
Configuring M365 Company Branding & Privacy Settings: Simple Tricks to Reduce Phishing Risks

  • welka2111
  • Jul 8

Introduction

When you think about securing your login page, you probably picture complex authentication methods or firewalls. But here’s the twist - there’s actually a much simpler step that can drastically reduce phishing risks: company branding. Yes, adding your logo and custom colours to your login page isn’t just for aesthetics - it’s a clever security move that helps your users quickly recognise a fake site and steer clear of phishing traps.


Now, you might be wondering: why the hell is there a picture of a giant duck in the featured image for this post? Spoiler alert: there are more duck pictures scattered throughout this article, because, well, every excuse is good enough for me. But if you’re curious about the ducks, you’ll have to read on to find out.


But back to business - branding your login page doesn’t stop at just a logo and colour scheme. You can take it even further by adding a unique, easily recognisable image to the background. This isn’t just for style - it’s a subtle but effective way to train users and raise their awareness of phishing threats. Let’s take a closer look at how it works and why it’s so effective.




Why company branding works: more than just a logo

Every day, users receive phishing emails that appear legitimate, tricking them into clicking links that lead to fake login pages. These attacks rely on creating a sense of familiarity - making users believe they’re on a trusted website, even when they’re not.

Now, imagine a login page that mirrors your company’s actual website. It includes your logo, your brand colours, and a distinctive background image. This image is so recognisable that even the most distracted user would notice if it were missing. This becomes a powerful tool to help users spot phishing attempts.


How company branding reduces phishing click-through rates

Recognition is key. When users are familiar with the look and feel of your login page, they can easily spot when something’s off. Customising your login page with your corporate branding - like your logo and company colours - provides users with a mental checklist. Here’s how this works:

  • Logo and colours: the first step is adding your company’s logo and ensuring the colours match your brand. If your login page doesn’t reflect your company’s website, it’s a red flag for users that something’s wrong.

  • A unique, recognisable background: this is where the real power lies. Consider adding a unique, recognisable image to the background of your login page. The image could be quirky and eye-catching, yet deeply associated with your brand. Examples include:

    • A pink flamingo that’s part of your company’s mascot or theme.

    • A red bus, if it’s a symbol tied to your company’s branding.

    • Or something playful, like a smiley cow that stands out.

By using an image like this, you create a mental shortcut for users. When they see that flamingo, red bus, or smiley cow, they’ll immediately recognise the page as legitimate. It’s a simple but highly effective way to help them avoid phishing attacks.


How company branding trains your users

At first, users might not consciously recognise the image as a sign of authenticity. But over time, they’ll start associating that background with your brand. It’s like training them without them even realising it. They won’t need to scrutinise every tiny detail on the page to confirm its legitimacy. If they see that unique image and your corporate logo, they’ll know they’re on the real login page. If it’s missing, they’ll be more cautious and double-check the URL.


Data privacy: making it clear and accessible

While company branding helps users visually identify the page as legitimate, it’s also important to provide clear information about data privacy. Include a link to your privacy policy on the login page. This reassures users that you take their data seriously and strengthens trust. When users see your logo, the unique background image, and the data privacy link, they’ll have all the information they need to confidently log in.


Quick step-by-step guide to setting up your company branding

Ready to jazz up your Microsoft 365 login page and give phishing a run for its money? Here’s how to make it happen - and add a dash of personality while you’re at it.

  1. Head over to Entra. Open up your favourite browser, and go to entra.microsoft.com > Identity navigation pane > User experiences > Company branding.

  2. Edit your default sign-in page. Under the Default sign-in tab, click on Edit and navigate through tabs like Basics, Layout, Header, Footer, and Sign-in form. Be sure to keep an eye on your image sizes and file types.

    Corporate branding in Entra/ Azure
  3. Resizing your images. Now, this is where the magic happens. If your images are too big, resize them! Don’t worry, no Photoshop wizardry required. Simply open the image in your Photos app (yes, it’s the same Photos app that comes with Windows), click on the three horizontal dots in the top left, and choose Resize image.

    Photo App on Windows

    You’ll get a pop-up window where you can tweak the pixels or percentages, watch the size change, and save it.

    Resizing an image

    Boom, resized and ready to upload.

    (Pro tip: you can even use an online tool like TinyPNG to shrink files without losing quality - but hey, let’s keep it simple for now).


  4. Upload and save your images. Once your images are resized, it’s time to go back to Entra and upload them. Review your new masterpiece, give it a final “yep, this is good,” and hit Save. You’re officially a branding expert now.

    Configuring company branding
  5. Testing your new sign-in page. Now comes the fun part - let’s see how it all looks in action. When you test your new sign-in page, before typing in your username, you’ll see a default Microsoft sign-in page.

    Default sign-in page

    But as soon as you enter your username, bam, your custom sign-in page will show up in all its glory.

    Pay attention to the favicon, header logo, banner logo, sign-in page text, and those important terms of use and privacy settings links. It’s all about making sure your users can spot a phishing attempt from a mile away.

    Sign-in page after customising company branding

    And... let’s address the duck in the room. Yep, I went there. Anyone who knows me is aware of my borderline obsessive fascination with ducks (seriously, I probably have around 500 plastic and rubber ducks scattered around my house - please, no more, I beg you!). Naturally, I couldn’t resist making one my background image. So, when you see a giant duck in the background, just know: it’s my way of keeping things fun while making sure no one gets phished. 🦆
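
To confirm that the elements listed in step 5 are actually configured, the branding object can be audited from PowerShell. This is an added example, not code from the original post or from Microsoft: the property names are those of the Microsoft Graph organizationalBranding resource, while the function name Test-SignInBranding and the sample object are constructed for illustration.

```powershell
# Added example: audit a company-branding object against the step 5 checklist.
# To run against a live tenant (assumes the Microsoft Graph PowerShell SDK is installed):
#   Connect-MgGraph -Scopes 'Organization.Read.All'
#   $branding = Get-MgOrganizationBranding -OrganizationId (Get-MgOrganization).Id

function Test-SignInBranding {
    param([Parameter(Mandatory)] $Branding)

    # Visual cues and links users are told to look for, mapped to the
    # organizationalBranding properties that back them.
    $required = [ordered]@{
        'Background image'  = 'BackgroundImageRelativeUrl'
        'Banner logo'       = 'BannerLogoRelativeUrl'
        'Header logo'       = 'HeaderLogoRelativeUrl'
        'Favicon'           = 'FaviconRelativeUrl'
        'Sign-in page text' = 'SignInPageText'
        'Privacy link'      = 'CustomPrivacyAndCookiesUrl'
        'Terms of use link' = 'CustomTermsOfUseUrl'
    }

    foreach ($item in $required.GetEnumerator()) {
        $value  = $Branding.($item.Value)
        $status = if ([string]::IsNullOrWhiteSpace($value)) { 'MISSING' } else { 'OK' }

        # Footer links must be absolute HTTPS URLs; the *RelativeUrl image paths are skipped.
        if ($status -eq 'OK' -and $item.Value -like '*Url' -and $item.Value -notlike '*RelativeUrl') {
            $uri   = $null
            $valid = [uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri) -and $uri.Scheme -eq 'https'
            if (-not $valid) { $status = 'NOT HTTPS' }
        }

        [pscustomobject]@{ Element = $item.Key; Property = $item.Value; Status = $status }
    }
}

# Constructed sample object (not real tenant data): header logo unset, privacy link on plain HTTP.
$sample = [pscustomobject]@{
    BackgroundImageRelativeUrl = 'constructed/illustration.jpg'
    BannerLogoRelativeUrl      = 'constructed/bannerlogo.png'
    HeaderLogoRelativeUrl      = $null
    FaviconRelativeUrl         = 'constructed/favicon.ico'
    SignInPageText             = 'Look for the duck before you sign in.'
    CustomPrivacyAndCookiesUrl = 'http://example.com/privacy'
    CustomTermsOfUseUrl        = 'https://example.com/terms'
}

Test-SignInBranding -Branding $sample | Format-Table -AutoSize
```

On the constructed sample, the header logo is reported as MISSING and the privacy link as NOT HTTPS; every other element is OK.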



How it all comes together

Let’s say a user receives an email that looks like it’s from your company, but contains a link to a login page. When they click the link, they should immediately recognise whether the page is genuine. If it features your logo, brand colours, and the familiar background image (like the flamingo, red bus, smiley cow, ... or a duck), they’ll know they’re in the right place. And if the data privacy link checks out, they can enter their credentials without worrying about phishing.

On the other hand, if they land on a page that lacks these elements, they’ll pause, double-check the URL, and think twice before entering their information.


Conclusion

Customising your login page with company branding and a unique, easily recognisable background image is one of the simplest yet most effective ways to train users to avoid phishing scams. It’s about creating familiarity and trust. By adding a distinctive visual cue - like a pink flamingo or a red bus - alongside your logo and clear data privacy information, you’re giving users the tools to spot phishing attempts from a mile away.

A little creativity can go a long way in helping your users stay safe while keeping the login process smooth and secure.

So, there you have it. With a bit of creativity and some cheeky branding, you’ve now got a login page that not only looks great but actively helps users stay safe.

For official Microsoft documentation on company branding check here: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-customize-branding 


Further Resources:

For more on Microsoft 365 company branding and privacy settings, including how to configure it via PowerShell and update your company’s branding annually, check out these detailed guides:

4 Comments


masyan
Jul 20

Evilginx easily proxies the background and all this stuff

thisguy
Jul 22
Replying to

phishing resistant auth ftw


Dev
Jul 15

I love this, and I've been using it for a while, but I think that some clever buggers are able to pass the request for the sign-in image straight to your tenant and then serve it up to you in their login screen - which means that if people are trained to immediately trust the image, they could still fall prey to something bad. It's good to look for the image and wonder why it's not there, but I'm now wary of telling people that they can definitely trust it.


© 2035 by Train of Thoughts. Powered and secured by Wix
