Delegating photos management in CodeTwo User Photos for Office 365 to other users
Problem:
You want to delegate the management of user photos in CodeTwo User Photos for Office 365 to other users.
Solution:
By default, for security reasons, only global admins of your Microsoft 365 tenant can use CodeTwo User Photos for Office 365 to manage (add, change, or remove) user photos for all users in your organization. You can delegate this task to other admins, e.g. User Administrators in your tenant. Non-admin users, on the other hand, can use the application to manage their own photos only. However, the global admin first needs to grant consent to allow all users in your Microsoft 365 tenant to use the application.
Use the links below to learn how to:
- Allow non-admin users to access CodeTwo User Photos for Office 365
- Allow other Microsoft 365 admins to manage photos for all users
Allow non-admin users to access CodeTwo User Photos for Office 365
When a global admin signs in to CodeTwo User Photos for Office 365 for the first time, they need to select the checkbox shown in Fig. 1 to enable non-admin users to sign in to the application.
Fig. 1. Granting permissions to the application on behalf of all users.
You can also grant admin consent later in the Microsoft Entra admin center. To do so:
- Sign in to the Microsoft Entra admin center.
- In the left-hand menu, go to Azure Active Directory (or Identity) > Applications > Enterprise applications (see Fig. 2.).
- Find and click CodeTwo User Photos for Office 365 on the app list. You can use the search box to filter the listed apps, as shown in Fig. 2.
Fig. 2. Accessing the CodeTwo User Photos for Office 365 application settings.
- On the application's page, go to Permissions and click Grant admin consent for <your organization name> (Fig. 3.).
Fig. 3. Granting admin consent for the application on behalf of all users in the Microsoft Entra admin center.
- In the window that opens, sign in with your global admin account and accept the permissions required by the CodeTwo application.
If you encounter any errors at this point, see the troubleshooting section below.
Your users should now be able to sign in to the application and use it to:
- List all users in your organization and check their basic properties (display name, email address and photos).
- Export photos of all users.
- Manage (add/remove) their own user photo.
If you want other users to be able to manage photos for all users in your organization, you need to assign them to the appropriate admin roles in Microsoft 365 (Entra ID / Azure AD), as described in the section below.
Allow other Microsoft 365 admins to manage photos for all users
A user needs the following permissions to be able to manage user photos company-wide in CodeTwo User Photos for Office 365:
- Group.Read.All
- User.Read.All
- User.ReadWrite
- User.ReadWrite.All
The first three permissions are assigned by default to all Entra ID users. The last permission, User.ReadWrite.All, is reserved for admins only (e.g. Global Administrator and User Administrator in Microsoft 365), as it gives the capability to, for example, create and delete users, update their properties, etc.
Since it’s not possible to assign the permission itself to a user (or group), you need to assign an admin role instead. We recommend assigning the User Administrator role, as it is far less privileged than the Global Administrator role.
- Sign in to the Microsoft Entra admin center.
- In the left-hand menu, go to Azure Active Directory (or Identity) > Roles and admins > Roles and admins (see Fig. 4.).
Tip
If you can't see the Roles and admins menu item, click Show more.
- Find User Administrator on the list and click it. You can use the search box to filter the listed roles, as shown in Fig. 4.
Fig. 4. Managing admin roles in the Microsoft Entra admin center.
- Click Add assignments on the User Administrator role page.
- In the pane that opens, select users and/or groups* to which you want to assign this role and click Add (Fig. 5.).
* Important
Only groups that can be assigned to an Entra ID role are listed here. See this Microsoft article to learn how to create such groups.
Fig. 5. Assigning admin roles to users/groups in the Microsoft Entra admin center.
All users assigned the User Administrator role should now be able to use CodeTwo User Photos for Office 365 to manage photos for all users in your organization. If not, wait a couple of minutes for the change to propagate. You should also ask these users to sign out of the application and sign in again.
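The same role assignment can be scripted and then reviewed from PowerShell. The script below is an added example, not part of CodeTwo's documentation. It assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with an account allowed to manage role assignments. The UPN is a constructed placeholder.

```powershell
# Added example: assign the User Administrator role with Microsoft Graph
# PowerShell and list every principal that holds it, so the delegation
# can be reviewed. Not taken from the CodeTwo article.
param(
    # Constructed placeholder; replace with the delegate's sign-in name.
    [string]$DelegateUpn = 'photo.admin@example.com'
)

# Scopes needed to read users and to read/write directory role assignments.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Look the role up by name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'User Administrator'"
if (-not $role) { throw 'User Administrator role definition not found.' }

$user = Get-MgUser -UserId $DelegateUpn

# Current active assignments of this role.
$filter = "roleDefinitionId eq '$($role.Id)'"
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All)

# Assign only if the user does not hold the role yet (tenant-wide scope '/').
if ($assignments.PrincipalId -notcontains $user.Id) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
    $assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All)
}

# Resolve each principal (user, group or service principal) for the review list.
$assignments | ForEach-Object {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
    [pscustomobject]@{
        Principal = $principal.AdditionalProperties['displayName']
        Type      = $principal.AdditionalProperties['@odata.type']
        Scope     = $_.DirectoryScopeId
    }
} | Sort-Object Type, Principal | Format-Table -AutoSize
```

The list covers active assignments only. Eligible assignments made through Privileged Identity Management are not included.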
Troubleshooting
Your users cannot sign in to the application despite granting them access using admin consent
The default User.Read.All permission in Entra ID allows all Microsoft 365 users to view the profile info of other users in their organization. However, this default permission can be disabled organization-wide in your tenant (which is not recommended by Microsoft). Without this permission, your users also won't be able to sign in to CodeTwo User Photos for Office 365.
To enable this permission in your organization, you can run the following cmdlet:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $True
Related products: CodeTwo User Photos for Office 365
Categories: How-To
Last modified: March 12, 2024
Created: January 17, 2023
ID: 1017