Add your organization's brand to your encrypted messages
As an Exchange Online or Exchange Online Protection administrator, you can apply your company branding to customize the look of your organization's Office 365 Message Encryption email messages and the contents of the encryption portal. Using the Get-OMEConfiguration and Set-OMEConfiguration Windows PowerShell cmdlets, you can customize the following aspects of the viewing experience for recipients of encrypted email messages:
- Introductory text of the email that contains the encrypted message
- Disclaimer text of the email that contains the encrypted message
- Text that appears in the OME portal
- Logo that appears in the email message and OME portal
- Background color in the email message and OME portal
You can also revert back to the default look and feel at any time.
If you'd like more control, you can create multiple templates for encrypted emails originating from your organization. Using these templates, you can control more than just the look and feel of the email messages, but also control parts of the end-user experience. For example, you can specify whether or not recipients of mail that have this template applied and who use Google, Yahoo, and Microsoft Accounts can use these accounts to sign in to the Office 365 Message Encryption portal. You might use templates to fulfill several use cases, such as:
- Templates for each department, such as Finance, Sales, etc.
- Templates for different products
- Templates for different geographical regions or countries
Once you've created the templates, you can apply them to encrypted emails by using Exchange mail flow rules. All mails that are branded by using these templates can be revoked.
|This article is part of a larger series of articles about Office 365 Message Encryption. This article is intended for administrators and ITPros. If you're just looking for information on sending or receiving an encrypted message, see the list of articles in Office 365 Message Encryption (OME) and locate the article that best fits your needs.|
Create branding templates
You create branding templates for your organization in Windows PowerShell with the New-OMEConfiguration cmdlet. Once you've created the template, you define the pieces of the template by using the Set-OMEConfiguration cmdlet. You can create multiple templates.
Using a work or school account that has global administrator permissions in your Office 365 organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see Connect to Exchange Online PowerShell.
Use the New-OMEConfiguration cmdlet to create a new template.
New-OMEConfiguration -Identity <OMEConfigurationIdParameter>
New-OMEConfiguration -Identity <Branding template 1>
Define the customizations for the template you just defined by using the Set-OMEConfiguration cmdlet as described in Set-OMEConfiguration or use the following table for guidance.
|To customize this feature of the encryption experience||Use these commands|
Supported file formats: .png, .jpg, .bmp, or .tiff
Optimal size of logo file: less than 40 KB
Optimal size of logo image: 170x70 pixels
|Text next to the sender's name and email address||
|Text that appears on the "Read Message" button||
|Text that appears above below the "Read Message" button||
|Disclaimer statement in the email that contains the encrypted message
|Text that appears at the top of the encrypted mail viewing portal
|To enable or disable authentication with a one-time pass code for this custom template||
To enable one-time passcodes for this custom template
To disable one-time passcodes for this custom template
|To enable or disable authentication with Microsoft, Google, or Yahoo identities for this custom template||
To enable social IDs for this custom template
To disable social IDs for this custom template
To remove brand customizations from the OME portal and email messages encrypted by OME
Use the Set-OMEConfiguration cmdlet as described in Set-OMEConfiguration. To remove your organization's branded customizations from the DisclaimerText, EmailText, and PortalText values, set the value to an empty string,
"". For all image values, such as Logo, set the value to
Encryption customization options
|Use these commands|
|Default text that accompanies encrypted email messages
The default text appears above the instructions for viewing encrypted messages
|Disclaimer statement in the email that contains the encrypted message||
|Text that appears at the top of the encrypted mail viewing portal||
Example reverting back to default:
Example reverting back to default:
Example reverting back to default:
Create an Exchange mail flow rule that applies custom branding to encrypted emails
After you've created a branding template, you can create Exchange mail flow rules to apply that custom branding based on certain conditions. Such a rule will apply custom branding in the following scenarios:
- If the email was manually encrypted by the end-user from the Outlook or OWA clients
- If the email was automatically encrypted by an Exchange Mail Flow rule or Office 365 Data Loss Prevention policy
For information on how to create an Exchange mail flow rule that applies encryption, see Define mail flow rules to encrypt email messages in Office 365.
In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.
Choose the Admin tile.
In the Office 365 admin center, choose Admin centers > Exchange.
In the EAC, go to Mail flow > Rules and select New > Create a new rule. For more information about using the EAC, see Exchange Admin Center in Exchange Online.
In Name, type a name for the rule, such as Branding for sales department.
In Apply this rule if select a condition, select the condition The sender is located inside the organization as well as other conditions you want from the list of available conditions. For example, you might want to apply a particular branding template to:
- All encrypted emails sent from members of the finance department
- Encrypted emails sent with a certain keyword such as “External” or “Partner”
- Encrypted emails sent to a particular domain
From Do the following, select Modify the message security > Apply custom branding to OME messages. Next, from the drop-down, select a branding template from those that you created.
(Optional) If you want the mail flow rule to also apply encryption in addition to the custom branding, From Do the following, select Modify the message security and then choose Apply Office 365 Message Encryption and rights protection. Select an RMS template from the list, choose Save, and then choose OK.
The list of templates includes all default templates and options as well as any custom templates you've created for use by Office 365. If the list is empty, ensure that you have set up Office 365 Message Encryption with the new capabilities as described in Set up new Office 365 Message Encryption capabilities. For information about the default templates, see Configuring and managing templates for Azure Information Protection. For information about the Do Not Forward option, see Do Not Forward option for emails. For information about the encrypt only option, see Encrypt Only option for emails.
You can choose add action if you want to specify another action.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.