How to prevent users from changing profile photos in Microsoft 365

[Update]: This post was updated on November 3, 2023 to reflect changes in Microsoft 365 (Office 365).

When you set up user photos in Microsoft 365 (Office 365), they propagate through the whole Microsoft 365 tenant and apps integrated with Entra ID (Azure AD). This means that they are displayed in Outlook, Teams, SharePoint, and more. By default, any user can change their photo to anything they like. This might be a problem for admins who want to keep everything in order. In this article, I’ll show you why and how to block users from changing their photos in Microsoft 365.


Why prevent users from changing photos in Microsoft 365?

The most important reason to lock the ability of users to change their profile photos is to ensure a unified visual identity. If you don’t restrict permissions, any user can overwrite the photo that you (the admin) set up for them in Microsoft 365 to comply with your organization’s guidelines. When users control their profile pictures, it’s impossible to maintain the same quality across the whole organization. That’s why setting restrictions on user profile photo management in Microsoft 365 is crucial for many companies.

Where can users change their profile photo?

Users can change their profile photo by clicking their avatar in the top right corner of any Microsoft 365 app:

How to change a Microsoft 365 (Office 365) profile photo in a Microsoft 365 app or service

Additionally, users can use Delve, an app dedicated to managing their Microsoft 365 profile:

How to change a Microsoft 365 (Office 365) profile photo in the Microsoft Delve app

Finally, a profile photo can be changed by navigating to the following URL: https://outlook.office.com/mail/changephoto. In the past, the URL used to be a “backdoor” for users to change their photos despite policies. Now, the correct mailbox policy blocks this as well.

Note that regardless of the method you choose, it can take up to 48 hours for the photo to propagate across Microsoft 365 apps & services.

How to block users from changing their photos in Microsoft 365

To successfully prevent users from changing their own profile photos, you need to change your Outlook on the web policy. To do so, you’ll need to use PowerShell.

First, you need to start a remote PowerShell session to your Microsoft 365 (Exchange Online). See instructions in this article.

If you want to prevent all users from changing their profile photos, you need to change the default OWA (Outlook on the web) policy. The default policy’s name is OwaMailboxPolicy-Default. While its name can be changed, the default policy gets recreated with the default name and will be applied to newly created users. Since you can have other policies that apply to a subset of users only, let’s first check what policies you have by running:

Get-OwaMailboxPolicy | FL name,SetPhotoEnabled
PowerShell get OWA profile policies

The results suggest that I only have the default Outlook on the web mailbox policy, and it allows users to change their profile photos.

To prevent all users from changing their pictures, I can run:

Set-OwaMailboxPolicy OwaMailboxPolicy-Default -SetPhotoEnabled $false

And that’s it. Within up to 60 minutes, all users who try to change their profile photo will fail to do so.

If you want to prevent only a subset of users from changing their photos, you need to create a new mailbox policy, change its SetPhotoEnabled attribute and assign it to the subset of users. See instructions below.

Note: You can create a new Outlook on the web policy in the Exchange admin center (EAC) and assign it to users. However, currently, you cannot change the SetPhotoEnabled parameter using this interface, so I’ll show the whole procedure using PowerShell only.

First, create a new Outlook on the web policy with the SetPhotoEnabled attribute set to $false:

New-OwaMailboxPolicy "Prevent users from changing their photos" | Set-OwaMailboxPolicy -SetPhotoEnabled $false

To apply the policy for a single user (m.smith in the example below), run the following cmdlet:

Set-CASMailbox -Identity [email protected] -OwaMailboxPolicy "Prevent users from changing their photos"

To apply the OWA mailbox policy to more users, it’s easiest to use a foreach loop. In the example below, I use PowerShell to get all members of the Microsoft 365 group called “Marketing” and apply the new policy to them:

$members = Get-UnifiedGroupLinks -Identity "Marketing" -LinkType Members
foreach ($member in $members) { Set-CASMailbox -Identity $member.Guid -OwaMailboxPolicy "Prevent users from changing their photos" }

Once you apply the change, you can use the following cmdlet to check if the right OWA mailbox policy has been applied to users:

Get-CASMailbox | FL name,OwaMailboxPolicy 
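The whole procedure above (create the policy, assign it to a group, verify) as one re-runnable script, added here as an example and not taken from the article; it assumes an existing Exchange Online session, a group named "Marketing" (placeholder), and that a mailbox with an empty OwaMailboxPolicy falls back to the policy flagged IsDefault:

```powershell
# Added example: create the restrictive OWA mailbox policy once, assign it to the
# members of a Microsoft 365 group, then report which mailboxes can still set photos.
$PolicyName = "Prevent users from changing their photos"
$GroupName  = "Marketing"   # placeholder group name

# 1. Create the policy only if it does not exist yet, so the script can be re-run
$policy = Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-OwaMailboxPolicy -Name $PolicyName
}
# 2. Enforce the photo restriction on it (New-OwaMailboxPolicy leaves it enabled)
if ($policy.SetPhotoEnabled) {
    Set-OwaMailboxPolicy -Identity $PolicyName -SetPhotoEnabled $false
}

# 3. Assign the policy to each group member that does not have it yet
$members = Get-UnifiedGroupLinks -Identity $GroupName -LinkType Members
foreach ($m in $members) {
    $cas = Get-CASMailbox -Identity $m.Guid -ErrorAction SilentlyContinue
    if (-not $cas) { Write-Warning "No mailbox for $($m.Name), skipping"; continue }
    if ("$($cas.OwaMailboxPolicy)" -ne $PolicyName) {
        Set-CASMailbox -Identity $cas.Identity -OwaMailboxPolicy $PolicyName
    }
}

# 4. Verification: resolve every mailbox's policy to its SetPhotoEnabled value.
#    Assumption: an empty OwaMailboxPolicy means the IsDefault policy applies.
$photoByPolicy = @{}
Get-OwaMailboxPolicy | ForEach-Object { $photoByPolicy[$_.Name] = $_.SetPhotoEnabled }
$default = (Get-OwaMailboxPolicy | Where-Object IsDefault | Select-Object -First 1).Name

Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $p = if ($_.OwaMailboxPolicy) { "$($_.OwaMailboxPolicy)" } else { $default }
    [pscustomobject]@{
        Mailbox          = $_.PrimarySmtpAddress
        OwaMailboxPolicy = $p
        SetPhotoEnabled  = $photoByPolicy[$p]
    }
} | Where-Object SetPhotoEnabled | Format-Table -AutoSize
```

The final table lists only mailboxes whose effective policy still allows photo changes; an empty result means every mailbox is covered.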

This concludes modifying the Outlook on the web mailbox policy to prevent users from changing profile photos. It should work for all the above-mentioned places in Microsoft 365 where a profile photo can be changed.

Now, when a user tries to change their profile photo, they will see a relevant message without being able to edit their photo in any way.

Photo change in Microsoft 365 has been blocked - a user sees just an error message

Since users can no longer edit their picture attribute, you can manage user photos without worrying that someone will overwrite them.

How to manage user photos in Microsoft 365

CodeTwo User Photos is a free tool that allows you to centrally manage profile photos in Microsoft 365 for all users. If you’re an admin, you can use this app after preventing users from changing their profile images. It will help you easily upload user photos to Microsoft 365, so that they will appear in SharePoint, Exchange Online, Outlook on the web, Microsoft Teams and any other Microsoft 365-connected app and service.

What’s more, the tool will let you automatically rotate and resize images, so that they always meet Microsoft 365 photo requirements. It’s especially useful since the old Set-UserPhoto cmdlet has been discontinued.

15 thoughts on “How to prevent users from changing profile photos in Microsoft 365”

  1. Is there an article on learn.microsoft about this?
    Unfortunately this does NOT work. Users can still change their picture in Microsoft Teams. However, this image will not be transferred to other services!

    • I’ve just tested it. Applied SetPhotoEnabled $false to the default mailbox policy and restarted a user’s Teams client. When trying to use the change photo option, I get an error “Picture options are disabled by policy”. Check your policy settings and make sure that users shut down their Teams clients (and devices in general), at least once in a while.

  2. Great write-up! I noticed there was never a response from the backdoor comment, and I know this might be obvious to some, but I thought it might be helpful to mention that one could always blacklist this specific URL so your staff can’t access it.

  3. Hi, I downloaded CodeTwo User Photos Manager, but it shows me just a few users, and for some users old pictures, like kind of cached ones… Are there some settings required?

    • Hi,
      Note that an Office 365 (Microsoft 365) account with global admin rights is required to grant the necessary permissions to the application to perform its tasks (access users’ profiles and update their photos).
      To manage photos for all users in your organization, the Office 365 user that signs in to the application needs to be assigned the Global administrator or User administrator role in Azure AD. See this Knowledge Base article to learn how to do this.

  4. There must be more backdoors. We have picture upload blocked in our tenant via OWA policy, remote PS is blocked for all users and the Picture property is set to False in the SPO Online profile policy. Access to the Azure portal/AAD is also blocked. But users are still able to upload the pics through some other method and we are struggling to determine the backdoor. Recently we noticed that though access to the Azure portal/AAD is blocked for our regular users, anyone can access the Azure Entra portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers) to change the profile picture OR upload a new one. We called Microsoft and reported the same. They appreciated the effort to report this backdoor and said product engineering is looking into this matter. This method to upload a profile pic is also not capturing the events in audit logs, which is another issue. The problem is how many more backdoors there might be for users to change/upload pictures.

    • Thanks for the comment! The quickest way to block this backdoor is to use Conditional Access Policies to block access to Azure portal. I’ll try to find a more granular method, though.

  5. Hi Adam,
    We can successfully manage all users’ profile photos using CodeTwo User Photos. However, users’ photos are not updating in SharePoint until they visit a page that contains a person element for their user (Org Chart, Employee list, etc.).

  6. By default, users have permissions to the cmdlets Set-UserPhoto and Remove-UserPhoto. These are assigned via the Default Role Assignment Policy.
    The Default Role Assignment Policy contains the roles MyContactInformation and MyBaseOptions, which both include the RoleEntries Set-UserPhoto and Remove-UserPhoto.

    There are several options to revoke permissions to these Cmdlets:

    1. Remove the Roles MyBaseOptions and MyContactInformation from the Role Assignment Policy
    This is most likely a bad choice, as this also revokes a lot of other permissions that are included in those roles.

    2. Remove the RoleEntries from the ManagementRole
    Remove-ManagementRoleEntry mybaseoptions\set-userphoto
    Remove-ManagementRoleEntry mybaseoptions\remove-userphoto

    If you are working with multiple Role Assignment Policies, this will revoke permissions for all policies that include those roles.

    3. Create custom Management Roles for MyBaseOptions and MyContactInformation, remove the RoleEntries and add them to the Default Role Assignment Policy
    New-ManagementRole -Name custom-mybaseoptions -Parent MyBaseOptions
    Remove-ManagementRoleEntry custom-mybaseoptions\set-userphoto
    Remove-ManagementRoleEntry custom-mybaseoptions\remove-userphoto

    New-ManagementRole -Name custom-mycontactinformation -Parent MyContactInformation
    Remove-ManagementRoleEntry custom-mycontactinformation\set-userphoto
    Remove-ManagementRoleEntry custom-mycontactinformation\remove-userphoto

    Get-ManagementRoleAssignment -Role mybaseoptions -RoleAssignee "Default Role Assignment Policy" | Remove-ManagementRoleAssignment
    Get-ManagementRoleAssignment -Role mycontactinformation -RoleAssignee "Default Role Assignment Policy" | Remove-ManagementRoleAssignment
    New-ManagementRoleAssignment -Role custom-mybaseoptions -Policy "Default Role Assignment Policy"
    New-ManagementRoleAssignment -Role custom-mycontactinformation -Policy "Default Role Assignment Policy"

    4. Create a new Role Assignment Policy and set it as default, then create custom roles and add these to your new default policy. This way you can always revert to the “Default Role Assignment Policy” in case you messed up.

    Be aware that the Role Assignment Policy that is assigned to a user by default is managed in the Mailbox Plan in Office 365. The same goes for the OWA Mailbox Policy, which is assigned by the CAS Mailbox Plan. See here.

    Hope this helps.
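A read-only audit that goes with the RBAC approach in this comment, added here as an example (not the commenter’s code): it lists every management role that still contains Set-UserPhoto or Remove-UserPhoto and which end-user role assignment policies hand those roles out, so you can confirm a change like the one above actually took effect. It assumes an existing Exchange Online session.

```powershell
# Added example: find roles that still grant the photo cmdlets and the role
# assignment policies (end-user RBAC) that include those roles. Changes nothing.
$cmdlets = "Set-UserPhoto", "Remove-UserPhoto"

# Role entries are addressed as "<Role>\<Cmdlet>"; a wildcard role matches all roles,
# including custom ones such as a "custom-mybaseoptions" role created from a parent.
$roles = foreach ($c in $cmdlets) {
    Get-ManagementRoleEntry -Identity "*\$c" | Select-Object -ExpandProperty Role
}
$roles = $roles | Sort-Object -Unique

# For each such role, report the role assignment policies it is assigned to and
# whether that policy is the tenant default (the one new mailboxes receive).
foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -RoleAssigneeType RoleAssignmentPolicy |
        ForEach-Object {
            $pol = Get-RoleAssignmentPolicy -Identity $_.RoleAssignee
            [pscustomobject]@{
                Role      = $role
                Policy    = $pol.Name
                IsDefault = $pol.IsDefault
            }
        }
}
```

If the default policy still appears next to a role containing Set-UserPhoto, end users can still call the cmdlet regardless of the OWA mailbox policy.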

  7. Users can still change the picture by using the Outlook client. It has a link to the page https://outlook.office.com/mail/changephoto and it works although you have stopped it in SharePoint and the Default OwaMailboxPolicy.

    • Hi Ville,
      You are right, the URL is a kind of backdoor to this setting for any user, regardless of the policy settings. As soon as the policy starts working, I cannot click the link in the Outlook client BUT visiting the URL still allows me to change the picture and reactivates the button in Outlook on the web.
      I’ll check if there is a way to block this backdoor and will post an update. Thanks for letting me know!
