Before we start applying changes to our Hybrid Identity implementation, I feel it’s a good time to discuss some of my recommendations for branding.
The five recommendations below flow from my own personal experience branding the components of Hybrid Identity implementations.
Built-in branding vs. Full customization
For Active Directory Federation Services (AD FS), you can apply branding in two ways:
- Leveraging the built-in AD FS Branding options
- Applying a Custom Theme
In a Hybrid Identity environment, the first option is the recommended option. While you can go all out on customizing the AD FS login pages through custom themes, you don’t want to do that.
When a colleague accesses an Internet-based application that is configured to be federated to Azure Active Directory, the colleague sees the Azure AD login pages in the following situations:
- The colleague logs off
- The colleague hits the time-out
In both these cases, the colleague might perceive the Azure AD login pages as rip-offs of the Active Directory Federation Services (AD FS) login pages and suspect a phishing attack. To avoid this confusion, I recommend leveraging only the built-in AD FS branding possibilities.
Full customization vs. Support
When we’re looking at the on-premises components of any Hybrid Identity deployment, we have the option to apply full customization. For the Azure Multi-Factor Authentication Server User Portal(s), you may even edit the *.aspx files.
However, please note that when you go completely overboard here, it may be hard to get support from Microsoft, because they can’t rule out that your customizations cause the problem (as a side effect). You may be required to roll back your customizations.
Technical State Compliancy Monitoring (TSCM)
When you apply branding, you change the end-user experience of your Hybrid Identity implementation for your colleagues and/or customers.
Since you don’t want that experience to change afterwards without you noticing, it’s my recommendation to design a Technical State Compliancy Monitoring (TSCM) process and create appropriate tooling to support it.
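As an added example (not code from the original post), the following PowerShell script shows the kind of TSCM tooling meant here: it compares the live AD FS branding state with an approved baseline and reports drift, which also makes it usable as a post-upgrade check. It assumes it runs on an AD FS server with the ADFS module available; the baseline values are constructed placeholders, and the invariant locale is assumed to be the entry with an empty Locale value.

```powershell
# Added example, not part of the original post: a minimal TSCM check that
# compares the live AD FS branding state with an approved baseline.
# Assumptions: runs on an AD FS server with the ADFS module; the baseline
# values are constructed placeholders to be replaced with your approved text.
Import-Module ADFS

# Approved branding state for the invariant locale (placeholder values)
$Baseline = @{
    CompanyName               = 'Contoso (placeholder)'
    HelpDeskLink              = 'https://helpdesk.example.invalid/'
    HelpDeskLinkText          = 'Help desk'
    PrivacyLink               = 'https://www.example.invalid/privacy'
    PrivacyLinkText           = 'Privacy statement'
    SignInPageDescriptionText = 'Sign in with your corporate account.'
}
$ExpectedTheme = 'default'   # a built-in theme, per the first recommendation

function Test-AdfsBrandingCompliance {
    param([hashtable]$Baseline, [string]$ExpectedTheme)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Global web content for the invariant locale (assumed: empty Locale value)
    $content = Get-AdfsGlobalWebContent | Where-Object { -not $_.Locale }
    foreach ($key in $Baseline.Keys) {
        $actual = [string]$content.$key
        if ($actual -ne $Baseline[$key]) {
            $findings.Add("GlobalWebContent.$key drifted: expected '$($Baseline[$key])', found '$actual'")
        }
    }

    # The active theme must be the expected one and must be a built-in theme
    $active = (Get-AdfsWebConfig).ActiveThemeName
    if ($active -ne $ExpectedTheme) {
        $findings.Add("ActiveThemeName drifted: expected '$ExpectedTheme', found '$active'")
    }
    $theme = Get-AdfsWebTheme -Name $active
    if (-not $theme.IsBuiltinTheme) {
        $findings.Add("Active theme '$active' is a custom theme, not a built-in one")
    }
    return $findings
}

$drift = Test-AdfsBrandingCompliance -Baseline $Baseline -ExpectedTheme $ExpectedTheme
if ($drift.Count -eq 0) {
    Write-Output 'AD FS branding is compliant with the baseline.'
    exit 0
}
$drift | ForEach-Object { Write-Warning $_ }
exit 1   # non-zero so a scheduled task or pipeline flags the drift
```

Run it as a scheduled task on each AD FS server (and again as a step in your upgrade process) so that drift from the approved branding is reported rather than discovered by end users.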
Lifecycle Management (LCM)
Microsoft offers you a ton of possibilities to change the look and feel of the components that make up your Hybrid Identity implementation.
First off, apply branding in a test or acceptance environment before you apply it in your production environment. Remember that acceptance is not just a technical area, but also a process area. In my opinion, an acceptance environment serves the purpose of accepting the proper operation of your scripts. Then you can use the scripts in your production environment without problems.
When you go beyond the cascading stylesheets and graphical resources for your Azure Multi-Factor Authentication Server User Portal(s), expect your customizations to be undone after each upgrade of the Azure Multi-Factor Authentication Server product. Add steps to your (automated) upgrade processes to check for and address any issues you might encounter after upgrading components.
Get involved!
Branding may or may not be a requirement from your IT Security colleagues. However, branding does offer opportunities to get involved with the processes many other colleagues cover.
For your disclaimers, I feel it’s a good idea to talk to colleagues in the legal department. They will tell you what’s a good text to use, and in what languages your organization needs it.
For the graphical resources, you could install a tool like Paint.Net to create these. However, colleagues in the Marketing department already have a tool and know how to use it. They might be able to come up with the graphical resources faster than you. Additionally, these resources might be of higher quality and adhere better to the organization’s brand style.