Add your organization's brand to your Microsoft Purview Message Encryption encrypted messages
Article
Apply your company branding to customize the look of your organization's email messages and the encryption portal. You need to apply global administrator permissions to your work or school account before you can get started. You customize branding in one of two ways, using Exchange Online PowerShell or Microsoft Purview Data Loss Prevention (DLP) policies.
For more information about using Microsoft Purview Data Loss Prevention (DLP) policies to add customized branding to encrypted messages, see these resources.
The rest of this article describes using Exchange Online PowerShell.
Use the Get-OMEConfiguration and Set-OMEConfiguration cmdlets in Exchange Online PowerShell to customize these parts of encrypted email messages:
Introductory text
Disclaimer text
URL for Your organization's privacy statement
Text in the encrypted message portal
Logo that appears in the email message and encrypted message portal, or whether to use a logo at all
Background color in the email message and encrypted message portal
You can also revert back to the default look and feel at any time.
If you'd like more control, use Microsoft Purview Advanced Message Encryption to create multiple templates for encrypted emails originating from your organization. Use these templates to control parts of the end-user experience. For example, specify whether recipients can use Google, Yahoo, and Microsoft Accounts to sign in to the encryption portal. Use templates to fulfill several use cases, such as:
Individual departments, such as Finance, Sales, and so on.
Different products
Different geographical regions or countries
Whether you want to allow emails to be revoked
Whether you want emails sent to external recipients to expire after a specified number of days.
Once you've created the templates, apply them to encrypted emails sent from your online mailbox by using Exchange mail flow rules. If you have Microsoft Purview Advanced Message Encryption, you can revoke any email that you have branded.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Work with branding templates
You can modify several features within a branding template, and modify, but not remove, the default template. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates. Use Exchange Online PowerShell to work with one branding template at a time.
Set-OMEConfiguration - Modify the default branding template or a custom branding template that you created.
New-OMEConfiguration - Create a new branding template, Advanced Message Encryption only.
Remove-OMEConfiguration - Remove a custom branding template, Advanced Message Encryption only. You can't delete the default branding template.
Modify a branding template
Use Exchange Online PowerShell to modify one branding template at a time. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates.
Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see Connect to Exchange Online PowerShell.
Use the Set-OMEConfiguration cmdlet as described in Set-OMEConfiguration or use the following graphic and table for guidance.
To customize this feature of the encryption experience
Use these commands
Background color
Set-OMEConfiguration -Identity "<ConfigurationName>" -BackgroundColor "<#RRGGBB hexadecimal color code or name value>"
Supported file formats: .png, .jpg, .bmp, or .tiff
Optimal size of logo file: less than 40 KB
Optimal size of logo image: 170x70 pixels. If your image exceeds these dimensions, the service resizes your logo for display in the portal. The service doesn't modify the graphic file itself. For best results, use the optimal size.
Text next to the sender's name and email address
Set-OMEConfiguration -Identity "<ConfigurationName>" -IntroductionText "<String up to 1024 characters>"
Example:
Set-OMEConfiguration -Identity "Branding Template 1" -IntroductionText "has sent you a secure message."
Text that appears on the "Read Message" button
Set-OMEConfiguration -Identity "<ConfigurationName>" -ReadButtonText "<String up to 1024 characters>"
Create an encrypted message branding template (Advanced Message Encryption)
If you have Microsoft Purview Advanced Message Encryption, you can create custom branding templates for your organization by using the New-OMEConfiguration cmdlet. Once you've created the template, you modify the template by using the Set-OMEConfiguration cmdlet as described in Modify a branding template. You can create multiple templates.
To create a new custom branding template:
Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see Connect to Exchange Online PowerShell.
Return the default branding template to its original values
To remove all modifications from the default template, including brand customizations, and so on, complete these steps:
Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see Connect to Exchange Online PowerShell.
Use the Set-OMEConfiguration cmdlet as described in Set-OMEConfiguration. To remove your organization's branded customizations from the DisclaimerText, EmailText, and PortalText values, set the value to an empty string, "". For all image values, such as Logo, set the value to "$null".
The following table describes the encryption customization option defaults.
To revert this feature of the encryption experience back to the default text and image
Use these commands
Default text that comes with encrypted email messages. The default text appears above the instructions for viewing encrypted messages
Create an Exchange mail flow rule that applies your custom branding to encrypted emails sent from your online organization to external recipients
Important
Third-party applications that scan and modify mail can prevent branding from being applied correctly.
After you've either modified the default template or created new branding templates, you can create Exchange mail flow rules to apply your custom branding based on certain conditions. Most importantly, the email must be encrypted. Such a rule applies custom branding to mail sent from your online mailbox in the following scenarios:
If the email was manually encrypted by the end user using Outlook or Outlook on the web, formerly Outlook Web App
If the email was automatically encrypted by an Exchange mail flow rule or Microsoft Purview Data Loss Prevention policy
To ensure Microsoft Purview Message Encryption applies your custom branding, set up a mail flow rule to encrypt your messages. The priority of the encryption rule should be higher than the branding rule so that the encryption rule is processed first. By default, if you create the encryption rule before the branding rule, then the encryption rule has a higher priority. For information, see Define mail flow rules to encrypt email messages in Office 365. For information on setting the priority of a mail flow rule, see Manage mail flow rules.
In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.
Choose the Admin tile.
In the Microsoft 365 admin center, choose Admin centers > Exchange.
In Name, type a name for the rule, such as Branding for sales department.
In Apply this rule if, select the condition The sender is located inside the organization and other conditions you want from the list of available conditions. For example, you might want to apply a particular branding template to:
All encrypted emails sent from members of the finance department
Encrypted emails sent with a certain keyword such as "External" or "Partner"
Encrypted emails sent to a particular domain
If you've already defined a mail flow rule to apply encryption, skip this step. Otherwise, to configure the mail flow rule to apply encryption, from Do the following, select Modify the message security, and then select Apply Office 365 Message Encryption and rights protection. Select a Rights Management Service (RMS) template from the list and then select add action.
From Do the following, select Modify the message security > Apply custom branding to OME messages. Next, from the drop-down, select a branding template.
Select add action if you want to specify another action, or select Save, and then select OK.
Background color reference
The color names that you can use for the background color are limited. Instead of a color name, you can use a hex code value (#RRGGBB). You can use a hex code value that corresponds to a color name, or you can use a custom hex code value. Be sure to enclose the hex code value in quotation marks (for example, "#f0f8ff").
The available background color names and their corresponding hex code values are described in the following table.
This module introduces Microsoft Purview Message Encryption, an online service that’s built on Microsoft Azure Rights Management and includes encryption, identity, and authorization policies to help organizations secure their email.
> Create a new rule. For more information about using the EAC, see