How to prevent users from changing profile photos in Microsoft 365

How to prevent users from changing profile photos in Microsoft 365 OG

By default, users of Microsoft 365 apps can change their profile photos to anything they like. This might be a problem for admins who want to keep everything in order. In this article, I’ll show you why and how to block users from changing their photos in Microsoft 365.

Why to prevent users from changing photos in Microsoft 365?

When a user sets up their user photo in Microsoft 365 (Office 365), the photo propagates through the whole Microsoft 365 tenant and apps integrated with Entra ID (Azure AD). This means that they are displayed in Outlook, Teams, SharePoint, and other apps.

The most important reason for preventing users from changing their profile photos is to ensure a unified visual identity. If you don’t restrict permissions, any user can overwrite the photo that you (the admin) set up for them in Microsoft 365 to comply with your organization’s guidelines. When users are free to control their profile pictures, maintaining the same quality across the entire organization becomes difficult. That’s why restricting user profile photo management in Microsoft 365 is crucial for many companies.

Where can users change their profile photo?

Users can change their profile photo on the My Account page. Additionally, a profile photo can be changed by navigating to the following URL: https://outlook.office.com/mail/changephoto. In the past, this URL used to be a “backdoor” for users to change their photos despite blocking policies. Now, the correct photo update settings block this as well.

Note that regardless of the method you choose, it can take up to 48 hours for the photo to propagate across Microsoft 365 apps & services. Learn more

How to block all users from changing their photos in Microsoft 365

To be fully precise, it’s not possible to block permission to change profile photos for virtually all users in a Microsoft 365 organization. However, this permission can be limited to specific Entra ID user roles – for example, admins only – which should be sufficient in most cases. To do this, you need to modify photo update settings using Microsoft Graph.

Follow the steps below to modify these settings in your organization. In our example, the only user roles allowed to change user photos will be People Administrator, User Administrator, and Global Administrator.

  1. Go to Graph Explorer, select the Sign in button in the top-right corner, and sign in using an account with the People Administrator or Global Administrator role. If you’re signing in for the first time, you’ll also be asked to accept requested permissions.
  2. Specify query parameters:
    • In the HTTP request method drop-down, select PATCH.
    • In the Microsoft Graph API Version drop-down, select beta.
    • In the query URL bar, enter https://graph.microsoft.com/beta/admin/people/photoUpdateSettings.
Defining query parameters in Graph Explorer.
  1. In the text field on the Request Body tab, paste the following code:
{
"source": "cloud",
"allowedRoles": [
"024906de-61e5-49c8-8572-40335f1e0e10",
"fe930be7-5e62-47db-91af-98c3a49a38b1",
"62e90394-69f5-4237-9190-012177145e10"
]
}

Note: The IDs in the allowedRoles array are predefined template IDs from Microsoft Entra ID that represent the People Administrator, User Administrator, and Global Administrator user roles, respectively. If needed, you can include additional roles by adding their template IDs as well. Be aware, however, that only the predefined roles are supported.

You can find the list of roles in the Microsoft Entra admin center > Roles & admins. To check a role’s template ID, select it on the list and go to the Description tab – the ID will be displayed in the Template ID field included in the Summary section.

Checking a role's template ID in the Microsoft Entra admin center.
  1. Click Run query.
Running a query in Graph Explorer.

Tip: If you get a 403 error, it likely means you don’t have the required permissions. To fix this, switch to the Modify Permissions tab, click Consent for the PeopleSettings.ReadWrite.All permission, and accept the requested permission. Next, run the query again.

Modifying permissions in Graph Explorer.

That’s it – once the changes propagate across your organization, only the users with the specified admin roles will be able to change their profile photos in Microsoft 365 apps. Now, when a user tries to change their profile photo, they will see a relevant message without being able to edit their photo in any way.

Blocked permission to change the user photo in Microsoft 365.

Since users can no longer edit their picture attribute, you can manage user photos without worrying that someone will overwrite them.

One final note: if you want to revoke these settings and allow all users to change their photos, simply complete steps 1–4 again but remove the role IDs from the allowedRoles array in step 3. The code should then look like this:

{
"source": "cloud",
"allowedRoles": []
}

After you run this query and wait for the changes to propagate, your users will once again be able to modify their profile photos.

How to manage user photos in Microsoft 365?

CodeTwo User Photos for Office 365 is a free tool that helps you centrally manage profile photos for all users in Microsoft 365 – even (or especially) if you’ve just prevented your users from changing their profile images on their own.

The program allows you to easily upload user photos to Microsoft 365 and display them in SharePoint, Exchange Online, Outlook on the web, Microsoft Teams and any other Microsoft 365-connected app and service. What’s more, the tool lets you automatically rotate and resize images, so that they always meet Microsoft 365 photo requirements. And you don’t need to use any scripts to do all this!

Download it here for free

See more:

Tools for Microsoft 365

Recommended articles

How to connect and remotely manage Microsoft 365 with PowerShell

How to connect and remotely manage Microsoft 365 with PowerShell

Microsoft 365 web interface was designed to make it easier to manage your tenant right down to its administrative bowels. On the one hand it really is quick and simple to navigate, on the other it definitely lacks some advanced configuration options so loved by sysadmins. Luckily there is the mighty PowerShell coming to the rescue! You should already know its potential, which can also be utilized in Microsoft 365. Find out how.
New-ComplianceSearch: how to use the newer version of Search-Mailbox

New-ComplianceSearch: how to use the newer version of Search-Mailbox

Microsoft retired the Search-Mailbox cmdlet – now what? Discover how to use New-ComplianceSearch, its key advantages and how to make the switch seamlessly.
How to start remote PowerShell session to Exchange or Microsoft 365

How to start remote PowerShell session to Exchange or Microsoft 365

One of many features of the PowerShell command line tool is its ability to connect with and manage the Exchange Server remotely. The procedure described below applies to the classic on-prem Exchange server and to the Microsoft 365/Exchange Online version.

Comments

  1. Users are still able to change their photos in the myaccount.microsoft.com page. I have been working with Microsoft on how to block it but so far they have no idea. If there is a way to block this page as well, we would have a working solution.

  2. Is there an article on learn.microsoft about this?
    Unfortunately this does NOT work. Users can still change their picture in Microsoft Teams. However, this image will not be transferred to other services!

    • avatar
      Adam the 32-bit Aardvark says:

      I’ve just tested it. Applied Set-PhotoEnabled $false to the default mailbox policy and restarted a user’s Teams client. When trying to use the change photo option, I get an error “Picture options are disabled by policy”. Check your policy settings and make sure that users shutdown their Teams clients (and devices in general), at least once in a while.

  3. Great write-up! I noticed there was never a response from the backdoor comment, and I know this might be obvious to some, but I thought it might be helpful to mention that one could always blacklist this specific URL so your staff can’t access it.

  4. Hi, I downloaded CodeTwo User Photos Manager, but it shows me just few users, and on some users old pictures, like kind cached one… Is there some settings required?

    • avatar
      Adam the 32-bit Aardvark says:

      Hi,
      Note that an Office 365 (Microsoft 365) account with global admin rights is required to grant the necessary permissions to the application to perform its tasks (access users’ profiles and update their photos).
      To manage photos for all users in your organization, an Office 365 user that signs in to the application needs to be assigned the Global administrator or User administrator role in Azure AD. See this Knowledge Base article to learn how to do this

  5. avatar
    Rajeev Verma says:

    There must be more backdoors. We have Picture upload blocked in our tenant via OWA policy, Remote PS is blocked for All users and Picture property is set to False in SPO Online profile Policy, Access to Azure portal /AAD is also blocked . But users are still able to upload the pics through some other method and we are struggling to determine the backdoor. Recently We noticed Though Access to Azure portal/AAD is blocked for our regular users but anyone can access Azure Entra portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers) to change the profile picture OR upload a new one. We called Microsoft and reported the same. They appreciated the effort to report this backdoor and said product enginering is looking into this matter. This method to upload profile pic is also not capturing the events in audit logs which is another issue. The problem is how many more backdoors might have for users to change/upload pictures?

    • avatar
      Adam the 32-bit Aardvark says:

      Thanks for the comment! The quickest way to block this backdoor is to use Conditional Access Policies to block access to Azure portal. I’ll try to find a more granular method, though.

  6. Hi Adam,
    We can successfully manage all users profile photos using Code Two User Photos. However users photos are not updating in SharePoint until they visit a page that contains a person element for their user (Org Chart, Employee list, etc.).

  7. Per default users have permissions to the Cmdlets Set-UserPhoto and Remove-UserPhoto. These are assigned via the Default Role Assignment Policy.
    The Default Role Assignment Policy contains the roles MyContactInformation and MyBaseOptions, which both include the RoleEntries Set-UserPhoto and Remove-UserPhoto.

    There are several options to revoke permissions to these Cmdlets:

    1. Remove the Roles MyBaseOptions and MyContactInformation from the Role Assignment Policy
    This is most likely a bad choice, as this also revokes a lot of other permissions that are included in those roles.

    2. Remove the RoleEntries from the ManagementRole
    Remove-ManagementRoleEntry mybaseoptions\set-userphoto
    Remove-ManagementRoleEntry mybaseoptions\remove-userphoto

    If you are working with multiple Role Assignment Policies, this will revoke permissions for all policies that include those roles.

    3. Create custom Management Roles for MyBaseOptions and MyContactInformation, remove the RoleEntries and add them to the Default Role Assignment Policy
    New-ManagementRole -Name custom-mybaseoptions -Parent MyBaseOptions
    Remove-ManagementRoleEntry custom-mybaseoptions\set-userphoto
    Remove-ManagementRoleEntry custom-mybaseoptions\remove-userphoto

    New-ManagementRole -Name custom-mycontactinformation -Parent MyContactInformation
    Remove-ManagementRoleEntry custom-mycontactinformation\set-userphoto
    Remove-ManagementRoleEntry custom-mycontactinformation\remove-userphoto

    Get-ManagementRoleAssignment -Role mybaseoptions -RoleAssignee "Default Role Assignment Policy" | Remove-ManagementRoleAssignment
    Get-ManagementRoleAssignment -Role mycontactinformation -RoleAssignee "Default Role Assignment Policy" | Remove-ManagementRoleAssignment
    New-ManagementRoleAssignment -Role custom-mybaseoptions -Policy "Default Role Assignment Policy"
    New-ManagementRoleAssignment -Role custom-mycontactinformation -Policy "Default Role Assignment Policy"

    4. Create a new Role Assignment Policy and set it as default, then create custom roles and add these to your new default policy. This way you can always revert to the “Default Role Assignment Policy” in case you messed up.

    Be aware that the Role Assignment Policy, that is assigned to a user per default, is managed in the Mailbox Plan in Office 365. The same goes for the OWA Mailbox Policy, which is assigned by the CAS Mailbox Plan. See here.

    Hope this helps.

  8. avatar
    Ville Liukkonen says:

    User can still change picture by using Outlook client. It has link to page https://outlook.office.com/mail/changephoto and it works althought you have stopped it in SharePoint and Default OwaMailboxPolicy.

    • avatar
      Adam the 32-bit Aardvark says:

      Hi Ville,
      You are right, the URL is kind of backdoor to this setting for any user, regardless of the policy settings. As soon as the policy starts working, I cannot click the link in the Outlook client BUT visiting the URL still allows me to change the picture and reactivates the button in Outlook on the web.
      I’ll check if there is a way to block this backdoor and will post an update. Thanks for letting me know!

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.