Interstellar Business Solutions Limited

September 2024

Key Visual Branding Factors in Microsoft 365 Tenant-to-Tenant Migrations

It’s About More Than Just Moving Data

When you’re undertaking a Microsoft 365 tenant-to-tenant migration, think of it as more than just moving data. It’s like relocating to a new home: you want to do more than transport your belongings; you want the new place to feel familiar and comfortable. For businesses, this means not only transferring data but also making sure the digital workspace matches the brand identity and gives users a smooth experience. A common reason for a tenant-to-tenant migration is an acquisition. For example, if Company A acquires Company B and needs to move Company B’s data into Company A’s tenant, there are extra steps to consider if Company B’s unique identity needs to be preserved. In this article, we cover practical steps and scripts to ensure that your Microsoft 365 tenant transition maintains cohesive visual branding, making the move as smooth as possible for both your team and your data.

Customizing the Sign-in Experience

The browser sign-in page is usually the first place users interact with a Microsoft 365 environment. By customizing this page, you strengthen your environment’s identity and give users confidence that they are signing in to the correct tenant, which also makes a look-alike phishing page easier to spot. You can also add IT support information for users who need help with the sign-in process. Microsoft provides guidelines on how to add custom branding to the sign-in experience. Below, you’ll see a comparison between the default Microsoft 365 sign-in page (Figure 1) and a customized version (Figure 2). When you sign in through a generic link such as portal.office.com or microsoft365.com, your organization’s custom sign-in page only appears after you enter your email address or phone number and click “Next.” The generic page cannot show tenant branding before that point because Entra ID first uses the username to work out which tenant (home realm) the account belongs to; no password has been entered yet at that stage. If you want the custom branding to appear immediately, include your organization’s verified domain name in the URL you use to connect to Microsoft 365.
Customize Company Branding with PowerShell

Once you’ve ensured that all prerequisites for custom company branding are met, connect to Microsoft Graph using the PowerShell SDK. Because every branding property has a default value, you only need to send the string properties you want to change, and you can do that in a single PATCH request with the Invoke-MgGraphRequest cmdlet. Image properties (logos, background image, favicon) must be uploaded one at a time with PUT requests. You can set any of the organizational branding properties that Microsoft Graph supports. The post’s script sets the string properties, updates the tenant configuration with Invoke-MgGraphRequest, and finishes by disconnecting from Graph.

Branding the Microsoft 365 Suite Header

A consistent theme helps reinforce your organization’s identity across Microsoft 365. The “Organization theme” refers to the colors and logo displayed in the Microsoft 365 suite header. This header, shown below, remains visible in all browser-based Microsoft 365 apps. Tenants can have multiple organization themes: a default theme for everyone in the organization, plus up to four additional themes. These extra themes can be assigned to one or more Microsoft 365 groups (but not to security or distribution groups). For acquisitions, you might want to create an additional theme for migrated users. As long as you meet the prerequisites, you can create a dynamic Microsoft 365 group based on properties like companyName. Microsoft’s documentation provides clear instructions on how to customize the default theme and create additional themes. Currently, you can’t configure a tenant’s organization theme using scripts.

SharePoint Online Branding

SharePoint sites are key to collaboration and should reflect your company’s visual identity. You can reinforce this identity through the theme, header, navigation, and footer of your SharePoint sites. This blog post explains the basics of changing your site’s look, including adding a site logo, and teaches you how to create and deploy a custom color theme.
If your migration involves an acquisition and the source sites aren’t set up in a hub structure, creating a branded hub site for the acquired company and linking their migrated sites to it can help migrated users find their information more easily. It also helps existing users identify which data belongs to the migrated company.

Add a Custom Tile to the App Launcher

The Microsoft 365 app launcher contains the apps and services that you are licensed for. With a bit of configuration, the app launcher can include custom tiles. These can help users navigate more easily to shared resources, for example a hub site in SharePoint Online. Below is a simplified image of the app launcher menu:

It’s Time to Refresh and Reinforce
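The following script illustrates the Customize Company Branding with PowerShell section above. It is an added example, not the original post’s script. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can edit company branding (Organizational Branding Administrator or Global Administrator); the sign-in text, hint, colour and file paths are placeholders you would replace with your own.

```powershell
# Added example (not the original post's script). Assumes the Microsoft.Graph
# PowerShell SDK and an account that can edit company branding. Text, colour
# and file paths below are placeholders.

Connect-MgGraph -Scopes 'Organization.ReadWrite.All' -NoWelcome

# The branding resource hangs off the organization object, so fetch its id first.
$org         = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/organization'
$orgId       = $org.value[0].id
$brandingUri = "https://graph.microsoft.com/v1.0/organization/$orgId/branding"

# 1. String properties: every property has a default, so send only the ones
#    you want to change, all in a single PATCH. The hashtable is serialized as JSON.
$text = @{
    signInPageText   = 'Contoso sign-in. Problems? Contact the IT Service Desk on ext. 1234.'
    usernameHintText = 'firstname.lastname@contoso.com'
    backgroundColor  = '#1B365D'   # shown wherever the background image does not load
}
Invoke-MgGraphRequest -Method PATCH -Uri $brandingUri -Body $text

# 2. Image properties: one PUT per image, raw file bytes with an image content type.
#    Keys are the Graph property names; values are placeholder local paths.
$images = @{
    bannerLogo      = 'C:\Branding\banner-logo.png'
    backgroundImage = 'C:\Branding\background.jpg'
    squareLogo      = 'C:\Branding\square-logo.png'
}
foreach ($image in $images.GetEnumerator()) {
    $contentType = if ($image.Value -like '*.png') { 'image/png' } else { 'image/jpeg' }
    Invoke-MgGraphRequest -Method PUT -Uri "$brandingUri/$($image.Key)" `
        -ContentType $contentType -InputFilePath $image.Value
}

# 3. Read the configuration back and confirm it matches what was sent. A partial
#    failure that goes unnoticed is what leaves users on an unbranded page.
$applied = Invoke-MgGraphRequest -Method GET -Uri $brandingUri
foreach ($key in $text.Keys) {
    if ($applied[$key] -ne $text[$key]) {
        Write-Warning "Branding property '$key' was not applied (tenant has '$($applied[$key])')."
    }
}
# Image uploads are reflected as CDN-relative URLs on the branding object.
'bannerLogoRelativeUrl', 'backgroundImageRelativeUrl', 'squareLogoRelativeUrl' |
    ForEach-Object { '{0}: {1}' -f $_, $applied[$_] }

Disconnect-MgGraph
```

This targets the tenant’s default branding; per-language variants live under /branding/localizations/{languageCode} and are updated the same way. Graph rejects images that exceed the documented size limits for each property, so check the warnings and the returned relative URLs, then confirm the result in a private browser window by signing in through a URL that carries your verified domain name.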

Protecting Microsoft 365 Data from Unapproved AI Tools

Generative AI tools are becoming increasingly common, with claims of boosting productivity by generating content and synthesizing information. However, the rise of these applications brings a greater risk of organizational data leaks. Many AI tools operate via web clients and can be used without any authentication, so it is crucial that employees only use services approved by their company, especially when handling sensitive corporate data. Sharing such information with unapproved apps can lead to unintended consequences. When I mention “unapproved applications,” I’m not implying these tools are unsafe. The term refers to any apps not approved by the organization for official use, including those from well-known vendors. There are several reasons a company might restrict access to widely trusted tools: data privacy regulations in their industry, GDPR compliance, or simply wanting tighter control over which apps employees can use. This article highlights steps to secure Microsoft 365 data from unapproved generative AI apps. Some solutions might require premium or add-on licenses.

Preventing End Users from Granting Consent to Third-Party Apps

In many tenants, non-admin users can consent to apps accessing company data on their behalf, which means they can grant a third-party AI tool permission to read their mail, files, or directory data. Whether this is allowed is governed by the tenant’s user consent settings in Microsoft Entra (Enterprise applications > Consent and permissions), not by Security Defaults: Security Defaults enforce MFA registration and block legacy authentication, but leave user consent settings unchanged. Figure 1 illustrates the experience for end users when granting consent to a third-party app in Microsoft Entra. You should review those settings and restrict users’ ability to create app registrations or consent to applications by default, routing requests through the admin consent workflow instead; if Security Defaults aren’t enabled for your organization, consider turning them on as well. This article looks into Security Defaults and whether they’re the right choice for your organization.
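The check and the hardening step described above can be scripted against the Microsoft Graph authorization policy, which is where the user consent and app registration defaults actually live. This is an added example, not code from the original post. It assumes the Microsoft.Graph PowerShell SDK and an account holding Global Administrator or Privileged Role Administrator; the policy identifiers it uses are Microsoft’s built-in permission grant policy names.

```powershell
# Added example (not part of the original post). Assumes the Microsoft.Graph
# PowerShell SDK and a Global Administrator / Privileged Role Administrator account.

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Policy.Read.All' -NoWelcome

# Security Defaults status, for reference only: they enforce MFA and block
# legacy authentication but do not change what users may consent to.
$sd = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'
"Security Defaults enabled: $($sd.isEnabled)"

# User consent and self-service app registration are governed by the
# tenant-wide authorization policy.
$authUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
$perms   = (Invoke-MgGraphRequest -Method GET -Uri $authUri).defaultUserRolePermissions

# Built-in ids that can appear in permissionGrantPoliciesAssigned:
#   ...microsoft-user-default-legacy -> users may consent to any app and any permission
#   ...microsoft-user-default-low    -> only verified-publisher apps asking for low-impact delegated permissions
#   (none)                           -> users cannot consent at all; enable the admin consent
#                                       workflow so they can request it instead
$legacy = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'
$low    = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'

"Users can register apps: $($perms.allowedToCreateApps)"
"User consent policies:   $($perms.permissionGrantPoliciesAssigned -join ', ')"

$needsHardening = ($perms.allowedToCreateApps -or ($perms.permissionGrantPoliciesAssigned -contains $legacy))

if ($needsHardening) {
    # Tighten to: no self-service app registrations, and consent only to
    # verified-publisher apps requesting low-impact permissions. Use @() instead
    # of @($low) to turn user consent off entirely.
    $body = @{
        defaultUserRolePermissions = @{
            allowedToCreateApps             = $false
            permissionGrantPoliciesAssigned = @($low)
        }
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method PATCH -Uri $authUri -ContentType 'application/json' -Body $body

    # Read the policy back rather than trusting the PATCH response.
    $after = (Invoke-MgGraphRequest -Method GET -Uri $authUri).defaultUserRolePermissions
    if ($after.allowedToCreateApps -or ($after.permissionGrantPoliciesAssigned -contains $legacy)) {
        Write-Warning 'Authorization policy still permits unrestricted consent or app registration.'
    } else {
        'Authorization policy hardened: consent limited to verified publishers / low-impact permissions.'
    }
}

Disconnect-MgGraph
```

Tightening this policy affects every user, so announce it first and enable the admin consent workflow beforehand; otherwise users who hit the consent prompt for a legitimate app get a dead end rather than a request they can submit.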
Managing Endpoints and Cloud Apps to Prevent Data Leaks in Generative AI Tools

Microsoft 365 administrators should look into managing devices with Microsoft Intune and using tools like Defender for Endpoint, Defender for Cloud Apps, and Endpoint DLP to monitor or block unapproved activity in generative AI applications. Intune-onboarded devices can be seamlessly integrated with these solutions, making it easier for admins to manage devices, onboard them into Endpoint DLP, and enable ongoing reporting in Defender for Cloud Apps, all from a single management hub without needing extra tools like a log collector or Secure Web Gateway.

Auditing or Blocking Unapproved Generative AI Applications

Microsoft Defender for Endpoint and Defender for Cloud Apps work hand in hand to audit or block access to generative AI tools, even when devices are not connected to a corporate network, VPN, or jump box that filters traffic. Figure 2 illustrates the Cloud App Catalog in Defender for Cloud Apps, which includes over 31,000 cloud apps and assesses their enterprise risk based on factors like regulatory certifications, industry standards, and Microsoft’s best practices. For instance, apps can be flagged for risks like a recent data breach, lacking a trusted certificate, or missing HTTP security headers. Organizations can also customize risk score metrics based on their specific needs. The apps can be filtered by categories, such as Generative AI. Organizations might block or monitor apps for reasons unrelated to their risk score. In the example provided, Microsoft Designer is being monitored (maybe to track its usage), while Bing Chat and Microsoft Copilot are blocked. Even though both tools fall under the “Copilot” branding, they are accessed via different URLs. A real-world case for blocking Bing Chat and Microsoft Copilot could be GDPR compliance, as Bing Chat doesn’t keep data within the EU Data Boundary, while Copilot for Microsoft 365 does.
In the Cloud App Catalog, administrators can label applications as monitored, sanctioned (approved), or unsanctioned (blocked). Figure 2 shows different types of tags. When an application is marked as unsanctioned, users will encounter the experience shown in Figure 3. With new cloud apps constantly being released, it might feel like trying to block unauthorized apps is a never-ending game of “Whac-a-Mole,” where as soon as you deal with one, another appears. Fortunately, you don’t have to manually tag each app. To set up an automatic app discovery policy for generative AI tools, go to Defender for Cloud Apps > Policy Management (under “Policies”) and select Create. In the policy settings, under “Apps matching all of the following,” choose “Category equals Generative AI” and “App tag equals No value” (see Figure 4). This will help automate the process of identifying and tagging generative AI apps. As shown in Figure 5, administrators can set up alerts for events that match the policy’s severity and set a daily alert limit (between 5 and 1000). Alerts for newly discovered generative AI applications can be sent directly to administrators via email or integrated with Power Automate to trigger a workflow, such as sending alerts to an IT ticketing system. Under “Governance actions,” you can choose to “Tag app as monitored” or “Tag app as unsanctioned,” depending on whether you want to automatically monitor or block generative AI apps that haven’t been manually tagged. When endpoints are managed by Defender, continuous reports can be accessed through Cloud Discovery. The Cloud Discovery dashboard highlights all newly discovered apps from the past 90 days. To review these apps, go to the Discovered Apps page. While the interface is similar to the Cloud App Catalog, it’s worth noting that the Generative AI category filter isn’t available here. To export all data from the Discovered Apps page, select Export > Export data. 
If you just need a report listing the domains of newly discovered apps, choose Export > Export domains.

Preventing Data Transfer to Unauthorized Apps

Without proper controls, employees can easily copy, paste, or upload company data to web applications. Blocking all copying and pasting isn’t practical, so it’s better to selectively block these actions for sensitive data. Microsoft Purview DLP, paired with Defender for Endpoint, can audit and prevent the transfer of organizational data to unauthorized locations (e.g., websites, desktop apps, removable storage) without needing extra software on the device. Purview DLP can also limit data sharing with unapproved cloud apps and services, like unauthorized generative AI tools (as shown in
