The OrganizationalBranding.ReadWrite.All Graph API permission has now been added to the Organizational Branding Administrator role in Microsoft Entra. This gives users assigned to the role the ability to update company branding settings. Where previously the Global Administrator role was required to update your organisation’s branding, you can now limit the scope of this task by assigning only the Organizational Branding Administrator role.
Assigning the Organizational Branding Administrator role
The role can be quickly assigned to specific users from the Microsoft Entra admin portal by following the steps below:
- Log in to entra.microsoft.com.
- Expand Identity > Roles & admins.
- Select Roles & admins > All roles.
- Search for and select the Organizational Branding Administrator role.
- Click Add assignment and assign the role to the users you require.
To assign the Organizational Branding Administrator role to a user using Microsoft Graph PowerShell, use the below example code:
# Connect with a scope that allows creating directory role assignments
Connect-MgGraph -Scopes RoleManagement.ReadWrite.Directory
# Look up the user to be assigned (UPN or object id)
$User = Get-MgBetaUser -UserId "enter username here"
# Build the unifiedRoleAssignment body; the roleDefinitionId below is the
# Organizational Branding Administrator role template id, scoped tenant-wide ("/")
$body = @{
"@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
"principalId" = $User.Id
"roleDefinitionId" = "92ed04bf-c94a-4b82-9729-b799a7a4c178"
"directoryScopeId" = "/"
}
# Invoke-MgGraphRequest serialises the hashtable to JSON for the POST
Invoke-MgGraphRequest -Method POST `
-Uri "/v1.0/roleManagement/directory/roleAssignments" `
-Body $body
Requirements for custom branding in Microsoft Entra
Using the custom branding features in Microsoft Entra requires having either Microsoft Entra ID P1 or Microsoft Entra ID P2 licenses assigned to your users.
Update organisation branding in Microsoft Entra
Once assigned the role, you can log in to the Microsoft Entra admin portal and update your organisation’s branding configuration. Follow the below steps to update your organisation’s branding from the Entra portal:
1. Log in to entra.microsoft.com.
2. Expand Identity > User experiences and select Company branding.
From here, you can update elements of your company branding. Simply follow the steps on the screen to modify settings such as your logos, background, layout and your own custom CSS.
Major considerations for the Organizational Branding Administrator role
Looking at this role, assigning a lesser privileged role to a user to manage elements of your company branding may seem like the right thing to do, but it has its dark side…
This role lets the administrator modify the ‘Forgot password’ URL on your company sign-in page. This means that someone with a seemingly lower privileged role can redirect any user who needs to reset their password to a potentially malicious URL that harvests information such as their password or access tokens.
Check out the below example where I have used my Organizational Branding Administrator to redirect the Forgot my password URL on my company sign-in page to my blog.
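To keep an eye on both sides of this, the assignment above and the sign-in page URLs the role can change, the following read-only audit script is an added example (not code from the original post). It assumes the organizationalBranding properties named in $UrlProps carry the sign-in page URLs, that localized branding can override them per language, and that $TrustedHosts is a constructed allow-list you replace with your own domains.

```powershell
# Added audit example: flag branding URLs that point outside an allow-list and
# list who currently holds the Organizational Branding Administrator role.
Connect-MgGraph -Scopes "OrganizationalBranding.Read.All", "Organization.Read.All", `
                        "RoleManagement.Read.Directory", "Directory.Read.All"

# Constructed allow-list of hosts your sign-in page is permitted to link to
$TrustedHosts = @("passwordreset.microsoftonline.com", "contoso.com")
$OrgId = (Invoke-MgGraphRequest -Method GET -Uri "/v1.0/organization").value[0].id

# Assumed URL-carrying properties of the organizationalBranding resource
$UrlProps = @("customAccountResetCredentialsUrl", "customCannotAccessYourAccountUrl",
              "customPrivacyAndCookiesUrl", "customTermsOfUseUrl")

function Test-BrandingUrls {
    param([hashtable]$Branding, [string]$Label)
    foreach ($p in $UrlProps) {
        $url = $Branding[$p]
        if ([string]::IsNullOrEmpty($url)) { continue }
        $urlHost = ([uri]$url).Host
        [pscustomobject]@{
            Scope = $Label; Property = $p; Url = $url
            Trusted = ($TrustedHosts -contains $urlHost)
        }
    }
}

$default = Invoke-MgGraphRequest -Method GET -Uri "/v1.0/organization/$OrgId/branding"
# Localized branding objects can override the same URLs per language, so check each one
$locs = (Invoke-MgGraphRequest -Method GET -Uri "/v1.0/organization/$OrgId/branding/localizations").value
$results = @(
    Test-BrandingUrls -Branding $default -Label "default"
    foreach ($loc in $locs) { Test-BrandingUrls -Branding $loc -Label "locale:$($loc.id)" }
)
"Sign-in page URLs outside the allow-list:"
$results | Where-Object { -not $_.Trusted } | Format-Table -AutoSize

# Who holds the role? Same role definition id as the assignment example in this post
$roleId = "92ed04bf-c94a-4b82-9729-b799a7a4c178"
$uri = "/v1.0/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$roleId'"
$assignments = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
"Current Organizational Branding Administrator assignments:"
foreach ($a in $assignments) {
    $principal = Invoke-MgGraphRequest -Method GET -Uri "/v1.0/directoryObjects/$($a.principalId)"
    [pscustomobject]@{ Principal = $principal.displayName; Type = $principal.'@odata.type'
                       DirectoryScope = $a.directoryScopeId }
}
```

Run it on a schedule and alert on any untrusted URL or any assignment you did not expect; pairing it with Entra audit log monitoring for branding updates gives you the change, not just the current state.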
Summary
While Microsoft is on the right path to correctly split out administrator roles and correctly assign Graph API permissions to said roles, you should always look into these changes with care (this is something I show you how to do in my book, Microsoft Graph PowerShell for Administrators).
Specifically, the Organizational Branding Administrator role provides hidden attack paths and can easily be abused. Assigning the role should be well thought through, and you should consider using a dedicated account protected with stronger authentication and Conditional Access, as well as the use of Privileged Identity Management.