Add your organization's brand to your Microsoft Purview Message Encryption encrypted messages

Apply your company branding to customize the look of your organization's email messages and the encryption portal. You need to apply global administrator permissions to your work or school account before you can get started. You customize branding in one of two ways, using Exchange Online PowerShell or Microsoft Purview Data Loss Prevention (DLP) policies.

For more information about using Microsoft Purview Data Loss Prevention (DLP) policies to add customized branding to encrypted messages, see these resources.

The rest of this article describes using Exchange Online PowerShell.

Use the Get-OMEConfiguration and Set-OMEConfiguration cmdlets in Exchange Online PowerShell to customize these parts of encrypted email messages:

  • Introductory text
  • Disclaimer text
  • URL for Your organization's privacy statement
  • Text in the encrypted message portal
  • Logo that appears in the email message and encrypted message portal, or whether to use a logo at all
  • Background color in the email message and encrypted message portal

You can also revert back to the default look and feel at any time.

If you'd like more control, use Microsoft Purview Advanced Message Encryption to create multiple templates for encrypted emails originating from your organization. Use these templates to control parts of the end-user experience. For example, specify whether recipients can use Google, Yahoo, and Microsoft Accounts to sign in to the encryption portal. Use templates to fulfill several use cases, such as:

  • Individual departments, such as Finance, Sales, and so on.
  • Different products
  • Different geographical regions or countries
  • Whether you want to allow emails to be revoked
  • Whether you want emails sent to external recipients to expire after a specified number of days.

Once you've created the templates, apply them to encrypted emails sent from your online mailbox by using Exchange mail flow rules. If you have Microsoft Purview Advanced Message Encryption, you can revoke any email that you have branded.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Work with branding templates

You can modify several features within a branding template, and modify, but not remove, the default template. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates. Use Exchange Online PowerShell to work with one branding template at a time.

  • Set-OMEConfiguration - Modify the default branding template or a custom branding template that you created.
  • New-OMEConfiguration - Create a new branding template, Advanced Message Encryption only.
  • Remove-OMEConfiguration - Remove a custom branding template, Advanced Message Encryption only. You can't delete the default branding template.

Modify a branding template

Use Exchange Online PowerShell to modify one branding template at a time. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates.

  1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see Connect to Exchange Online PowerShell.

  2. Use the Set-OMEConfiguration cmdlet as described in Set-OMEConfiguration or use the following graphic and table for guidance.

Customizable email parts.

To customize this feature of the encryption experience Use these commands
Background color Set-OMEConfiguration -Identity "<ConfigurationName>" -BackgroundColor "<#RRGGBB hexadecimal color code or name value>"

Example:

Set-OMEConfiguration -Identity "Branding Template 1" -BackgroundColor "#ffffff"

For more information about background colors, see the Background colors section later in this article.

Logo Set-OMEConfiguration -Identity "<ConfigurationName>" -Image <Byte[]>

Example:

Set-OMEConfiguration -Identity "Branding Template 1" -Image ([System.IO.File]::ReadAllBytes('C:\Temp\contosologo.png'))

Supported file formats: .png, .jpg, .bmp, or .tiff

Optimal size of logo file: less than 40 KB

Optimal size of logo image: 170x70 pixels. If your image exceeds these dimensions, the service resizes your logo for display in the portal. The service doesn't modify the graphic file itself. For best results, use the optimal size.

Text next to the sender's name and email address Set-OMEConfiguration -Identity "<ConfigurationName>" -IntroductionText "<String up to 1024 characters>"

Example:

Set-OMEConfiguration -Identity "Branding Template 1" -IntroductionText "has sent you a secure message."

Text that appears on the "Read Message" button Set-OMEConfiguration -Identity "<ConfigurationName>" -ReadButtonText "<String up to 1024 characters>"

Example:

Set-OMEConfiguration -Identity "Message encryption configuration" -ReadButtonText "Read Secure Message."

Text that appears below the "Read Message" button Set-OMEConfiguration -Identity "<ConfigurationName>" -EmailText "<String up to 1024 characters>"

Example:

Set-OMEConfiguration -Identity "Message encryption configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system."

URL for the Privacy Statement link Set-OMEConfiguration -Identity "<ConfigurationName>" -PrivacyStatementURL "<URL>"

Example:

Set-OMEConfiguration -Identity "Branding Template 1" -PrivacyStatementURL "https://contoso.com/privacystatement.html"

Disclaimer statement in the email that contains the encrypted message Set-OMEConfiguration -Identity "<OMEConfigurationName>" -DisclaimerText "<Disclaimer statement. String of up to 1024 characters.>"

Example:

Set-OMEConfiguration -Identity "Branding Template 1" -DisclaimerText "This message is confidential for the use of the addressee only."

Text that appears at the top of the encrypted mail viewing portal Set-OMEConfiguration -Identity "<OMEConfigurationName>" -PortalText "<Text for your portal. String of up to 128 characters.>"

Example:

Set-OMEConfiguration -Identity "Message encryption cfonfiguration" -PortalText "ContosoPharma secure email portal."

To enable or disable authentication with a one-time pass code for this custom template Set-OMEConfiguration -Identity "<OMEConfigurationName>" -OTPEnabled <$true|$false>

Examples:
To enable one-time passcodes for this custom template

Set-OMEConfiguration -Identity "Branding Template 1" -OTPEnabled $true

To disable one-time passcodes for this custom template

Set-OMEConfiguration -Identity "Branding Template 1" -OTPEnabled $false

To enable or disable authentication with Microsoft, Google, or Yahoo identities for this custom template Set-OMEConfiguration -Identity "<OMEConfigurationName>" -SocialIdSignIn <$true|$false>

Examples:
To enable social IDs for this custom template

Set-OMEConfiguration -Identity "Branding Template 1" -SocialIdSignIn $true

To disable social IDs for this custom template

Set-OMEConfiguration -Identity "Branding Template 1" -SocialIdSignIn $false

Create an encrypted message branding template (Advanced Message Encryption)

If you have Microsoft Purview Advanced Message Encryption, you can create custom branding templates for your organization by using the New-OMEConfiguration cmdlet. Once you've created the template, you modify the template by using the Set-OMEConfiguration cmdlet as described in Modify a branding template. You can create multiple templates.

To create a new custom branding template:

  1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see Connect to Exchange Online PowerShell.

  2. Use the New-OMEConfiguration cmdlet to create a new template.

    New-OMEConfiguration -Identity "<OMEConfigurationName>"
    

    For example,

    New-OMEConfiguration -Identity "Custom branding template"
    

Return the default branding template to its original values

To remove all modifications from the default template, including brand customizations, and so on, complete these steps:

  1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see Connect to Exchange Online PowerShell.

  2. Use the Set-OMEConfiguration cmdlet as described in Set-OMEConfiguration. To remove your organization's branded customizations from the DisclaimerText, EmailText, and PortalText values, set the value to an empty string, "". For all image values, such as Logo, set the value to "$null".

    The following table describes the encryption customization option defaults.

    To revert this feature of the encryption experience back to the default text and image Use these commands
    Default text that comes with encrypted email messages. The default text appears above the instructions for viewing encrypted messages Set-OMEConfiguration -Identity "<OMEConfigurationName>" -EmailText "<empty string>"

    Example:

    Set-OMEConfiguration -Identity "Message encryption configuration" -EmailText ""

    Disclaimer statement in the email that contains the encrypted message Set-OMEConfiguration -Identity "<OMEConfigurationName>" DisclaimerText "<empty string>"

    Example:

    Set-OMEConfiguration -Identity "Message encryption configuration" -DisclaimerText ""

    Text that appears at the top of the encrypted mail viewing portal Set-OMEConfiguration -Identity "<OMEConfigurationName>" -PortalText "<empty string>"

    Example reverting back to default:

    Set-OMEConfiguration -Identity "Message encryption configuration" -PortalText ""

    Logo Set-OMEConfiguration -Identity "<OMEConfigurationName>" -Image <"$null">

    Example reverting back to default:

    Set-OMEConfiguration -Identity "Message encryption configuration" -Image $null

    Background color Set-OMEConfiguration -Identity "<ConfigurationName>" -BackgroundColor "$null">

    Example reverting back to default:

    Set-OMEConfiguration -Identity "Message encryption configuration" -BackgroundColor $null

Remove a custom branding template (Advanced Message Encryption)

You can only remove or delete branding templates that you've made. You can't remove the default branding template.

To remove a custom branding template:

  1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell.

  2. Use the Remove-OMEConfiguration cmdlet as follows:

    Remove-OMEConfiguration -Identity "<OMEConfigurationName>"
    

    For example,

    Remove-OMEConfiguration -Identity "Branding template 1"
    

    For more information, see Remove-OMEConfiguration.

Create an Exchange mail flow rule that applies your custom branding to encrypted emails sent from your online organization to external recipients

Important

Third-party applications that scan and modify mail can prevent branding from being applied correctly.

After you've either modified the default template or created new branding templates, you can create Exchange mail flow rules to apply your custom branding based on certain conditions. Most importantly, the email must be encrypted. Such a rule applies custom branding to mail sent from your online mailbox in the following scenarios:

  • If the email was manually encrypted by the end user using Outlook or Outlook on the web, formerly Outlook Web App
  • If the email was automatically encrypted by an Exchange mail flow rule or Microsoft Purview Data Loss Prevention policy

To ensure Microsoft Purview Message Encryption applies your custom branding, set up a mail flow rule to encrypt your messages. The priority of the encryption rule should be higher than the branding rule so that the encryption rule is processed first. By default, if you create the encryption rule before the branding rule, then the encryption rule has a higher priority. For information, see Define mail flow rules to encrypt email messages in Office 365. For information on setting the priority of a mail flow rule, see Manage mail flow rules.

  1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.

  2. Choose the Admin tile.

  3. In the Microsoft 365 admin center, choose Admin centers > Exchange.

  4. In the EAC, go to Mail flow > Rules and select New New icon. > Create a new rule. For more information about using the EAC, see Exchange admin center in Exchange Online.

  5. In Name, type a name for the rule, such as Branding for sales department.

  6. In Apply this rule if, select the condition The sender is located inside the organization and other conditions you want from the list of available conditions. For example, you might want to apply a particular branding template to:

    • All encrypted emails sent from members of the finance department
    • Encrypted emails sent with a certain keyword such as "External" or "Partner"
    • Encrypted emails sent to a particular domain
  7. If you've already defined a mail flow rule to apply encryption, skip this step. Otherwise, to configure the mail flow rule to apply encryption, from Do the following, select Modify the message security, and then select Apply Office 365 Message Encryption and rights protection. Select a Rights Management Service (RMS) template from the list and then select add action.

    The list of templates includes default templates and options and any custom templates you create. If the list is empty, ensure that you have set up Microsoft Purview Message Encryption. For instructions, see Set up Microsoft Purview Message Encryption. For information about the default templates, see Configuring and managing templates for Azure Information Protection. For information about the Do Not Forward option, see the Do Not Forward option for emails. For information about the Encrypt Only option, see Encrypt Only option for emails.

  8. From Do the following, select Modify the message security > Apply custom branding to OME messages. Next, from the drop-down, select a branding template.

    Select add action if you want to specify another action, or select Save, and then select OK.

Background color reference

The color names that you can use for the background color are limited. Instead of a color name, you can use a hex code value (#RRGGBB). You can use a hex code value that corresponds to a color name, or you can use a custom hex code value. Be sure to enclose the hex code value in quotation marks (for example, "#f0f8ff").

The available background color names and their corresponding hex code values are described in the following table.

Color name Color code
aliceblue #f0f8ff
antiquewhite #faebd7
aqua #00ffff
aquamarine #7fffd4
azure #f0ffff
beige #f5f5dc
bisque #ffe4c4
black #000000
blanchedalmond #ffebcd
blue #0000ff
blueviolet #8a2be2
brown #a52a2a
burlywood #deb887
cadetblue #5f9ea0
chartreuse #7fff00
chocolate #d2691e
coral #ff7f50
cornflowerblue #6495ed
cornsilk #fff8dc
crimson #dc143c
cyan #00ffff
darkblue #00008b
darkcyan #008b8b
darkgoldenrod #b8860b
darkgray #a9a9a9
darkgreen #006400
darkkhaki #bdb76b
darkmagenta #8b008b
darkolivegreen #556b2f
darkorange #ff8c00
darkorchid #9932cc
darkred #8b0000
darksalmon #e9967a
darkseagreen #8fbc8f
darkslateblue #483d8b
darkslategray #2f4f4f
darkturquoise #00ced1
darkviolet #9400d3
deeppink #ff1493
deepskyblue #00bfff
dimgray #696969
dodgerblue #1e90ff
firebrick #b22222
floralwhite #fffaf0
forestgreen #228b22
fuchsia #ff00ff
gainsboro #dcdcdc
ghostwhite #f8f8ff
gold #ffd700
goldenrod #daa520
gray #808080
green #008000
greenyellow #adff2f
honeydew #f0fff0
hotpink #ff69b4
indianred #cd5c5c
indigo #4b0082
ivory #fffff0
khaki #f0e68c
lavender #e6e6fa
lavenderblush #fff0f5
lawngreen #7cfc00
lemonchiffon #fffacd
lightblue #add8e6
lightcoral #f08080
lightcyan #e0ffff
lightgoldenrodyellow #fafad2
lightgray #d3d3d3
lightgrey #d3d3d3
lightgreen #90ee90
lightpink #ffb6c1
lightsalmon #ffa07a
lightseagreen #20b2aa
lightskyblue #87cefa
lightslategray #778899
lightsteelblue #b0c4de
lightyellow #ffffe0
lime #00ff00
limegreen #32cd32
linen #faf0e6
magenta #ff00ff
maroon #800000
mediumaquamarine #66cdaa
mediumblue #0000cd
mediumorchid #ba55d3
mediumpurple #9370db
mediumseagreen #3cb371
mediumslateblue #7b68ee
mediumspringgreen #00fa9a
mediumturquoise #48d1cc
mediumvioletred #c71585
midnightblue #191970
mintcream #f5fffa
mistyrose #ffe4e1
moccasin #ffe4b5
navajowhite #ffdead
navy #000080
oldlace #fdf5e6
olive #808000
olivedrab #6b8e23
orange #ffa500
orangered #ff4500
orchid #da70d6
palegoldenrod #eee8aa
palegreen #98fb98
paleturquoise #afeeee
palevioletred #db7093
papayawhip #ffefd5
peachpuff #ffdab9
peru #cd853f
pink #ffc0cb
plum #dda0dd
powderblue #b0e0e6
purple #800080
red #ff0000
rosybrown #bc8f8f
royalblue #4169e1
saddlebrown #8b4513
salmon #fa8072
sandybrown #f4a460
seagreen #00ff00
seashell #fff5ee
sienna #a0522d
silver #c0c0c0
skyblue #87ceeb
slateblue #6a5acd
slategray #708090
snow #fffafa
springgreen #00ff7f
steelblue #4682b4
tan #d2b48c
teal #008080
thistle #d8bfd8
tomato #ff6347
turquoise #40e0d0
violet #ee82ee
wheat #f5deb3
white #ffffff
whitesmoke #f5f5f5
yellow #ffff00
yellowgreen #9acd32