize endpoint: the tenant in the URL path selects the branding
$tenantName = 'idmspecialistdev.onmicrosoft.com'
$loginBaseURL = 'https://login.microsoftonline.com'
$appClientID = '384ade2f-8e77-4110-8ef3-19801234abcd'
# response_type=id_token requires a nonce, which is echoed back as a claim in the ID token
$nonce = [guid]::NewGuid().ToString('N')
Start-Process "$($loginBaseURL)/$($tenantName)/oauth2/v2.0/authorize?client_id=$($appClientID)&response_type=id_token&scope=openid&nonce=$($nonce)"

Running the script above opens the sign-in page for my tenant with the configured company branding. Because the browser already holds Azure AD session cookies from earlier sign-ins, the page presents an account picker listing the identities used previously instead of an empty Login ID field.

Sign-In using AAD Tenant Authentication Endpoint with Custom Text

A second example, building the same authentication URL from a few PowerShell variables but opening it in a new InPrivate browser session so that no existing sign-in sessions produce an account picker. With the Login ID field empty, the Username hint and Sign-in page text options become visible.

$tenantName = 'idmspecialistdev.onmicrosoft.com'
$loginBaseURL = 'https://login.microsoftonline.com'
$appClientID = '6731de76-14a6-49ae-97bc-19801234abcd'
$userUPN = ''   # empty: no login_hint value, so the Login ID field shows the Username hint text
$nonce = [guid]::NewGuid().ToString('N')
$authURL = "$($loginBaseURL)/$($tenantName)/oauth2/v2.0/authorize?client_id=$($appClientID)&login_hint=$([uri]::EscapeDataString($userUPN))&domain_hint=$($tenantName)&response_type=id_token&scope=openid&nonce=$($nonce)"
# Open in a fresh InPrivate window so existing sign-in sessions don't produce an account picker
Start-Process 'msedge.exe' -ArgumentList '--inprivate', $authURL

The Username hint shows up in the Sign in / Login ID field as the default or hint text. The Sign-in page text appears at the bottom of the login dialog. The full configuration for the text as shown looks like this. Sign-in page text is formatted using markdown syntax.

Note: Only paragraph spacing is possible. A new paragraph is specified using two carriage returns. It is not possible to specify a single newline.

__IDM Specialist__

*Azure Active Directory Logon*

++keep your password secure++

[Service Desk](https://blog.darrenjrobinson.com)

Sign-In pre-populating User Login ID and Tenant Authentication Endpoint

If you are building a custom Azure AD application, you may be passing users to the authentication page after already collecting or knowing their Login ID. In that case you may want to pre-populate the Login ID field with their details.

$tenantName = 'idmspecialistdev.onmicrosoft.com'
$loginBaseURL = 'https://login.microsoftonline.com'
$appClientID = '6731de76-14a6-49ae-97bc-19801234abcd'
$userUPN = 'darren@darrenjrobinson.com'   # login_hint pre-populates the Login ID field
$nonce = [guid]::NewGuid().ToString('N')
# login_hint is URL-encoded so a UPN with reserved characters cannot break the query string
Start-Process "$($loginBaseURL)/$($tenantName)/oauth2/v2.0/authorize?client_id=$($appClientID)&login_hint=$([uri]::EscapeDataString($userUPN))&domain_hint=$($tenantName)&response_type=id_token&scope=openid&nonce=$($nonce)"

Running the example above takes the login darren@darrenjrobinson.com and passes it to the Tenant Login Page pre-populating the Login ID field.
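The three URL variants above (tenant endpoint, tenant endpoint with domain_hint, and pre-populated login_hint) differ only in their query parameters, so here is one reusable builder that covers them plus the common endpoint. This is an added example, not code from the original post; the function name New-AadAuthorizeUrl, the tenant contoso.onmicrosoft.com, the all-zero client ID and the UPN alice@contoso.com are placeholders. It URL-encodes every value and generates random nonce and state values with a cryptographic RNG.

```powershell
# Added example, not from the original post. Builds the v2.0 authorize URL used throughout this post.
function New-AadAuthorizeUrl {
    [CmdletBinding()]
    param(
        # Tenant domain or ID, or 'common' for the multi-tenant endpoint
        [Parameter(Mandatory)] [string] $Tenant,
        [Parameter(Mandatory)] [string] $ClientId,
        # Optional but recommended; must exactly match a redirect URI on the app registration
        [string] $RedirectUri,
        # UPN to pre-populate in the Login ID field
        [string] $LoginHint,
        # Pins the sign-in page to this tenant (skips home realm discovery)
        [string] $DomainHint,
        [string] $Scope = 'openid',
        [switch] $OpenInBrowser
    )

    # nonce is required for response_type=id_token and comes back as a claim in the token;
    # state comes back in the redirect. A relying party must check both before trusting the response.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $nonceBytes = [byte[]]::new(16); $rng.GetBytes($nonceBytes)
    $stateBytes = [byte[]]::new(16); $rng.GetBytes($stateBytes)
    $nonce = ($nonceBytes | ForEach-Object { $_.ToString('x2') }) -join ''
    $state = ($stateBytes | ForEach-Object { $_.ToString('x2') }) -join ''

    $params = [ordered]@{
        client_id     = $ClientId
        response_type = 'id_token'
        response_mode = 'fragment'
        scope         = $Scope
        nonce         = $nonce
        state         = $state
    }
    if ($RedirectUri) { $params['redirect_uri'] = $RedirectUri }
    if ($LoginHint)   { $params['login_hint']   = $LoginHint }
    if ($DomainHint)  { $params['domain_hint']  = $DomainHint }

    # Encode every value; a UPN or redirect URI with reserved characters would otherwise break the query
    $query = ($params.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f $_.Key, [uri]::EscapeDataString([string]$_.Value)
    }) -join '&'

    $url = 'https://login.microsoftonline.com/{0}/oauth2/v2.0/authorize?{1}' -f [uri]::EscapeDataString($Tenant), $query
    if ($OpenInBrowser) { Start-Process $url }

    [pscustomobject]@{ Url = $url; Nonce = $nonce; State = $state }
}

# Placeholder values (assumptions for this example, not the post's tenant or app)
$tenant   = 'contoso.onmicrosoft.com'
$clientId = '00000000-0000-0000-0000-000000000000'

# 1. Tenant endpoint, no hints: branding is selected by the tenant in the URL path
(New-AadAuthorizeUrl -Tenant $tenant -ClientId $clientId).Url

# 2. Tenant pinned with domain_hint and an empty Login ID, so the Username hint text is visible
(New-AadAuthorizeUrl -Tenant $tenant -ClientId $clientId -DomainHint $tenant).Url

# 3. Pre-populate the Login ID field for a known user and open it in the default browser
New-AadAuthorizeUrl -Tenant $tenant -ClientId $clientId -LoginHint 'alice@contoso.com' -DomainHint $tenant -OpenInBrowser
```

response_type=id_token is the implicit flow, which is fine for eyeballing branding in a browser but should not be the sign-in flow of a real application; use the authorization code flow with PKCE there, and in either case verify the returned nonce and state against the values this function hands back.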

Summary

We now have good granularity around configuration of items associated with customizing Azure AD login branding. Knowing how and what appears where should also assist in getting it right a lot quicker.

Darren Robinson

Bespoke learnings from a Microsoft Identity and Access Management Architect using lots of Microsoft Identity Manager, Azure Active Directory, PowerShell, SailPoint IdentityNow and Lithnet products and services.
