Outlook Signature Deployment Guide for Microsoft 365

Method 1: Exchange Transport Rules

Exchange transport rules (called mail flow rules in the Exchange Admin Center) let you inject a signature at the server level — after the email is sent and before it reaches the recipient. This is the most reliable method for guaranteed delivery across all devices, because the signature is applied server-side regardless of what client or device the sender used. Outlook Mobile, Apple Mail, a web browser — it doesn’t matter. The signature gets appended.

When to use this method

• You need signatures on emails sent from mobile devices — this is the only built-in Microsoft method that covers mobile.
• Compliance is a priority and you cannot rely on users to set up their own signatures.
• You have a small IT team and want a set-it-and-forget-it approach.
• Your signature doesn't need to be visible to users while they're composing (they won't see it until after sending).

Step-by-step in Exchange Admin Center

HTML template with Active Directory placeholders

Exchange resolves Active Directory attribute tokens at send time. Use this template as a starting point — paste it into the disclaimer text box in the admin center:

<table cellpadding="0" cellspacing="0" border="0"
  style="font-family: Arial, sans-serif; font-size: 13px;
         color: #333333; border-top: 3px solid #2563EB;
         padding-top: 12px; margin-top: 16px;">
  <tr>
    <td style="padding-right: 16px; vertical-align: top;">
      <img src="https://yourdomain.com/logo.png"
           width="120" height="40"
           alt="Company logo"
           style="display: block;" />
    </td>
    <td style="border-left: 1px solid #e2e8f0;
               padding-left: 16px; vertical-align: top;">
      <strong style="font-size: 14px; color: #1e293b;">
        %%DisplayName%%
      </strong><br/>
      <span style="color: #64748b;">%%Title%%</span><br/>
      <span style="color: #64748b;">%%Company%%</span><br/>
      <a href="tel:%%PhoneNumber%%"
         style="color: #2563EB; text-decoration: none;">
        %%PhoneNumber%%
      </a>
    </td>
  </tr>
  <tr>
    <td colspan="2"
        style="padding-top: 10px; font-size: 11px;
               color: #94a3b8;">
      This email and any attachments are confidential.
      If you are not the intended recipient, please delete
      this message and notify the sender immediately.
    </td>
  </tr>
</table>

Available Active Directory tokens: %%DisplayName%%, %%Title%%, %%PhoneNumber%%, %%Department%%, %%Company%%, %%City%%, %%StateOrProvince%%, %%CountryOrRegion%%. These are resolved from the sender’s Azure AD profile at the time the email is sent.

Method 2: PowerShell Set-MailboxMessageConfiguration

The Set-MailboxMessageConfiguration cmdlet lets you set the signature that appears in the Outlook compose window for any mailbox in your tenant. Unlike transport rules, users see their signature while composing. Unlike Group Policy, this works for Outlook on the Web (OWA) as well as desktop Outlook.

This is the right method when you want users to see their signature in the compose window, you have per-user variation (different departments, different signatures), and you’re comfortable running PowerShell scripts with Exchange Online credentials. For a broader look at managing signatures in Microsoft 365, see the Microsoft 365 email signature management guide.

Connect to Exchange Online

Install the Exchange Online PowerShell module if you haven’t already, then connect:

# Install the module (run once, as administrator)
Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber

# Connect — this opens a browser login window
Connect-ExchangeOnline -UserPrincipalName [email protected]

# Verify the connection
Get-OrganizationConfig | Select-Object DisplayName

Set the same signature for all users

This script sets an HTML signature for every mailbox in your tenant. Replace the HTML string with your actual signature code:

$signatureHTML = @"
<table cellpadding="0" cellspacing="0" border="0"
  style="font-family:Arial,sans-serif;font-size:13px;color:#333;">
  <tr>
    <td style="padding-right:16px;">
      <img src="https://yourdomain.com/logo.png"
           width="120" alt="Logo" />
    </td>
    <td style="border-left:1px solid #e2e8f0;padding-left:16px;">
      <strong>EMPLOYEE_NAME</strong><br/>
      <span style="color:#64748b;">EMPLOYEE_TITLE</span><br/>
      <a href="tel:EMPLOYEE_PHONE"
         style="color:#2563EB;">EMPLOYEE_PHONE</a>
    </td>
  </tr>
</table>
"@

# Get all user mailboxes and apply the signature
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
  ForEach-Object {
    Set-MailboxMessageConfiguration -Identity $_.UserPrincipalName `
      -SignatureHTML $signatureHTML `
      -AutoAddSignature $true `
      -AutoAddSignatureOnReply $false
    Write-Host "Set signature for $($_.UserPrincipalName)"
  }

Per-department signatures

To apply different signatures by department, get the department attribute from Azure AD and switch on it:

# Define signatures per department
$sigSales = "<table><!-- Sales signature HTML --></table>"
$sigLegal = "<table><!-- Legal signature with compliance text --></table>"
$sigDefault = "<table><!-- Default company signature --></table>"

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
  ForEach-Object {
    $mbx = $_
    # Get department from Azure AD
    $user = Get-User -Identity $mbx.UserPrincipalName
    $sig = switch ($user.Department) {
      "Sales"  { $sigSales }
      "Legal"  { $sigLegal }
      default  { $sigDefault }
    }
    Set-MailboxMessageConfiguration -Identity $mbx.UserPrincipalName `
      -SignatureHTML $sig `
      -AutoAddSignature $true `
      -AutoAddSignatureOnReply $false
    Write-Host "$($mbx.UserPrincipalName) -> $($user.Department)"
  }

Full script with CSV input

For the most control, generate personalized HTML for each user from a CSV of employee data. The CSV should have columns: email, display_name, title, phone, department.

# employees.csv columns:
# email,display_name,title,phone,department

$employees = Import-Csv -Path "C:\signatures\employees.csv"

foreach ($emp in $employees) {

  # Build conditional phone line
  $phoneLine = if ($emp.phone) {
    "<a href='tel:$($emp.phone)'
       style='color:#2563EB;text-decoration:none;'>$($emp.phone)</a>"
  } else { "" }

  $html = @"
<table cellpadding="0" cellspacing="0" border="0"
  style="font-family:Arial,sans-serif;font-size:13px;
         color:#333333;border-top:3px solid #2563EB;
         padding-top:12px;margin-top:16px;">
  <tr>
    <td style="padding-right:16px;vertical-align:top;">
      <img src="https://yourdomain.com/logo.png"
           width="120" height="40" alt="Logo" />
    </td>
    <td style="border-left:1px solid #e2e8f0;
               padding-left:16px;vertical-align:top;">
      <strong style="font-size:14px;color:#1e293b;">
        $($emp.display_name)
      </strong><br/>
      <span style="color:#64748b;">$($emp.title)</span><br/>
      <span style="color:#64748b;">Your Company Ltd</span><br/>
      $phoneLine
    </td>
  </tr>
  <tr>
    <td colspan="2"
        style="padding-top:10px;font-size:11px;color:#94a3b8;">
      This email is confidential. If received in error,
      please delete and notify the sender.
    </td>
  </tr>
</table>
"@

  try {
    Set-MailboxMessageConfiguration `
      -Identity $emp.email `
      -SignatureHTML $html `
      -AutoAddSignature $true `
      -AutoAddSignatureOnReply $false
    Write-Host "OK: $($emp.email)"
  } catch {
    Write-Warning "FAILED: $($emp.email) — $_"
  }
}

Write-Host "Done. $($employees.Count) mailboxes processed."
Disconnect-ExchangeOnline -Confirm:$false

Method 3: Group Policy for Classic Outlook

If your organization runs classic Outlook (2016, 2019, or the LTSC version) on domain-joined Windows PCs, you can deploy signatures via Group Policy. GPO sets registry keys that Outlook reads on startup. The signature appears in the Outlook compose window.

This method has a hard requirement: domain-joined PCs with classic Outlook installed. It does not work on the new Outlook for Windows, Outlook on the Web, or any non-Windows device. If your team is a mix of old and new Outlook, you need a secondary method for everyone not covered by GPO. For more on managing Outlook signatures for a whole company, including non-domain scenarios, that guide covers the full picture.

Registry keys Outlook reads for signatures

Outlook 2016 and later reads signature settings from:

HKCU\Software\Microsoft\Office\16.0\Common\MailSettings

Key: NewSignature
Type: REG_SZ
Value: Name of the signature (must match a .htm file in the signatures folder)

Key: ReplySignature
Type: REG_SZ
Value: Name of the signature for replies (can be the same or different)

Key: SignaturePickerForced
Type: REG_DWORD
Value: 1 (prevents users from switching to a different signature)

The signature file itself (the .htm file) needs to be placed in the user’s Outlook signatures folder: %APPDATA%\Microsoft\Signatures\

GPO setup steps

Method 4: Intune for Managed Devices

If you use Microsoft Intune to manage your Windows devices, you can deploy signatures via a PowerShell script that runs on each managed endpoint. This works for both classic Outlook and the new Outlook for Windows, and doesn’t require domain membership — making it the right choice for hybrid or cloud-only organizations.

Deploying a PowerShell script via Intune

For organizations running Intune-managed devices, combining Intune script deployment with an Exchange transport rule gives you the broadest coverage: desktop users see the signature in their compose window, and mobile users get it appended server-side. The Outlook Mobile signature guide covers the mobile side in detail.

Method 5: Third-party tools

The native Microsoft methods each have gaps: transport rules work on mobile but users can’t see their signature in compose; PowerShell gives compose-window visibility but needs re-running when things change; Group Policy is desktop-only; Intune requires a specific license tier and per-deployment script updates.

Third-party tools are built to fill those gaps without requiring you to chain multiple methods together. They typically provide a no-code template editor, directory sync (Azure AD, Google Workspace, or CSV), and a deployment layer that handles different clients.

NeatStamp: master template + deployment script

NeatStamp’s workflow for Outlook 365 deployment works like this: you build the master template in the signature editor — logo, colors, social links, promotional banners, and the legal disclaimer are set centrally and locked. Variable fields (name, title, phone) are marked as employee-fillable or pulled from your directory.

Once the template is ready, you upload your team via CSV or sync with Azure AD. NeatStamp generates a personalized signature for each user and provides two deployment paths:

• Self-service: each employee gets an email with a personal link to their signature setup page, with step-by-step instructions specific to their Outlook version. See the full Outlook 365 setup steps in the email signature Outlook 365 guide.
• Admin-push via PowerShell: NeatStamp generates a ready-to-run PowerShell script that calls Set-MailboxMessageConfiguration for each user in your team. You run it once with Exchange admin credentials. No scripting required on your part.

When you update the master template — new logo, new banner, new legal text — you re-generate the signatures and re-run the deployment script. The whole cycle takes about 5 minutes rather than the 2-4 hours a manual update typically requires. For organizations that want a comparison with enterprise alternatives, the Exclaimer alternative page and CodeTwo alternative page break down the feature and pricing differences.

For Teams users, the Teams plan covers multi-user signature management with an admin dashboard showing who has installed their signature and who hasn’t. The pricing page has details on per-seat costs for different team sizes.

Comparison: all 5 deployment methods

Each method fits a different situation. Here’s how they stack up across the factors that matter most for IT deployments:

For most organizations under 200 people, the PowerShell method or a third-party tool gives the best balance of control and maintainability. Transport rules are a solid addition for mobile coverage regardless of which primary method you choose.

Post-deployment: how to verify signatures are working

Don’t assume deployment worked — verify it. Each method has a slightly different verification approach.

For Exchange transport rules

Send a test email from an affected mailbox to an external address. Check the received email in its raw form (in Gmail: three-dot menu → Show original; in Outlook: File → Properties → Internet headers). Look for your HTML signature in the message body. Confirm the AD attribute tokens have been replaced with actual values.

Common mistake: sending to a mailbox in the same tenant. Internal emails may bypass external-only transport rules. Always test with an external address.

For PowerShell-deployed signatures

Log into Outlook on the Web (outlook.office.com) using the affected user’s credentials (or impersonate via Exchange admin). Go to Settings → Mail → Compose and reply. You should see the signature in the signature field.

For desktop Outlook, open the Outlook client and go to File → Options → Mail → Signatures. The signature should be listed there. Compose a new email and confirm it auto-inserts.

To verify all users at once using PowerShell:

# Check signature status for all user mailboxes
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
  Get-MailboxMessageConfiguration |
  Select-Object Identity, AutoAddSignature, SignatureHTML |
  Export-Csv -Path "C:signatureserification-report.csv" -NoTypeInformation

# Quick summary count
$results = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
  Get-MailboxMessageConfiguration
$withSig = $results | Where-Object { $_.SignatureHTML -ne $null -and $_.SignatureHTML -ne "" }
Write-Host "$($withSig.Count) of $($results.Count) mailboxes have a signature set"

For Group Policy deployments

On a test machine, run gpupdate /force in Command Prompt, then open Outlook. Check File → Options → Mail → Signatures. If the signature doesn’t appear, verify the .htm file was copied to %APPDATA%\Microsoft\Signatures\ and the registry keys are set using reg query HKCU\Software\Microsoft\Office\16.0\Common\MailSettings.

Troubleshooting common issues

These are the problems that come up most often after deploying signatures in Microsoft 365, with the specific fix for each.

Related guides

Frequently asked questions