Add your organization's brand to your encrypted messages

As an Exchange Online or Exchange Online Protection administrator, you can apply your company branding to customize the look of your organization's Office 365 Message Encryption email messages and the contents of the encryption portal. Using the Get-OMEConfiguration and Set-OMEConfiguration Windows PowerShell cmdlets, you can customize the following aspects of the viewing experience for recipients of encrypted email messages:

  • Introductory text of the email that contains the encrypted message

  • Disclaimer text of the email that contains the encrypted message

  • Text that appears in the OME portal

  • Logo that appears in the email message and OME portal

  • Background color in the email message and OME portal

You can also revert back to the default look and feel at any time.

If you'd like more control, you can use Office 365 Advanced Message Encryption and create multiple templates for encrypted emails originating from your organization. Using these templates, you can control more than just the look and feel of the email messages, but also control parts of the end-user experience. For example, you can specify whether or not recipients of mail that have this template applied and who use Google, Yahoo, and Microsoft Accounts can use these accounts to sign in to the Office 365 Message Encryption portal. You might use templates to fulfill several use cases, such as:

  • Templates for each department, such as Finance, Sales, etc.

  • Templates for different products

  • Templates for different geographical regions or countries

  • Whether or not you want to allow emails to be revoked

  • Whether or not you want emails sent to external recipients to expire after a specified number of days.

Once you've created the templates, you can apply them to encrypted emails by using Exchange mail flow rules. If you have Office 365 Advanced Message Encryption, you can revoke any email that you've branded by using these templates.

This article is part of a larger series of articles about Office 365 Message Encryption. This article is intended for administrators and ITPros. If you're just looking for information on sending or receiving an encrypted message, see the list of articles in Office 365 Message Encryption (OME) and locate the article that best fits your needs.

Create branding templates

You create branding templates for your organization in Windows PowerShell with the New-OMEConfiguration cmdlet. Once you've created the template, you define the pieces of the template by using the Set-OMEConfiguration cmdlet. You can create multiple templates.

Customizable email parts

  1. Using a work or school account that has global administrator permissions in your Office 365 organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see Connect to Exchange Online PowerShell.

  2. Use the New-OMEConfiguration cmdlet to create a new template.

    New-OMEConfiguration -Identity <OMEConfigurationIdParameter>
    

    For example,

    New-OMEConfiguration -Identity <Branding template 1>
    
  3. Define the customizations for the template you just defined by using the Set-OMEConfiguration cmdlet as described in Set-OMEConfiguration or use the following table for guidance.

To customize this feature of the encryption experience Use these commands
Background color Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -BackgroundColor "<Hexadecimal color code>"
Example:
Set-OMEConfiguration -Identity "Branding Template 1" -BackgroundColor "#ffffff"
Logo Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>
Example:
Set-OMEConfiguration -Identity "Branding Template 1" -Image (Get-Content "C:\Temp\contosologo.png" -Encoding byte)
Supported file formats: .png, .jpg, .bmp, or .tiff
Optimal size of logo file: less than 40 KB
Optimal size of logo image: 170x70 pixels
Text next to the sender's name and email address Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -IntroductionText "<String up to 1024 characters>"
Example:
Set-OMEConfiguration -Identity "Branding Template 1" -IntroductionText "has sent you a secure message."
Text that appears on the "Read Message" button Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -ReadButtonText "<String up to 1024 characters>"
Example:
Set-OMEConfiguration -Identity "OME Configuration" -ReadButtonText "Read Secure Message."
Text that appears above below the "Read Message" button Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<String up to 1024 characters>"
Example:
Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system."
Disclaimer statement in the email that contains the encrypted message Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -DisclaimerText "<Disclaimer statement. String of up to 1024 characters.>"
Example:
Set-OMEConfiguration -Identity "Branding Template 1" -DisclaimerText "This message is confidential for the use of the addressee only."
Text that appears at the top of the encrypted mail viewing portal Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<Text for your portal. String of up to 128 characters.>"
Example:
Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure email portal."
To enable or disable authentication with a one-time pass code for this custom template Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -OTPEnabled <$true|$false>
Examples:
To enable one-time passcodes for this custom template
Set-OMEConfiguration -Identity "Branding Template 1" -OTPEnabled $true
To disable one-time passcodes for this custom template
Set-OMEConfiguration -Identity "Branding Template 1" -OTPEnabled $false
To enable or disable authentication with Microsoft, Google, or Yahoo identities for this custom template Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -SocialIdSignIn <$true|$false>
Examples:
To enable social IDs for this custom template
Set-OMEConfiguration -Identity "Branding Template 1" -SocialIdSignIn $true
To disable social IDs for this custom template
Set-OMEConfiguration -Identity "Branding Template 1" -SocialIdSignIn $false

To remove brand customizations from the OME portal and email messages encrypted by OME

  1. Connect to Exchange Online PowerShell.

  2. Use the Set-OMEConfiguration cmdlet as described in Set-OMEConfiguration. To remove your organization's branded customizations from the DisclaimerText, EmailText, and PortalText values, set the value to an empty string, "". For all image values, such as Logo, set the value to "$null".

Encryption customization options

Use these commands
Default text that accompanies encrypted email messages
The default text appears above the instructions for viewing encrypted messages
Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<empty string>"
Example:
Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""
Disclaimer statement in the email that contains the encrypted message Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<empty string>"
Example:
Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText ""
Text that appears at the top of the encrypted mail viewing portal Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<empty string>"
Example reverting back to default:
Set-OMEConfiguration -Identity "OME Configuration" -PortalText ""
Logo Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <"$null">
Example reverting back to default:
Set-OMEConfiguration -Identity "OME configuration" -Image $null
Background color Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -BackgroundColor <"$null">
Example reverting back to default:
Set-OMEConfiguration -Identity "OME configuration" -BackgroundColor $null

Create an Exchange mail flow rule that applies custom branding to encrypted emails

After you've created a branding template, you can create Exchange mail flow rules to apply that custom branding based on certain conditions. Such a rule will apply custom branding in the following scenarios:

  • If the email was manually encrypted by the end-user from the Outlook or Outlook on the web (formerly known as Outlook Web App) clients

  • If the email was automatically encrypted by an Exchange Mail Flow rule or Office 365 Data Loss Prevention policy

For information on how to create an Exchange mail flow rule that applies encryption, see Define mail flow rules to encrypt email messages in Office 365.

  1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.

  2. Choose the Admin tile.

  3. In the Office 365 admin center, choose Admin centers > Exchange.

  4. In the EAC, go to Mail flow > Rules and select New New icon > Create a new rule. For more information about using the EAC, see Exchange admin center in Exchange Online.

  5. In Name, type a name for the rule, such as Branding for sales department.

  6. In Apply this rule if select a condition, select the condition The sender is located inside the organization as well as other conditions you want from the list of available conditions. For example, you might want to apply a particular branding template to:

    • All encrypted emails sent from members of the finance department
    • Encrypted emails sent with a certain keyword such as “External” or “Partner”
    • Encrypted emails sent to a particular domain
  7. From Do the following, select Modify the message security > Apply custom branding to OME messages. Next, from the drop-down, select a branding template from those that you created.

  8. (Optional) If you want the mail flow rule to also apply encryption in addition to the custom branding, From Do the following, select Modify the message security and then choose Apply Office 365 Message Encryption and rights protection. Select an RMS template from the list, choose Save, and then choose OK.

    The list of templates includes all default templates and options as well as any custom templates you've created for use by Office 365. If the list is empty, ensure that you have set up Office 365 Message Encryption with the new capabilities as described in Set up new Office 365 Message Encryption capabilities. For information about the default templates, see Configuring and managing templates for Azure Information Protection. For information about the Do Not Forward option, see Do Not Forward option for emails. For information about the encrypt only option, see Encrypt Only option for emails.

    You can choose add action if you want to specify another action.