
By default, users of Microsoft 365 apps can change their profile photos to anything they like. This might be a problem for admins who want to keep everything in order. In this article, I’ll show you why and how to block users from changing their photos in Microsoft 365.
Why to prevent users from changing photos in Microsoft 365?
When a user sets up their user photo in Microsoft 365 (Office 365), the photo propagates through the whole Microsoft 365 tenant and apps integrated with Entra ID (Azure AD). This means that they are displayed in Outlook, Teams, SharePoint, and other apps.
The most important reason for preventing users from changing their profile photos is to ensure a unified visual identity. If you don’t restrict permissions, any user can overwrite the photo that you (the admin) set up for them in Microsoft 365 to comply with your organization’s guidelines. When users are free to control their profile pictures, maintaining the same quality across the entire organization becomes difficult. That’s why restricting user profile photo management in Microsoft 365 is crucial for many companies.
Where can users change their profile photo?
Users can change their profile photo on the My Account page. Additionally, a profile photo can be changed by navigating to the following URL: https://outlook.office.com/mail/changephoto. In the past, this URL used to be a “backdoor” for users to change their photos despite blocking policies. Now, the correct photo update settings block this as well.
Note that regardless of the method you choose, it can take up to 48 hours for the photo to propagate across Microsoft 365 apps & services. Learn more
How to block all users from changing their photos in Microsoft 365
To be fully precise, it’s not possible to block permission to change profile photos for virtually all users in a Microsoft 365 organization. However, this permission can be limited to specific Entra ID user roles – for example, admins only – which should be sufficient in most cases. To do this, you need to modify photo update settings using Microsoft Graph.
Follow the steps below to modify these settings in your organization. In our example, the only user roles allowed to change user photos will be People Administrator, User Administrator, and Global Administrator.
- Go to Graph Explorer, select the Sign in button in the top-right corner, and sign in using an account with the People Administrator or Global Administrator role. If you’re signing in for the first time, you’ll also be asked to accept requested permissions.
- Specify query parameters:
- In the HTTP request method drop-down, select PATCH.
- In the Microsoft Graph API Version drop-down, select beta.
- In the query URL bar, enter https://graph.microsoft.com/beta/admin/people/photoUpdateSettings.

- In the text field on the Request Body tab, paste the following code:
{
"source": "cloud",
"allowedRoles": [
"024906de-61e5-49c8-8572-40335f1e0e10",
"fe930be7-5e62-47db-91af-98c3a49a38b1",
"62e90394-69f5-4237-9190-012177145e10"
]
}Note: The IDs in the allowedRoles array are predefined template IDs from Microsoft Entra ID that represent the People Administrator, User Administrator, and Global Administrator user roles, respectively. If needed, you can include additional roles by adding their template IDs as well. Be aware, however, that only the predefined roles are supported.
You can find the list of roles in the Microsoft Entra admin center > Roles & admins. To check a role’s template ID, select it on the list and go to the Description tab – the ID will be displayed in the Template ID field included in the Summary section.

- Click Run query.

Tip: If you get a 403 error, it likely means you don’t have the required permissions. To fix this, switch to the Modify Permissions tab, click Consent for the PeopleSettings.ReadWrite.All permission, and accept the requested permission. Next, run the query again.

That’s it – once the changes propagate across your organization, only the users with the specified admin roles will be able to change their profile photos in Microsoft 365 apps. Now, when a user tries to change their profile photo, they will see a relevant message without being able to edit their photo in any way.

Since users can no longer edit their picture attribute, you can manage user photos without worrying that someone will overwrite them.
One final note: if you want to revoke these settings and allow all users to change their photos, simply complete steps 1–4 again but remove the role IDs from the allowedRoles array in step 3. The code should then look like this:
{
"source": "cloud",
"allowedRoles": []
}After you run this query and wait for the changes to propagate, your users will once again be able to modify their profile photos.
How to manage user photos in Microsoft 365?
CodeTwo User Photos for Office 365 is a free tool that helps you centrally manage profile photos for all users in Microsoft 365 – even (or especially) if you’ve just prevented your users from changing their profile images on their own.
The program allows you to easily upload user photos to Microsoft 365 and display them in SharePoint, Exchange Online, Outlook on the web, Microsoft Teams and any other Microsoft 365-connected app and service. What’s more, the tool lets you automatically rotate and resize images, so that they always meet Microsoft 365 photo requirements. And you don’t need to use any scripts to do all this!




Users are still able to change their photos in the myaccount.microsoft.com page. I have been working with Microsoft on how to block it but so far they have no idea. If there is a way to block this page as well, we would have a working solution.
Is there an article on learn.microsoft about this?
Unfortunately this does NOT work. Users can still change their picture in Microsoft Teams. However, this image will not be transferred to other services!
I’ve just tested it. Applied
Set-PhotoEnabled $falseto the default mailbox policy and restarted a user’s Teams client. When trying to use the change photo option, I get an error “Picture options are disabled by policy”. Check your policy settings and make sure that users shutdown their Teams clients (and devices in general), at least once in a while.Great write-up! I noticed there was never a response from the backdoor comment, and I know this might be obvious to some, but I thought it might be helpful to mention that one could always blacklist this specific URL so your staff can’t access it.
Hi Ivan,
Actually, the article was updated in July 2020 to address this backdoor. Please see this section for details.
Hi, I downloaded CodeTwo User Photos Manager, but it shows me just few users, and on some users old pictures, like kind cached one… Is there some settings required?
Hi,
Note that an Office 365 (Microsoft 365) account with global admin rights is required to grant the necessary permissions to the application to perform its tasks (access users’ profiles and update their photos).
To manage photos for all users in your organization, an Office 365 user that signs in to the application needs to be assigned the Global administrator or User administrator role in Azure AD. See this Knowledge Base article to learn how to do this
Your also able to change the photo in windows if you are connected to AAD.
There must be more backdoors. We have Picture upload blocked in our tenant via OWA policy, Remote PS is blocked for All users and Picture property is set to False in SPO Online profile Policy, Access to Azure portal /AAD is also blocked . But users are still able to upload the pics through some other method and we are struggling to determine the backdoor. Recently We noticed Though Access to Azure portal/AAD is blocked for our regular users but anyone can access Azure Entra portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers) to change the profile picture OR upload a new one. We called Microsoft and reported the same. They appreciated the effort to report this backdoor and said product enginering is looking into this matter. This method to upload profile pic is also not capturing the events in audit logs which is another issue. The problem is how many more backdoors might have for users to change/upload pictures?
Thanks for the comment! The quickest way to block this backdoor is to use Conditional Access Policies to block access to Azure portal. I’ll try to find a more granular method, though.
Hi Adam,
We can successfully manage all users profile photos using Code Two User Photos. However users photos are not updating in SharePoint until they visit a page that contains a person element for their user (Org Chart, Employee list, etc.).
Unfortunately, that’s the default behavior of photo distribution in Microsoft 365. I’m afraid there’s no way to force the synchronization. See this Microsoft’s article for details
Per default users have permissions to the Cmdlets Set-UserPhoto and Remove-UserPhoto. These are assigned via the Default Role Assignment Policy.
The Default Role Assignment Policy contains the roles MyContactInformation and MyBaseOptions, which both include the RoleEntries Set-UserPhoto and Remove-UserPhoto.
There are several options to revoke permissions to these Cmdlets:
1. Remove the Roles MyBaseOptions and MyContactInformation from the Role Assignment Policy
This is most likely a bad choice, as this also revokes a lot of other permissions that are included in those roles.
2. Remove the RoleEntries from the ManagementRole
Remove-ManagementRoleEntry mybaseoptions\set-userphotoRemove-ManagementRoleEntry mybaseoptions\remove-userphoto
If you are working with multiple Role Assignment Policies, this will revoke permissions for all policies that include those roles.
3. Create custom Management Roles for MyBaseOptions and MyContactInformation, remove the RoleEntries and add them to the Default Role Assignment Policy
New-ManagementRole -Name custom-mybaseoptions -Parent MyBaseOptionsRemove-ManagementRoleEntry custom-mybaseoptions\set-userphoto
Remove-ManagementRoleEntry custom-mybaseoptions\remove-userphoto
New-ManagementRole -Name custom-mycontactinformation -Parent MyContactInformation
Remove-ManagementRoleEntry custom-mycontactinformation\set-userphoto
Remove-ManagementRoleEntry custom-mycontactinformation\remove-userphoto
Get-ManagementRoleAssignment -Role mybaseoptions -RoleAssignee "Default Role Assignment Policy" | Remove-ManagementRoleAssignment
Get-ManagementRoleAssignment -Role mycontactinformation -RoleAssignee "Default Role Assignment Policy" | Remove-ManagementRoleAssignment
New-ManagementRoleAssignment -Role custom-mybaseoptions -Policy "Default Role Assignment Policy"
New-ManagementRoleAssignment -Role custom-mycontactinformation -Policy "Default Role Assignment Policy"
4. Create a new Role Assignment Policy and set it as default, then create custom roles and add these to your new default policy. This way you can always revert to the “Default Role Assignment Policy” in case you messed up.
Be aware that the Role Assignment Policy, that is assigned to a user per default, is managed in the Mailbox Plan in Office 365. The same goes for the OWA Mailbox Policy, which is assigned by the CAS Mailbox Plan. See here.
Hope this helps.
Thanks! Although it might be more reasonable to block access to remote PowerShell for all users except from IT using Client Access Rules.
User can still change picture by using Outlook client. It has link to page https://outlook.office.com/mail/changephoto and it works althought you have stopped it in SharePoint and Default OwaMailboxPolicy.
Hi Ville,
You are right, the URL is kind of backdoor to this setting for any user, regardless of the policy settings. As soon as the policy starts working, I cannot click the link in the Outlook client BUT visiting the URL still allows me to change the picture and reactivates the button in Outlook on the web.
I’ll check if there is a way to block this backdoor and will post an update. Thanks for letting me know!