How to prevent users from changing profile photos in Microsoft 365

When you set up user photos in Microsoft 365 (Office 365), they propagate through the whole Microsoft 365 tenant and apps integrated with Azure AD – they are displayed in Outlook, Teams, SharePoint, and more. By default, any user can change their photo to anything they like. This might be a problem for admins who want to keep everything in order. In this article, I’ll show you why and how to block users from changing their photos in Microsoft 365.


Why prevent users from changing photos in Microsoft 365?

The most important reason to lock the ability of users to change their profile photos is to ensure a unified visual identity. If you don’t restrict permissions, any user can overwrite the photo that you (the admin) set up for them in Microsoft 365 to comply with your organization’s guidelines. When users control their profile pictures, it’s impossible to maintain the same quality across the whole organization. What’s more, since users can change their photos from a few different places, they might end up having different photos in various Microsoft 365 apps (photos can take up to 72 hours to sync or can run into sync issues). That’s why setting restrictions on user profile photo management in Microsoft 365 is crucial for many companies.

Where can users change their profile photo?

The challenging part with preventing users from changing their Office/Microsoft 365 photos is that users can change them from more than one place independently:

  • Delve
  • Microsoft 365 profile
  • SharePoint Online
  • Microsoft Teams

Luckily, since April 2020 Microsoft Teams honors the Outlook on the web (OWA) policy settings, so there are only two settings that need to be changed to take full control of user photos in Microsoft 365.

How to block users from changing their photos in Microsoft 365

To successfully prevent users from changing their own profile photos, you need to change:

  • your Outlook on the web policy
  • and SharePoint Online permissions.

To do so, you’ll need to use both PowerShell and Microsoft 365 admin center.

Change Outlook on the web policy settings

First, you need to start a remote PowerShell session to your Microsoft 365 (Exchange Online). See instructions in this article.

If you want to prevent all users from changing their profile photos, you need to change the default OWA (Outlook on the Web) policy. The default policy’s name is OwaMailboxPolicy-Default. While its name can be changed, the default policy gets recreated with the default name and will be applied to newly created users. Since you can have other policies that apply to a subset of users only, let’s first check what policies you have by running:

Get-OwaMailboxPolicy | FL name,SetPhotoEnabled

The results suggest that I only have the default Outlook on the web mailbox policy, and it allows users to change their profile photos.

To prevent all users from changing their pictures, I can run:

Set-OwaMailboxPolicy OwaMailboxPolicy-Default -SetPhotoEnabled $false

And that’s it. Within up to 60 minutes, all users who try to change their profile photo will fail to do so (unless they use SharePoint, but I’ll get to this in the next section).

If you want to prevent only a subset of users from changing their photos, you need to create a new mailbox policy, change its SetPhotoEnabled attribute and assign it to the subset of users. See instructions below.

Note: You can create a new Outlook on the web policy in the Exchange admin center (EAC) and assign it to users. However, currently, you cannot change the SetPhotoEnabled parameter using this interface, so I’ll show the whole procedure using PowerShell only.

First, create a new Outlook on the web policy with the SetPhotoEnabled attribute set to $false:

New-OwaMailboxPolicy "Prevent users from changing their photos" | Set-OwaMailboxPolicy -SetPhotoEnabled $false

To apply the policy for a single user (j.doe in the example below), run the following cmdlet:

Set-CASMailbox -Identity j.doe@example.com -OwaMailboxPolicy "Prevent users from changing their photos"

To apply the OWA mailbox policy to more users, it’s easiest to use the Foreach loop. In the example below, I use PowerShell to get all members of the Microsoft 365 group called “Marketing” and apply the new policy to them:

$members=(Get-UnifiedGroupLinks "Marketing" -LinkType members).UserPrincipalName;
Foreach ($member in $members) {Set-CASMailbox -Identity $member -OwaMailboxPolicy "Prevent users from changing their photos"};

Once you apply the change, you can use the following cmdlet to check if the right OWA mailbox policy has been applied to users:

Get-CASMailbox | FL name,OwaMailboxPolicy 

This concludes changing the Outlook on the web mailbox policy to prevent users from changing profile photos. It should work for all places other than SharePoint. The next step is to change your SharePoint Online settings.
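To confirm that no mailbox was missed, the two checks above (policy list and per-mailbox assignment) can be joined into one report. This is an added example, not code from the original article; the function name Get-PhotoChangeExposure, the status labels and the sample objects are constructed for illustration, and it assumes the OwaMailboxPolicy value on a mailbox matches the policy's Name.

```powershell
# Added example (not from the original article). Joins OWA policies to mailboxes
# and reports every mailbox that is not covered by a policy blocking photo changes.
function Get-PhotoChangeExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,   # from Get-OwaMailboxPolicy
        [Parameter(Mandatory)] [object[]] $Mailboxes   # from Get-CASMailbox -ResultSize Unlimited
    )
    # Policy name -> SetPhotoEnabled value
    $photoAllowed = @{}
    foreach ($policy in $Policies) {
        $photoAllowed[[string]$policy.Name] = [bool]$policy.SetPhotoEnabled
    }
    foreach ($mailbox in $Mailboxes) {
        # Assumption: the mailbox's OwaMailboxPolicy renders as the policy name
        $policyName = [string]$mailbox.OwaMailboxPolicy
        $status = if ([string]::IsNullOrWhiteSpace($policyName)) {
            'NoPolicyAssigned'      # cannot be decided from this data; review manually
        } elseif (-not $photoAllowed.ContainsKey($policyName)) {
            'PolicyNotFound'        # assigned policy is missing from the policy list
        } elseif ($photoAllowed[$policyName]) {
            'PhotoChangeAllowed'
        } else {
            'Blocked'
        }
        if ($status -ne 'Blocked') {
            [pscustomobject]@{ Name = $mailbox.Name; OwaMailboxPolicy = $policyName; Status = $status }
        }
    }
}

# Constructed sample data so the function can be tried without a tenant.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; SetPhotoEnabled = $true }
    [pscustomobject]@{ Name = 'Prevent users from changing their photos'; SetPhotoEnabled = $false }
)
$sampleMailboxes = @(
    [pscustomobject]@{ Name = 'j.doe'; OwaMailboxPolicy = 'Prevent users from changing their photos' }
    [pscustomobject]@{ Name = 'a.smith'; OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
    [pscustomobject]@{ Name = 'shared-info'; OwaMailboxPolicy = $null }
)
Get-PhotoChangeExposure -Policies $samplePolicies -Mailboxes $sampleMailboxes | Format-Table -AutoSize

# In a connected Exchange Online session, pass the live objects instead:
# Get-PhotoChangeExposure -Policies (Get-OwaMailboxPolicy) -Mailboxes (Get-CASMailbox -ResultSize Unlimited)
```

An empty result means every listed mailbox is assigned a policy with SetPhotoEnabled set to $false.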

SharePoint Online profile policy

Setting up your SharePoint Online profile policy requires you to use the Microsoft 365 admin center interface.

  1. Go to Microsoft 365 admin center, click Show all in the left menu and choose SharePoint to access the SharePoint Online admin center.
  2. In the SharePoint Online admin center, click More features, and click Open in the User profiles section.
  3. Go to Manage User Properties.
  4. Click Picture and then click Edit Policy.

In the Policy settings, clear the Allow users to edit values for this property checkbox, scroll down and click OK.

From now on, users should no longer be able to edit their profile photos from SharePoint. This applies to all users in your Microsoft 365 organization. Currently, there is no method to fine-tune this policy to prevent only specific users from changing their profile photos in SharePoint Online.

Changing these settings stops users from editing their photos but still allows everyone to see the assigned profile images. Since users can no longer edit their picture attribute, you can manage user photos without worrying that someone will overwrite them.

How to manage user photos in Microsoft 365

CodeTwo User Photos is a free tool that allows you to centrally manage profile photos in Microsoft 365 for all users. If you’re an admin, you can use this app after preventing users from changing their profile images. It will help you easily upload photos to Microsoft 365 users, so that they will appear in SharePoint, Exchange Online, Outlook on the web, Microsoft Teams and practically any Microsoft 365-connected app and service.

What’s more, the tool will let you automatically rotate and resize images, so that they always meet Microsoft 365 photo requirements.
