How to prevent users from changing profile photos in Microsoft 365

Update: This post was updated on July 22, 2020.

When you set up user photos in Microsoft 365 (Office 365), they propagate through the whole Microsoft 365 tenant and apps integrated with Azure AD. This means that they are displayed in Outlook, Teams, SharePoint, and more. By default, any user can change their photo to anything they like. This might be a problem for admins who want to keep everything in order. In this article, I’ll show you why and how to block users from changing their photos in Microsoft 365.


Why prevent users from changing photos in Microsoft 365?

The most important reason to lock the ability of users to change their profile photos is to ensure a unified visual identity. If you don’t restrict permissions, any user can overwrite the photo that you (the admin) set up for them in Microsoft 365 to comply with your organization’s guidelines. When users control their profile pictures, it’s impossible to maintain the same quality across the whole organization. What’s more, since users can change their photos from a few different places, they might end up having different photos in various Microsoft 365 apps (photos can take up to 72 hours to sync or can run into sync issues). That’s why setting restrictions on user profile photo management in Microsoft 365 is crucial for many companies.

Where can users change their profile photo?

The challenging part with preventing users from changing their Office/Microsoft 365 photos is that users can change them from more than one place independently:

  • Delve
  • Microsoft 365 profile
  • SharePoint Online
  • Microsoft Teams

Luckily, since April 2020 Microsoft Teams honors the Outlook on the web (OWA) policy settings, so there are only two settings that need to be changed to take full control of user photos in Microsoft 365.

Important: Users can also change their photos using the following URL: https://outlook.office.com/mail/changephoto. That’s where blocking gets tricky, but I will get to that.

How to block users from changing their photos in Microsoft 365

To successfully prevent users from changing their own profile photos, you need to:

  1. Change your Outlook on the web policy.
  2. Set up SharePoint Online permissions.
  3. Block access to the direct photo settings link.

To do so, you’ll need to use PowerShell, Microsoft 365 admin center, and do something about the URL which can be used as a backdoor.

Change Outlook on the web policy settings

First, you need to start a remote PowerShell session to your Microsoft 365 (Exchange Online). See instructions in this article.

If you want to prevent all users from changing their profile photos, you need to change the default OWA (Outlook on the Web) policy. The default policy’s name is OwaMailboxPolicy-Default. While its name can be changed, the default policy gets recreated with the default name and will be applied to newly created users. Since you can have other policies that apply to a subset of users only, let’s first check what policies you have by running:

Get-OwaMailboxPolicy | FL name,SetPhotoEnabled

The results suggest that I only have the default Outlook on the web mailbox policy, and it allows users to change their profile photos.

To prevent all users from changing their pictures, I can run:

Set-OwaMailboxPolicy OwaMailboxPolicy-Default -SetPhotoEnabled $false

And that’s it. The change can take up to 60 minutes to apply; after that, all users who try to change their profile photo will fail to do so (unless they use SharePoint, but I’ll get to this in the next section).

If you want to prevent only a subset of users from changing their photos, you need to create a new mailbox policy, change its SetPhotoEnabled attribute and assign it to the subset of users. See instructions below.

Note: You can create a new Outlook on the web policy in the Exchange admin center (EAC) and assign it to users. However, currently, you cannot change the SetPhotoEnabled parameter using this interface, so I’ll show the whole procedure using PowerShell only.

First, create a new Outlook on the web policy with the SetPhotoEnabled attribute set to $false:

New-OwaMailboxPolicy "Prevent users from changing their photos" | Set-OwaMailboxPolicy -SetPhotoEnabled $false

To apply the policy for a single user (j.doe in the example below), run the following cmdlet:

Set-CASMailbox -Identity j.doe@example.com -OwaMailboxPolicy "Prevent users from changing their photos"

To apply the OWA mailbox policy to more users, it’s easiest to use the Foreach loop. In the example below, I use PowerShell to get all members of the Microsoft 365 group called “Marketing” and apply the new policy to them:

$members=(Get-UnifiedGroupLinks "Marketing" -LinkType members).UserPrincipalName;
Foreach ($member in $members) {Set-CASMailbox -Identity $member -OwaMailboxPolicy "Prevent users from changing their photos"};

Once you apply the change, you can use the following cmdlet to check if the right OWA mailbox policy has been applied to users:

Get-CASMailbox | FL name,OwaMailboxPolicy 

This concludes changing the Outlook on the web mailbox policy to prevent users from changing profile photos. It should work for all places other than SharePoint. The next step is to change your SharePoint Online settings.
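To confirm the lockdown and catch later drift (for example, a new policy created with photo changes enabled), the check above can be extended into an audit of every mailbox's effective OWA policy. This is an added example, not part of the original post; it assumes a connected Exchange Online PowerShell session and that a mailbox without an explicit policy uses the policy flagged IsDefault.

```powershell
# Added example (not from the original post). Assumes a connected Exchange Online session.

# Policy name -> SetPhotoEnabled, for every OWA mailbox policy in the tenant.
$policies = @(Get-OwaMailboxPolicy)
$photoAllowed = @{}
foreach ($policy in $policies) {
    $photoAllowed[$policy.Name] = [bool]$policy.SetPhotoEnabled
}

# Assumption: a mailbox without an explicit policy uses the one flagged IsDefault.
$defaultPolicy = ($policies | Where-Object { $_.IsDefault } | Select-Object -First 1).Name

$report = foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
    $policyName = if ($mbx.OwaMailboxPolicy) { [string]$mbx.OwaMailboxPolicy } else { $defaultPolicy }

    # A policy name missing from the map is reported as Unknown, not as blocked.
    $state = if ($policyName -and $photoAllowed.ContainsKey($policyName)) {
        if ($photoAllowed[$policyName]) { 'Allowed' } else { 'Blocked' }
    } else { 'Unknown' }

    [pscustomobject]@{
        Mailbox     = $mbx.PrimarySmtpAddress
        OwaPolicy   = $policyName
        PhotoChange = $state
    }
}

# Policies that still permit photo changes, then the mailboxes that are not locked down.
$policies | Where-Object { $_.SetPhotoEnabled } | Format-Table Name, IsDefault, SetPhotoEnabled
$report | Where-Object { $_.PhotoChange -ne 'Blocked' } | Sort-Object OwaPolicy, Mailbox | Format-Table -AutoSize
```

An empty second table means every mailbox is covered by a policy with SetPhotoEnabled set to $false. It says nothing about the SharePoint Online setting or the direct URL, which are handled separately.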

SharePoint Online profile policy

Setting up your SharePoint Online profile policy requires you to use the Microsoft 365 admin center interface.

  1. Go to Microsoft 365 admin center, click Show all in the left menu and choose SharePoint to access the SharePoint Online admin center.
  2. In the SharePoint Online admin center, click More features, and click Open in the User profiles section.
  3. Go to Manage User Properties.
  4. Click Picture and then click Edit Policy.
  5. In the Policy settings, clear the Allow users to edit values for this property checkbox, scroll down and click OK.

From now on, users should no longer be able to edit their profile photos from SharePoint. This applies to all users in your Microsoft 365 organization. Currently, there is no method to fine-tune this policy to prevent only specific users from changing their profile photos in SharePoint Online.

Block the URL that links to the photo settings

Now, this is a tricky part. Any user who visits the https://outlook.office.com/mail/changephoto URL will be able to change their Microsoft 365 photo. Most solutions used to block URLs, like editing the hosts file or changing the DNS settings, will not work for a specific URL, but for a whole domain. Blocking the whole outlook.office.com domain will make Outlook on the web inaccessible. Besides, you will need to block this domain for mobile devices, too. So, to completely prevent your users from changing their Microsoft 365 photo, you can:

  1. Use Client Access Rules to completely block access to Outlook on the Web and its settings. Users will still be able to use Outlook for their mailing needs.
  2. Block the specific URL with a firewall. This seems like the most elegant solution, but requires a firewall with such a feature and being able to use this firewall for all users’ connections to Microsoft 365.

Changing all these settings stops users from editing their photos but still allows everyone to see the assigned profile images. Since users can no longer edit their picture attribute, you can manage user photos without worrying that someone will overwrite them.

How to manage user photos in Microsoft 365

CodeTwo User Photos is a free tool that allows you to centrally manage profile photos in Microsoft 365 for all users. If you’re an admin, you can use this app after preventing users from changing their profile images. It will help you easily upload user photos to Microsoft 365, so that they will appear in SharePoint, Exchange Online, Outlook on the web, Microsoft Teams and practically any Microsoft 365-connected app and service.

What’s more, the tool will let you automatically rotate and resize images, so that they always meet Microsoft 365 photo requirements.

Download it here for free


2 thoughts on “How to prevent users from changing profile photos in Microsoft 365”


  1. Users can still change their picture by using the Outlook client. It has a link to the page https://outlook.office.com/mail/changephoto and it works although you have stopped it in SharePoint and the default OwaMailboxPolicy.

    • Hi Ville,
      You are right, the URL is kind of backdoor to this setting for any user, regardless of the policy settings. As soon as the policy starts working, I cannot click the link in the Outlook client BUT visiting the URL still allows me to change the picture and reactivates the button in Outlook on the web.
      I’ll check if there is a way to block this backdoor and will post an update. Thanks for letting me know!
