Update: This post was updated on July 22, 2020.
When you set up user photos in Microsoft 365 (Office 365), they are shared throughout the Microsoft 365 tenant and apps integrated with Azure AD. That means they show up in Outlook, Teams, SharePoint, and more. By default, any user can change their photo to whatever they want. This could be a problem for admins who want to keep everything in order. In this article, I’ll show you why and how to prevent users from changing their photos in Microsoft 365.
Why prevent users from changing photos in Microsoft 365?
The number one reason for blocking users’ ability to change their profile photos is to ensure a consistent visual identity. If you don’t restrict permissions, any user can override the photo that you (the admin) set up for them in Microsoft 365 to comply with your organization’s policies. When users control their profile pictures, it’s impossible to maintain the same quality across the organization. Also, because users can change their photos from different places, they might have different photos in different Microsoft 365 Apps (photos can take up to 72 hours to sync or you might experience sync issues). That’s why setting restrictions on how user profile photos are managed in Microsoft 365 is critical for many organizations.
Where can users change their profile photo?
The tricky part about preventing users from changing their Office/Microsoft 365 photos is that users can independently change them from more than one place:
- Delve
- Microsoft 365 profile
- SharePoint Online
- Microsoft Teams
Fortunately, as of April 2020, Microsoft Teams respects Outlook on the web (OWA) policy settings, so you only need to change two settings to take full control of user photos in Microsoft 365.
Important: Users can also change their photos using the following URL: https://outlook.office.com/mail/changephoto. This is where blocking gets tricky, but I’ll get to that.
How to prevent users from changing their photos in Microsoft 365
To successfully prevent users from changing their own profile photos, you must:
- Change your Outlook on the web policy.
- Set up SharePoint Online permissions.
- Block access to the direct photo settings link.
To do this, you need to use PowerShell and the Microsoft 365 admin center, and you also have to deal with the URL that can be used as a backdoor.
Change Outlook on the web policy settings
First you need to start a remote PowerShell session to your Microsoft 365 (Exchange Online). See instructions in this article.
If you want to prevent all users from changing their profile photos, you need to change the default OWA (Outlook on the Web) policy. The name of the default policy is OwaMailboxPolicy-Default. While its name can be changed, the default policy is recreated with the default name and applied to newly created users. Since you can have other policies that only apply to a subset of users, let’s first check what policies you have by running:
Get-OwaMailboxPolicy | FL name,SetPhotoEnabled
The results indicate that I only have the default Outlook on the web mailbox policy and that users can change their profile photos.
To prevent all users from changing their images I can run:
Set-OwaMailboxPolicy OwaMailboxPolicy-Default -SetPhotoEnabled $false
And that’s it. Within up to 60 minutes, any user who tries to change their profile photo will no longer be able to (unless they are using SharePoint, but I’ll get to that in the next section).
If you want to prevent only a subset of users from changing their photos, you need to create a new mailbox policy, set its SetPhotoEnabled attribute to $false and assign it to that subset of users. See the instructions below.
Note: You can create a new Outlook on the web policy in the Exchange admin center (EAC) and assign it to users. However, currently you cannot change the SetPhotoEnabled parameter through this interface, so I’ll show the whole procedure using PowerShell only.
First, create a new Outlook on the web policy with the SetPhotoEnabled attribute set to $false:
New-OwaMailboxPolicy "Prevent users from changing their photos" | Set-OwaMailboxPolicy -SetPhotoEnabled $false
Run the following cmdlet to apply the policy for a single user (j.doe in the example below):
Set-CASMailbox -Identity j.doe@example.com -OwaMailboxPolicy "Prevent users from changing their photos"
To apply the OWA mailbox policy to more users, the easiest way is to use the foreach loop. In the following example, I use PowerShell to get all members of the Microsoft 365 group named “Marketing” and apply the new policy to them:
$members = (Get-UnifiedGroupLinks "Marketing" -LinkType Members).UserPrincipalName
foreach ($member in $members) { Set-CASMailbox -Identity $member -OwaMailboxPolicy "Prevent users from changing their photos" }
After applying the change, you can use the following cmdlet to verify that the correct OWA mailbox policy has been applied to users:
Get-CASMailbox | FL name,OwaMailboxPolicy
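The steps above can be combined into one idempotent script that audits the existing policies, creates the restrictive policy if it is missing, assigns it to a group’s members and then verifies the result. This is an added example, not code from the original article: it assumes an existing Exchange Online PowerShell session, and the group name “Marketing” and the policy name are placeholders to adapt to your tenant.

```powershell
# Added example (not from the original article): end-to-end OWA photo lockdown
# for the members of one Microsoft 365 group, with a verification pass at the end.
# Assumes an existing Exchange Online PowerShell session. The group name and the
# policy name below are assumptions; change them to fit your tenant.

$PolicyName = "Prevent users from changing their photos"
$GroupName  = "Marketing"

# 1. Audit: which OWA mailbox policies still allow users to change their photo?
Get-OwaMailboxPolicy |
    Select-Object Name, SetPhotoEnabled |
    Format-Table -AutoSize

# 2. Create the restrictive policy only if it does not exist yet.
$policy = Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-OwaMailboxPolicy -Name $PolicyName
}
# Enforce the setting even if the policy already existed (safe to re-run).
Set-OwaMailboxPolicy -Identity $PolicyName -SetPhotoEnabled $false

# 3. Assign the policy to every member of the group.
#    PrimarySmtpAddress is a valid -Identity for Set-CASMailbox.
$members = (Get-UnifiedGroupLinks -Identity $GroupName -LinkType Members).PrimarySmtpAddress
foreach ($member in $members) {
    Set-CASMailbox -Identity $member -OwaMailboxPolicy $PolicyName
}

# 4. Verify: report any group member whose mailbox still points at another policy.
$notApplied = foreach ($member in $members) {
    $cas = Get-CASMailbox -Identity $member
    if ("$($cas.OwaMailboxPolicy)" -ne $PolicyName) {
        [pscustomobject]@{ User = $member; CurrentPolicy = "$($cas.OwaMailboxPolicy)" }
    }
}
if ($notApplied) {
    Write-Warning "Policy not applied to $(@($notApplied).Count) mailbox(es):"
    $notApplied | Format-Table -AutoSize
} else {
    Write-Output "All $(@($members).Count) members of '$GroupName' now use '$PolicyName'."
}
```

Re-running the script is harmless: the policy is created once, the SetPhotoEnabled setting is re-applied, and the final report tells you which mailboxes, if any, still need attention (for example, users added to the group after the first run).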
This completes changing the Outlook on the web mailbox policy to prevent users from changing profile photos. It should work for all places except SharePoint. The next step is to change your SharePoint Online settings.
SharePoint Online profile policy
To set up your SharePoint Online profile policy, you must use the Microsoft 365 admin center interface.
- Go to the Microsoft 365 admin center, click Show all in the left menu and select SharePoint to access the SharePoint Online admin center.
- In the SharePoint Online admin center, click More features and then click Open in the User profiles section.
- Go to Manage User Properties.
- Click Picture and then click Edit Policy.
- In the policy settings, clear the Allow users to edit values for this property check box, scroll down and click OK.
From now on, users should no longer be able to edit their profile photos from SharePoint. This applies to all users in your Microsoft 365 organization. There is currently no way to fine-tune this policy to prevent only specific users from changing their profile photos in SharePoint Online.
Block the URL pointing to photo settings
Now for the tricky part. Any user who visits the https://outlook.office.com/mail/changephoto URL can change their Microsoft 365 photo. Most URL blocking solutions, like editing the hosts file or changing DNS settings, don’t work for a specific URL, only for an entire domain. Blocking the entire outlook.office.com domain makes Outlook on the web inaccessible. Also, you would need to block this domain for mobile devices as well. So, to completely prevent your users from changing their Microsoft 365 photo, you can:
- Use client access rules to completely block access to Outlook on the web and its settings. Users can continue to use Outlook for their mailing needs.
- Block the specific URL with a firewall. This seems like the most elegant solution, but it requires a firewall with such a feature and the ability to use that firewall for all user connections to Microsoft 365.
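The first option, a client access rule that denies Outlook on the web for a subset of users, can be set up and tested from the same Exchange Online PowerShell session. The following is an added example, not code from the original article: the rule name, the “Marketing” department filter and the test user and IP address are placeholders. It also assumes Client Access Rules are still available in your tenant; Microsoft has announced their retirement in Exchange Online, so check the current status before relying on them.

```powershell
# Added example (not from the original article): deny Outlook on the web for a
# subset of users with a client access rule, so the /mail/changephoto page is
# unreachable for them while Outlook desktop and mobile keep working.
# Assumes an Exchange Online PowerShell session and that Client Access Rules are
# still supported in your tenant. The rule name, the department filter and the
# test user/IP are assumptions; adjust them to your environment.

$RuleName = "Block OWA for Marketing"

# Create the rule once. -UserRecipientFilter uses OPATH syntax to select the users
# the rule applies to; -AnyOfProtocols OutlookWebApp limits it to OWA only.
$rule = Get-ClientAccessRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-ClientAccessRule -Name $RuleName `
        -Action DenyAccess `
        -AnyOfProtocols OutlookWebApp `
        -UserRecipientFilter "Department -eq 'Marketing'" `
        -Priority 1
}

# Check the effective result before trusting the rule: would this user, connecting
# over OWA from this address, be denied? (Placeholder user and IP address.)
Test-ClientAccessRule -User "j.doe@example.com" `
    -AuthenticationType OAuthAuthentication `
    -Protocol OutlookWebApp `
    -RemoteAddress 203.0.113.10 `
    -RemotePort 443

# Review all rules in priority order: an earlier AllowAccess rule still takes
# precedence over this DenyAccess rule.
Get-ClientAccessRule |
    Sort-Object Priority |
    Format-Table Name, Priority, Action, AnyOfProtocols, UserRecipientFilter -AutoSize
```

The Test-ClientAccessRule call is the important part: rules are evaluated in priority order, so a broad allow rule created earlier would silently override this one, and the test shows you the outcome for a concrete user before anyone is affected.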
Changing all of these settings prevents users from editing their photos, but still allows everyone to see their assigned profile pictures. Since users can no longer edit their image attribute, you can manage user photos without fear of someone overwriting them.
How to manage user photos in Microsoft 365
CodeTwo User Photos is a free tool that allows you to centrally manage profile photos in Microsoft 365 for all users. If you are an admin, you can use this app after preventing users from changing their profile pictures. It helps you easily upload user photos to Microsoft 365 so they appear in SharePoint, Exchange Online, Outlook on the web, Microsoft Teams, and virtually any Microsoft 365-connected application and service.
Additionally, the tool lets you automatically rotate and resize images so they always meet Microsoft 365 requirements for photos.
Download it here for free