Your Entra Tenant: Branding, Settings & Domains
Configure company branding, custom domains, and tenant-wide settings to make Microsoft Entra ID yours — the foundation every identity admin builds on.
What is an Entra tenant?
Your Entra tenant is your organisation’s private building in the Microsoft cloud.
Think of it like renting an office floor. You get your own reception area (sign-in page), your own name on the door (custom domain), your own lobby screen (company branding), and your own rules about who can enter and what they can do (tenant settings).
Every Microsoft 365 or Azure subscription lives inside a tenant. Before you manage a single user, you set up the building itself.
Company branding — your sign-in page, your brand
Company branding controls what users see on the Microsoft sign-in page. This matters because:
- It builds trust — users know they’re signing in to the right place
- It reduces phishing risk — employees recognise the legitimate sign-in page
- It’s professional — clients and partners see your brand, not generic Microsoft
What you can customise:
| Element | What It Controls |
|---|---|
| Banner logo | Your logo on the sign-in page (top left) |
| Background image | Full-page background behind the sign-in box |
| Sign-in page text | Custom message below the sign-in form |
| Favicon | Browser tab icon |
| Username hint | Placeholder text in the username field |
| Colour scheme | Page background colour when no image is set |
Scenario: Jake brands Coastline Creative's sign-in
Jake Torres at Coastline Creative (35 people, design agency) adds their logo, a beach-themed background, and the text “Welcome to Coastline Creative — please sign in with your work account.” Now when freelancers and clients see the sign-in page, it looks professional instead of generic.
Exam tip: You can configure different branding per locale (language). A French user sees French branding, an English user sees English branding. The default branding applies when no locale-specific branding matches.
Custom domains — ditch the onmicrosoft.com
Every tenant starts with a default domain: contoso.onmicrosoft.com. Most organisations add a custom domain so users sign in with user@contoso.com instead.
Steps to add a custom domain:
- Go to Entra admin center → Settings → Domain names
- Add your domain (e.g.,
coastlinecreative.co.nz) - Microsoft gives you a DNS verification record (TXT or MX)
- Add that record to your DNS provider (Cloudflare, GoDaddy, etc.)
- Microsoft verifies ownership → domain is ready to use
Exam tip: DNS verification
The exam tests that you know the DNS verification step. Microsoft requires you to prove domain ownership by adding a TXT record (preferred) or MX record to your domain’s DNS zone. Without this, anyone could claim any domain.
Key fact: You can have multiple custom domains, but only one can be the primary (default) domain — this is what new users get automatically.
Tenant settings — the master control panel
Tenant-wide settings control default behaviour for everyone. These live in the Entra admin center under Identity → Settings and Users → User settings.
User settings
| Setting | What It Controls | Default |
|---|---|---|
| Users can register applications | Whether non-admins can create app registrations | Yes |
| Restrict non-admin users from creating tenants | Prevent shadow IT tenant sprawl | No (users can create) |
| Users can consent to apps | Whether users can grant permissions to third-party apps | Yes (limited) |
| LinkedIn account connections | Allow LinkedIn integration in M365 apps | Enabled |
Group settings
| Setting | What It Controls |
|---|---|
| Self-service group management | Users can create and manage their own security groups or M365 groups |
| Restrict group creation | Only specific roles/groups can create M365 groups |
| Naming policy | Enforce prefixes/suffixes and blocked words in group names |
| Expiration policy | Auto-delete unused M365 groups after N days |
Device settings
| Setting | What It Controls |
|---|---|
| Users may join devices to Entra ID | Who can join devices to Entra ID |
| Maximum number of devices per user | Limit to prevent device sprawl |
| Require MFA to register/join devices | Extra security for device registration |
Scenario: Priya locks down Meridian Health's tenant
Priya Sharma at Meridian Health (5,000 employees, healthcare) tightens tenant settings:
- App registrations: Disabled for non-admins (prevents rogue apps accessing patient data)
- User consent: Restricted to verified publishers only (no unknown third-party apps)
- Group creation: Limited to IT and department managers (prevents group sprawl)
- Device limit: Set to 5 per user (clinicians don’t need 20 registered devices)
These settings reflect Meridian Health’s strict compliance posture — in healthcare, you lock down first and open up on request.
🎬 Video walkthrough
🎬 Video coming soon
Entra Tenant Configuration — SC-300 Module 1
Entra Tenant Configuration — SC-300 Module 1
~10 minFlashcards
Knowledge Check
Jake at Coastline Creative wants freelancers to see the agency's logo and a welcome message when signing in. He also needs French-speaking contractors to see French text. What should he configure?
Priya needs to prevent non-admin staff at Meridian Health from registering applications that could access patient data. Which setting should she change?
A new employee at Coastline Creative signs in and their UPN is sam@coastlinecreative.onmicrosoft.com. Jake wants it to be sam@coastlinecreative.co.nz. What must Jake do first?
Next up: Entra Roles & Administrative Units — how to delegate admin access safely using built-in roles, custom roles, and scoped management with administrative units.