Prevent Microsoft 365 Users From Changing Profile Photos Using PowerShell


In the corporate world, keeping Microsoft 365 profile pictures professional and upholding a unified visual identity is crucial for organizations. But there’s a catch: Microsoft lets users update their profile pictures, which is sometimes against company policy. Managing this can be challenging for admins, especially since the Microsoft 365 admin centers don’t offer a straightforward solution. But there’s hope! PowerShell comes to the rescue, offering a way to prevent Microsoft 365 users from changing their profile photos. Let’s dive in!

How to Prevent Microsoft 365 Users From Changing Profile Photos?

Let’s explore how admins can restrict M365 users from changing their profile photos using PowerShell. Before getting started, ensure you connect to the Exchange Online PowerShell module with the required permissions.

First, check the current OWA mailbox policy to see whether your users can update their profile photos in Microsoft 365 apps and services.

To do this, execute the “Get-OwaMailboxPolicy” cmdlet as shown below. This will help you determine what policy is applied and whether it allows users to change profile photos.

Get-OwaMailboxPolicy | Format-Table Name, SetPhotoEnabled

The default OWA mailbox policy allows users to change their Microsoft 365 profile pictures. Since we’ve confirmed this, let’s explore how to prevent users from changing their profile photos in four ways:

  1. Restrict a specific Microsoft 365 user from changing their profile picture.
  2. Block multiple users from updating their user profile photo.
  3. Block bulk users from uploading profile pictures (CSV input).
  4. Prevent all users from changing their profile photos.

1. Restrict a Specific Microsoft 365 User From Changing the Profile Picture

To restrict a single user from changing a profile picture, create a new OWA mailbox policy with the SetPhotoEnabled parameter set to false. Then, apply that OWA mailbox policy to the specific user whom you wish to block from updating profile photos.

You can create a policy with SetPhotoEnabled set to false by running the following cmdlet.

New-OwaMailboxPolicy "Restrict a Specific User from Changing Profile Photos" | Set-OwaMailboxPolicy -SetPhotoEnabled $false 


In this example, we have created a policy named “Restrict a Specific User from Changing Profile Photos.” Now, apply this policy to a specific user using the following cmdlet. Make sure to replace <UPN> with the user’s UPN before proceeding.

Set-CASMailbox -Identity "<UPN>" -OwaMailboxPolicy "Restrict a Specific User from Changing Profile Photos" 


2. Block Multiple Users From Updating Profile Photos in Microsoft 365

To block multiple users from changing their profile pictures, you can use the following PowerShell cmdlets. Before execution, make sure to enter their UPNs in the $users variable, separated by commas.

New-OwaMailboxPolicy "Block multiple users from updating M365 profile photos" | Set-OwaMailboxPolicy -SetPhotoEnabled $false
# Apply the policy to multiple users
$users = "<UPN1>","<UPN2>","<UPN3>"
foreach ($user in $users) {
    Set-CASMailbox -Identity $user -OWAMailboxPolicy "Block multiple users from updating M365 profile photos"
}

3. Restrict Bulk Users From Uploading Profile Pictures

To bulk update the restriction policy for uploading profile pictures, follow these steps:

1. Create a CSV file containing a ‘UserPrincipalName’ column.

2. Copy the path of this CSV file and use it in place of <FilePath> in the PowerShell script below, then execute the script.

New-OwaMailboxPolicy "NoPhotoPolicy" | Set-OwaMailboxPolicy -SetPhotoEnabled $false
# Get the list of users from the CSV file
$users = Import-Csv -Path "<FilePath>"
# Apply the policy to each user
foreach ($user in $users) {
    Set-CASMailbox -Identity $user.UserPrincipalName -OWAMailboxPolicy "NoPhotoPolicy"
}

The script creates a policy named “NoPhotoPolicy.” It then uses that policy to restrict the users mentioned in the CSV file from changing their profile pictures in the Microsoft 365 environment.
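
Because each mailbox can have only one OWA mailbox policy, assigning “NoPhotoPolicy” replaces whatever policy the mailbox had before. The following is an added example, not the original post’s script: a re-runnable variant of the CSV procedure that records each user’s previous policy for rollback and reports rows that fail. It assumes an active Exchange Online PowerShell session; $BackupPath and its file name are illustrative choices.

```powershell
# Added example. Assumes an active Exchange Online PowerShell session.
# $BackupPath is a hypothetical output file chosen for illustration.
$CsvPath    = "<FilePath>"
$PolicyName = "NoPhotoPolicy"
$BackupPath = ".\owa-policy-before.csv"

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}
Set-OwaMailboxPolicy -Identity $PolicyName -SetPhotoEnabled $false

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $upn = "$($row.UserPrincipalName)".Trim()
    if (-not $upn) { continue }   # skip blank rows or rows missing the column

    try {
        # Record the policy currently assigned before overwriting it.
        $before = Get-CASMailbox -Identity $upn -ErrorAction Stop
        Set-CASMailbox -Identity $upn -OwaMailboxPolicy $PolicyName -ErrorAction Stop
        [pscustomobject]@{
            UserPrincipalName = $upn
            PreviousPolicy    = $before.OwaMailboxPolicy
            Status            = "Applied"
        }
    }
    catch {
        # A mistyped or non-existent UPN lands here instead of stopping the run.
        [pscustomobject]@{
            UserPrincipalName = $upn
            PreviousPolicy    = $null
            Status            = "Failed: $($_.Exception.Message)"
        }
    }
}

# Keep the before-state so the change can be reviewed or reverted per user.
$results | Export-Csv -Path $BackupPath -NoTypeInformation
$results | Format-Table -AutoSize
```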

4. Prevent All Users From Changing Photos in Microsoft 365

To prevent all users from changing their profile pictures in Microsoft 365, use the “Set-OwaMailboxPolicy” cmdlet. Change the “SetPhotoEnabled” parameter to false to apply this restriction.

 Set-OwaMailboxPolicy "OwaMailboxPolicy-Default" -SetPhotoEnabled $false 

If users have other mailbox policies in place and you want to assign the default OwaMailboxPolicy to them, you can use the following PowerShell cmdlet. It reassigns every mailbox, replacing whichever policy each one had:

 Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy "OwaMailboxPolicy-Default" 


NOTE: Each mailbox can have only one OWA mailbox policy applied to it.

Thus, we’ve explored various methods to prevent Microsoft 365 users from changing their profile photos using PowerShell. As an administrator, you can always upload, change and manage Microsoft 365 user photos using MS Graph PowerShell.

Verify Users Restricted From Uploading Profile Pictures

Now that we’ve looked at the configurations, let’s see how to verify which users are restricted from uploading profile pictures. You can use the following cmdlet to check users who can’t change their profile pictures in Outlook and OWA.
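
One way to run this check, as an added example rather than the original post’s cmdlet: it joins each mailbox’s assigned OWA mailbox policy to that policy’s SetPhotoEnabled value and lists the mailboxes where it is false. It assumes an active Exchange Online PowerShell session and that a mailbox with no assigned policy falls under the policy flagged IsDefault.

```powershell
# Added example. Assumes an active Exchange Online PowerShell session.
# Map each OWA mailbox policy name to its SetPhotoEnabled value.
$policies = Get-OwaMailboxPolicy
$photoSetting = @{}
foreach ($p in $policies) { $photoSetting[$p.Name] = $p.SetPhotoEnabled }

# Assumption: a mailbox with no explicit assignment uses the default policy.
$defaultPolicy = ($policies | Where-Object { $_.IsDefault } | Select-Object -First 1).Name

$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $policyName = if ($_.OwaMailboxPolicy) { "$($_.OwaMailboxPolicy)" } else { $defaultPolicy }
    # Leave the value empty when the policy name cannot be resolved.
    $enabled = if ($policyName -and $photoSetting.ContainsKey($policyName)) {
        $photoSetting[$policyName]
    } else { $null }

    [pscustomobject]@{
        Mailbox          = $_.PrimarySmtpAddress
        OwaMailboxPolicy = $policyName
        SetPhotoEnabled  = $enabled
    }
}

# Mailboxes that cannot change their photo.
$report | Where-Object { $_.SetPhotoEnabled -eq $false } |
    Sort-Object Mailbox | Format-Table -AutoSize

# Mailboxes still allowed to change it, or whose policy could not be resolved.
$report | Where-Object { $_.SetPhotoEnabled -ne $false } |
    Sort-Object Mailbox | Format-Table -AutoSize
```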


Enforcing restrictions on the OWA mailbox policy applies to major services like MS Teams, SharePoint, Outlook, and Delve, effectively preventing Microsoft 365 users from changing their profile photos. To additionally verify, try changing the photo on Microsoft 365’s home page or other apps like Teams and SharePoint. These services won’t allow changing the user profile photo in Microsoft 365.

In Delve, for example, a restricted user who tries to change the photo gets the message ‘Can’t change the photo.’

However, users with access to Microsoft Entra ID (Azure AD) can still change their Microsoft Entra profile photos. Therefore, it is crucial to restrict user access to Azure AD to ensure that controls on uploading photos in Azure AD user profiles are enforced.

In conclusion, PowerShell offers a straightforward method for user profile photo management in Microsoft 365, ensuring that users cannot alter their profile pictures. This ensures a consistent and professional look across the organization while enhancing security. With these restrictions in place, you can also achieve the same profile picture quality across the organization. I hope this blog has helped you manage Microsoft 365 user profile pictures more effectively. For any queries, please reach out through the comments section.


by Shan time to read: 4 min