Delegating photos management in CodeTwo User Photos for Office 365 to other users
Problem:
You want to delegate the management of user photos in CodeTwo User Photos for Office 365 to other users.
Solution:
By default, for security reasons, only global admins of your Microsoft 365 tenant can use CodeTwo User Photos for Office 365 to manage (add, change, or remove) user photos for all users in your organization. You can delegate this task to other admins, e.g. User Administrators in your tenant. Non-admin users, on the other hand, can use the application to manage their own photos only. However, the global admin first needs to grant consent to allow all users in your Microsoft 365 tenant to use the application.
Use the links below to learn how to:
- Allow non-admin users to access CodeTwo User Photos for Office 365
- Allow other Microsoft 365 admins to manage photos for all users
Allow non-admin users to access CodeTwo User Photos for Office 365
When a global admin signs in to CodeTwo User Photos for Office 365 for the first time, they need to select the checkbox shown in Fig. 1. to enable non-admin users to sign in to the application.
Fig. 1. Granting permissions to the application on behalf of all users.
You can also grant admin consent later in the Azure Active Directory admin center. To do so:
- Sign in to the Azure AD admin center.
- Go to Enterprise applications.
- Find and click CodeTwo User Photos for Office 365 on the app list. You can use the search box to filter the listed apps, as shown in Fig. 2.
Fig. 2. Locating the CodeTwo User Photos for Office 365 application in Azure AD.
- On the application's page, go to Permissions and click Grant admin consent for <your organization>.
Fig. 3. Granting admin consent for the application on behalf of all users in the Azure AD admin center.
- In the window that opens, sign in with your global admin account and accept the permissions required by the CodeTwo application.
If you encounter any errors at this point, see the troubleshooting section below.
Your users should now be able to sign in to the application and use it to:
- List all users in your organization and check their basic properties (display name, email address and photos).
- Export photos of all users.
- Manage (add/remove) their own user photo.
If you want other users to be able to manage photos for all users in your organization, you need to assign them to the appropriate admin roles in Microsoft 365 (Azure AD), as described in the section below.
Allow other Microsoft 365 admins to manage photos for all users
A user needs the following permissions to be able to manage user photos company-wide in CodeTwo User Photos for Office 365:
- Group.Read.All
- User.Read.All
- User.ReadWrite
- User.ReadWrite.All
The first three permissions are assigned by default to all Azure AD users. The last permission, User.ReadWrite.All, is reserved for admins only (e.g. Global Administrator and User Administrator in Microsoft 365), as it gives the capability to, for example, create and delete users, update their properties, etc.
Since it’s not possible to assign the permission itself to a user (or group), you need to assign an admin role instead. We recommend assigning the User Administrator role, as it is far less privileged than the Global Administrator role.
- Sign in to the Azure AD admin center.
- Go to Azure Active Directory > Roles and administrators.
- Find User Administrator on the list and click it. You can use the search box to filter the listed roles, as shown in Fig. 4.
Fig. 4. Managing admin roles in the Azure AD admin center.
- Click Add assignments on the User Administrator role page.
- In the pane that opens, select users and/or groups* to which you want to assign this role and click Add (Fig. 5.).
* Important
Only groups that can be assigned to an Azure AD role are listed here. See this Microsoft article to learn how to create such groups.
Fig. 5. Assigning admin roles to users/groups in the Azure AD admin center.
All users assigned the User Administrator role should now be able to use CodeTwo User Photos for Office 365 to manage photos for all users in your organization. If not, wait a couple of minutes for the change to propagate. You should also ask these users to sign out of the application and sign in again.
Troubleshooting
Check the following troubleshooting topics to find a solution to your problem:
- You cannot grant admin consent in the Azure AD admin center
- Your users cannot sign in to the application despite granting them access using admin consent
You cannot grant admin consent in the Azure AD admin center
When you get the AADSTS50011 error (the reply URL specified in the request does not match, as shown in Fig. 6.), it might mean that you are attempting to grant admin consent in the Microsoft Entra admin center (entra.microsoft.com).
Fig. 6. The redirect URI error shown in Microsoft Entra.
See this Microsoft article to learn how to fix this issue or simply sign in to the Azure Active Directory admin center instead (aad.portal.azure.com) and perform these steps again.
Your users cannot sign in to the application despite granting them access using admin consent
The default User.Read.All permission in Azure AD allows all Microsoft 365 users to view the profile info of other users in their organization. However, this default permissions can be disabled organization-wide in your tenant (which is not recommended by Microsoft). Without this permission, your users also won't be able to sign in to CodeTwo User Photos for Office 365.
To enable this permission in your organization, you can run the following cmdlet:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $True
| Related products: | CodeTwo User Photos for Office 365 |
| Categories: | How-To |
| Last modified: | January 30, 2023 |
| Created: | January 17, 2023 |
| ID: | 1017 |
