Anti-Phishing in 15 Minutes: Add Your Logo to the Microsoft 365 Login Page
Step-by-step guide to configure Entra ID company branding. Logo, background, sign-in text — anti-phishing measure.
TL;DR
An unbranded Microsoft 365 login page is an open invitation for phishing attacks — your employees cannot distinguish the real page from a fake one. In 15 minutes, you can add your company logo, a background image, and custom sign-in text via Entra Admin Center → Company Branding. This gives your users a visual anchor to verify they are on the legitimate login page. Combined with MFA and Conditional Access, this is a critical layer of your anti-phishing defense.
Why This Matters: The Phishing Problem
According to Microsoft's Digital Defense Report, over 90% of cyberattacks begin with a phishing email. The most common attack vector? A fake Microsoft 365 login page that looks identical to the real one.
Here is the problem: if your organization uses the default, unbranded Microsoft login page, your employees have zero visual cues to distinguish the real page from a clone. An attacker can spin up a pixel-perfect copy in minutes using phishing kits like Evilginx or Modlishka.
When you add company branding — your logo, a custom background, a personalized sign-in message — your employees immediately notice when something is off. It is not bulletproof (a sophisticated attacker could replicate branding too), but it raises the bar significantly against commodity phishing attacks, which account for the vast majority of incidents.
What Branding Protects Against
- Commodity phishing kits — pre-built tools that clone the default Microsoft login page
- Spray-and-pray campaigns — mass phishing emails that rely on generic login pages
- Employee complacency — users who auto-pilot through login without checking the URL
What Branding Does NOT Protect Against
- Targeted spear-phishing where the attacker replicates your branding (but this requires extra effort)
- Adversary-in-the-middle (AitM) attacks that proxy the real login page in real-time
- Token theft or session hijacking after authentication
This is why branding is one layer in a defense-in-depth strategy. We cover the additional layers at the end of this article.
Prerequisites
- Microsoft 365 license — Any M365 Business or Enterprise plan (Basic, Standard, Premium, E3, E5). Company branding requires at minimum an Entra ID P1 license (included in M365 Business Premium and E3/E5). If you are on Business Basic or Standard, you get only the default branding tab (limited options).
- Admin role — You need Global Administrator or Organizational Branding Administrator role in Entra ID.
- Your company logo in PNG, JPG, or SVG format
- A background image (optional but recommended) in JPG or PNG format
- 15 minutes of uninterrupted time
Prepare Your Assets Before You Start
Gather these files before opening the admin center. This avoids the back-and-forth of finding the right file while the admin portal times out.
| Asset | Format | Max Size | Recommended Dimensions |
|---|---|---|---|
| Banner logo (header) | PNG, JPG, SVG | 36 KB | 245 × 36 px (max 245 × 36) |
| Square logo (light theme) | PNG, JPG, SVG | 50 KB | 240 × 240 px (appears on login box) |
| Square logo (dark theme) | PNG, JPG, SVG | 50 KB | 240 × 240 px |
| Background image | PNG, JPG | 300 KB | 1920 × 1080 px |
| Favicon | ICO, PNG | 10 KB | 32 × 32 px or 48 × 48 px |
Tip: Use a transparent PNG for logos. The square logo appears inside the white sign-in box, so a transparent background looks cleanest. For the banner logo, keep it horizontally oriented — it appears in the top-left corner.
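A preflight check for the files in the table above, added here as an example and not part of the original guide. It assumes Windows (for System.Drawing), and the file names are hypothetical; the limits are copied from the table.

```powershell
# Added example: check branding assets against the limits in the asset table.
# Assumes Windows, where System.Drawing is available. File names are hypothetical.
Add-Type -AssemblyName System.Drawing

$specs = @(
    [pscustomobject]@{ Asset = 'Banner logo';         Path = '.\banner.png';       MaxKB = 36;  Sizes = @('245x36') }
    [pscustomobject]@{ Asset = 'Square logo (light)'; Path = '.\square-light.png'; MaxKB = 50;  Sizes = @('240x240') }
    [pscustomobject]@{ Asset = 'Square logo (dark)';  Path = '.\square-dark.png';  MaxKB = 50;  Sizes = @('240x240') }
    [pscustomobject]@{ Asset = 'Background image';    Path = '.\background.jpg';   MaxKB = 300; Sizes = @('1920x1080') }
    [pscustomobject]@{ Asset = 'Favicon';             Path = '.\favicon.png';      MaxKB = 10;  Sizes = @('32x32', '48x48') }
)

function Test-BrandingAsset {
    param([Parameter(Mandatory)] $Spec)
    $problems = @(); $sizeKB = $null; $pixels = $null
    if (-not (Test-Path -LiteralPath $Spec.Path -PathType Leaf)) {
        $problems += 'file not found'
    } else {
        $file   = Get-Item -LiteralPath $Spec.Path
        $sizeKB = [math]::Round($file.Length / 1KB, 1)
        if ($file.Length -gt $Spec.MaxKB * 1KB) { $problems += "larger than $($Spec.MaxKB) KB" }
        # Pixel dimensions are read for PNG/JPG only; SVG and ICO files get the size check alone.
        if ($file.Extension -in '.png', '.jpg', '.jpeg') {
            $img = [System.Drawing.Image]::FromFile($file.FullName)
            try {
                $pixels = '{0}x{1}' -f $img.Width, $img.Height
                if ($pixels -notin $Spec.Sizes) { $problems += "recommended $($Spec.Sizes -join ' or ') px" }
            } finally { $img.Dispose() }   # release the file handle
        }
    }
    [pscustomobject]@{ Asset = $Spec.Asset; SizeKB = $sizeKB; Pixels = $pixels; Problems = $problems -join '; ' }
}

$specs | ForEach-Object { Test-BrandingAsset $_ } | Format-Table -AutoSize
```

An empty Problems column means the file is within the size limit and, for PNG/JPG, matches the recommended dimensions.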
Step 1: Access Company Branding in Entra Admin Center
- Open https://entra.microsoft.com in your browser.
- Sign in with your admin account.
- In the left navigation, expand Identity.
- Click User experiences.
- Click Company branding.
Alternatively, navigate directly to:
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/LoginTenantBranding
You will see either an empty branding page (if never configured) or the current branding settings with a preview.
Step 2: Configure the Default Branding
Click Configure (or Edit if branding already exists). This opens the branding editor with multiple tabs.
Microsoft organizes branding into a Default experience and optional per-language overrides. Configure the Default first — it applies to all users regardless of browser language. You can add language-specific variants later.
The editor has these tabs:
- Basics — Favicon, background image
- Layout — Template, header/footer visibility
- Header — Banner logo
- Footer — Privacy & Terms links
- Sign-in form — Square logo, sign-in page text
- Review — Preview and save
Step 3: Upload Your Logo
Banner Logo (Header)
- Go to the Header tab.
- Click the upload area for Banner logo.
- Select your horizontal logo file (245 × 36 px, max 36 KB).
- The preview updates immediately.
Square Logo (Sign-In Box)
- Go to the Sign-in form tab.
- Upload your Square logo (light theme) (240 × 240 px, max 50 KB).
- Upload your Square logo (dark theme) if you have a variant for dark backgrounds.
The square logo appears prominently in the center of the sign-in box. This is the most visible element — make sure it is high-quality and immediately recognizable as your company.
Logo Best Practices
- Use transparent PNG for both logos
- Avoid text-heavy logos — at 240px they may become unreadable
- Test on both light and dark backgrounds
- If your logo is only available in one color scheme, upload the same file for both light and dark
Step 4: Set the Background Image
- Go to the Basics tab.
- Upload your Background image (1920 × 1080 px, max 300 KB).
- Check the preview — the image appears behind the sign-in box on desktop. On mobile, it may be cropped or hidden.
Background Image Guidelines
- Keep it simple — an abstract pattern, a subtle brand color gradient, or a muted office photo works best
- Avoid busy images — they compete with the sign-in form
- Keep the right side lighter — the sign-in box typically appears on the right
- Compress wisely — 300 KB max means you need to optimize. Use TinyPNG or similar
- Consider accessibility — ensure sufficient contrast for the sign-in form overlay
If you prefer not to use a background image, you can set a Page background color instead (hex value, e.g., #f0f2f5 for a light gray). This is set in the Basics tab under the background image upload.
Step 5: Configure Sign-In Page Text
- Go to the Sign-in form tab.
- Find the Sign-in page text field.
- Enter a short message that your employees will recognize, for example:
Welcome to Contoso Ltd. If you did not expect to see this page, close your browser immediately and report the email to security@contoso.com.
This text appears below the sign-in form. Keep it under 1024 characters (Microsoft's limit). Only plain text is supported — no HTML, no links.
What to Include in the Sign-In Text
- Company name — confirms the user is on the right tenant
- Security instruction — what to do if the page looks suspicious
- IT support contact — where to report phishing attempts
What NOT to Include
- Passwords or security codes
- Links (they are not clickable in this field)
- Overly long legal disclaimers (users will not read them)
Step 6: Advanced Options (Favicon, Colors)
Favicon
- In the Basics tab, upload your favicon (32 × 32 px or 48 × 48 px, max 10 KB).
- This appears in the browser tab when users visit the login page. A small detail, but it reinforces brand recognition.
Footer Links
- Go to the Footer tab.
- Toggle on Show footer.
- Add your Privacy & Cookies URL (e.g., https://www.contoso.com/privacy).
- Add your Terms of Use URL.
Layout Options
- Go to the Layout tab.
- Choose a Template — options include the default (sign-in box on right) or a full-screen centered layout.
- Configure whether to show the header and footer.
Step 7: Save and Test
- Click Review to see a full preview.
- Click Save.
- Wait 5–15 minutes — branding changes propagate across Microsoft's CDN. It is not instant.
- Test the branded login page.
How to Test
- Open a private/incognito browser window (this avoids cached sessions).
- Navigate to https://login.microsoftonline.com.
- Enter a valid email address from your tenant (e.g., user@contoso.com).
- After entering the email, the sign-in page should display your branding.
Important: Branding appears after the user enters their email address and the system identifies the tenant. The initial email entry page remains the generic Microsoft page. This is by design — Microsoft cannot show tenant-specific branding until it knows which tenant the user belongs to.
Testing Checklist
[ ] Logo appears correctly in the sign-in box
[ ] Banner logo shows in the top-left header
[ ] Background image displays properly (desktop)
[ ] Sign-in text is visible below the form
[ ] Favicon appears in the browser tab
[ ] Footer links work (if configured)
[ ] Test on mobile device (branding may render differently)
[ ] Test in both light and dark mode (if applicable)
[ ] Test with a non-admin user account
Before & After Comparison
Before: Default Microsoft Login Page
- Generic Microsoft logo
- Plain white/gray background
- No company identification
- No sign-in text
- No favicon
- Verdict: Indistinguishable from a phishing page
After: Branded Login Page
- Your company logo prominently displayed
- Custom background image or color
- Company name and security message in sign-in text
- Custom favicon in browser tab
- Footer with privacy/terms links
- Verdict: Employees can immediately verify authenticity. Any deviation is a red flag.
Train your employees to look for these visual cues. Include screenshots of the branded login page in your security awareness training. Tell them: "If you see a Microsoft login page without our logo, stop and report it."
Troubleshooting
Branding Not Showing After Saving
- Wait at least 15 minutes. CDN propagation takes time. In rare cases, up to 24 hours.
- Clear your browser cache or use an incognito window.
- Make sure you entered an email address from your tenant. Branding only appears after tenant identification.
Logo Looks Blurry
- Upload at the exact recommended dimensions (240 × 240 for square, 245 × 36 for banner).
- Use PNG format with sharp edges rather than JPG (which introduces compression artifacts).
- If your source logo is a vector (SVG), export at 2x the display size for crisp rendering on retina displays.
Background Image Not Displaying
- Verify the file is under 300 KB.
- Ensure the resolution is 1920 × 1080 px.
- Try a different image format (switch between PNG and JPG).
- On mobile, the background image may be hidden by design — test on desktop first.
Sign-In Text Not Appearing
- Verify the text is under 1024 characters.
- Do not include HTML tags — only plain text is supported.
- The text may not show on all sign-in flows (e.g., some app-specific sign-in dialogs skip it).
"You Don't Have Permission" Error
- You need Global Administrator or Organizational Branding Administrator role.
- If you have the right role but still see this error, check if a Conditional Access policy is blocking admin access from your current location/device.
- Try a different browser or disable browser extensions that might interfere with Entra ID.
Branding Shows for Some Users But Not Others
- CDN propagation can be uneven — wait 24 hours before investigating further.
- Users with cached sessions may see old branding. They need to clear cookies or use incognito.
- If you configured per-language branding, users whose browser language does not match may see the default branding (or none, if default is not configured).
Beyond Branding: Complete Anti-Phishing Prevention
Company branding is a visual deterrent. It is necessary but not sufficient. Here are the additional layers you should implement:
1. Multi-Factor Authentication (MFA)
MFA is the single most effective defense against credential phishing. Even if an attacker captures the password, they cannot complete authentication without the second factor.
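```powershell
# Check MFA status for all users via Microsoft Graph PowerShell
# Reading registration details requires the AuditLog.Read.All scope
Connect-MgGraph -Scopes "AuditLog.Read.All"
# -All pages through every user instead of returning only the first page
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Select-Object UserPrincipalName, IsMfaRegistered, DefaultMfaMethod |
    Export-Csv -Path "mfa-status.csv" -NoTypeInformation
```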
Recommendation: Enforce MFA for all users with a Conditional Access policy (not per-user MFA, which is legacy). Prefer phishing-resistant MFA methods:
- FIDO2 security keys (YubiKey, etc.) — best protection
- Windows Hello for Business — passwordless
- Microsoft Authenticator with number matching — good, mitigates MFA fatigue attacks
- Avoid SMS-based MFA — vulnerable to SIM swapping
2. Conditional Access Policies
Conditional Access lets you enforce security requirements based on context (location, device, risk level). Key policies for anti-phishing:
```
# Essential Conditional Access Policies:
1. Require MFA for all users, all cloud apps
   - Users: All users (exclude break-glass accounts)
   - Cloud apps: All cloud apps
   - Grant: Require MFA
2. Block legacy authentication
   - Users: All users
   - Cloud apps: All cloud apps
   - Conditions: Client apps = Exchange ActiveSync, Other clients
   - Grant: Block access
3. Require compliant/hybrid-joined devices for sensitive apps
   - Users: All users
   - Cloud apps: Office 365, Azure Management
   - Grant: Require compliant device OR Hybrid Azure AD joined
4. Block sign-ins from high-risk locations
   - Users: All users
   - Conditions: Locations = All locations EXCEPT trusted
   - Grant: Block (or require MFA + compliant device)
```
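Policies 1 and 2 from the list above expressed through Microsoft Graph PowerShell, as an added example that is not part of the original guide. Both are created in report-only state so their effect can be reviewed in the sign-in logs before enforcement; the display names and `$breakGlassId` are placeholders.

```powershell
# Added example: create policies 1 and 2 from the list above in report-only mode.
# Display names are hypothetical; $breakGlassId is a placeholder for the object ID
# of your emergency-access (break-glass) account.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace before running

$requireMfa = @{
    displayName   = 'Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # report-only: evaluated and logged, not enforced
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$blockLegacy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        # "Exchange ActiveSync" and "Other clients" in the portal
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $requireMfa, $blockLegacy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```

Once the report-only results look right, switch `state` to `enabled` to enforce the policy.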
3. Microsoft Defender for Office 365
If your plan includes Defender for Office 365 (M365 Business Premium, E5, or add-on), enable these features:
- Safe Links — rewrites URLs in emails and scans them at click time
- Safe Attachments — detonates attachments in a sandbox before delivery
- Anti-phishing policies — impersonation protection for key users and domains
- Attack simulation training — send simulated phishing emails to train employees
4. Security Defaults (If No Conditional Access)
If you do not have Entra ID P1 for Conditional Access, at minimum enable Security Defaults:
Entra Admin Center → Identity → Overview → Properties → Manage Security defaults → Enabled
This enforces MFA registration for all users, blocks legacy authentication, and requires MFA for admin roles.
5. User Training
Technology alone is not enough. Train your employees to:
- Check the URL before entering credentials — it should be login.microsoftonline.com
- Look for the company branding you just configured
- Never enter credentials from an email link — navigate to the portal directly
- Report suspicious emails using the "Report" button in Outlook or forward to your IT security team
- Be suspicious of urgency — phishing emails always create a sense of urgency
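The URL check from the first item, written as a helper for triaging links in reported emails. This is an added example, not part of the original guide; the expected host is the one named above and the sample URLs are constructed.

```powershell
# Added example: decide whether a link from a reported email really points at the
# sign-in host named in the training list. Sample URLs below are constructed.
$ExpectedHost = 'login.microsoftonline.com'

function Test-SignInUrl {
    param([Parameter(Mandatory)][string]$Url)

    $uri = $null
    if (-not [uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Trusted = $false; Reason = 'not an absolute URL' }
    }
    # Compare the parsed host, never a substring of the raw URL.
    # IdnHost is the Punycode form, so non-ASCII lookalike characters do not match.
    $reason =
        if ($uri.Scheme -ne 'https')           { 'not HTTPS' }
        elseif ($uri.UserInfo)                  { "has a user-info part before '@'; real host is $($uri.IdnHost)" }
        elseif ($uri.IdnHost -ne $ExpectedHost) { "host is $($uri.IdnHost)" }
        else                                    { $null }

    [pscustomobject]@{ Url = $Url; Trusted = -not $reason; Reason = $reason }
}

# Constructed samples: one genuine link and four that only resemble it.
$samples = @(
    'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
    'https://login.microsoftonline.com.signin.example/'
    'https://login.microsoftonline.com@signin.example/'
    'http://login.microsoftonline.com/'
    'https://login.microsoftonIine.com/'    # capital I in place of lowercase l
)
$samples | ForEach-Object { Test-SignInUrl $_ } | Format-Table -AutoSize -Wrap
```

Only the first sample is reported as trusted; each of the others carries the reason it failed.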
Anti-Phishing Defense Summary
| Layer | What It Protects Against | Effort |
|---|---|---|
| Company Branding | Generic phishing pages | 15 minutes |
| MFA (Authenticator) | Stolen passwords | 30 minutes |
| Phishing-resistant MFA (FIDO2) | AitM attacks, MFA fatigue | 1–2 hours |
| Conditional Access | Risky sign-ins, legacy auth | 1–2 hours |
| Defender for O365 | Malicious emails, links, attachments | 1 hour |
| User Training | Social engineering | Ongoing |
Summary
Adding company branding to your Microsoft 365 login page is one of the fastest, simplest security improvements you can make. It takes 15 minutes, costs nothing beyond your existing license, and gives every employee in your organization a visual anchor to verify they are on the legitimate sign-in page.
But do not stop at branding. The real protection comes from the combination of branding + MFA + Conditional Access + Defender + training. Each layer makes the attacker's job harder. Branding alone will not stop a determined adversary, but it will stop the vast majority of commodity phishing attacks that target your organization every day.
Quick wins you can implement today:
- Configure company branding (this article) — 15 minutes
- Enable MFA with number matching — 30 minutes
- Block legacy authentication via Conditional Access — 15 minutes
- Send a company-wide email with a screenshot of the new branded login page and instructions to report anything that looks different