Block Teams Users from Changing Their Account Picture
First, they’re bringing back the feature that existed in Skype for Business Online where the SetPhotoEnabled setting in the Exchange Online OWA Mailbox policy assigned to accounts controls whether users can change the avatar (picture) in Teams settings (Figure 1).
Figure 1: Where to change an account picture in Teams settings
Although it might not seem a big thing to stop users updating their photos, changing the user picture in Teams creates a ripple effect as the picture is updated for all Office 365 apps.
Updating and Assigning a OWA Mailbox Policy to Block Photo Upload
According to Office 365 notification MC209349, this change will roll out in mid-April. When the update is available in a tenant, if you want to block users from updating their picture, you’ll have to change the value for the SetPhotoEnabled setting to False in existing OWA mailbox policies. Alternatively, you can create a new OWA mailbox policy, update it with the setting, and assign it to selected mailboxes. Here’s how to update a policy and assign it to a mailbox:
Teams meetings last until the last user has left the meeting (if the meeting is recorded, the recording lasts a maximum of four hours). I often forget to stop meetings that I organize and only realize the fact when I switch tenants (this automatically terminates calls).
People should not have to manually leave meetings in order for them to end. We have had several people forget to manually leave meetings, and the channel continues to show that a meeting is in progress when in fact it has ended.
On April 9, Microsoft announced that the ability for organizers to terminate meetings was being distributed to tenants. Organizers should see the End meeting option in the meeting menu now (Figure 2).
Figure 2: Ending a Teams meeting
Lots of changes are happening in Teams right now. Stay up to date with important developments by subscribing to the Office 365 for IT Pros eBook.
17 Replies to “How to Block Users from Updating Their Photo in Teams”
In the Office 365 notification, they also mention changes to the global Teams policies. I am happy with the way they are set right now. E.g. I allow anonymous people to start the meeting and allow everyone to bypass the lobby.
If I understand this correctly, this policy will be changed and I have to check daily if that update has been applied to my tenant and revert it. Or is there a way to block the change or some other option?
If that info is in the book, please feel free to point me there, I must have missed it 🙂
The information isn’t in the book… I’m not sure how Microsoft will handle the policy update. I believe they’ll leave a policy that has non-default values alone because a tenant has made a decision to change the policy (like you). At least, I hope they will…
Any idea if this update has pushed to the GCC High Tenant? I’m having the same issue. I tested setting the policy which works for OWA but I can still go into teams and change the photo and it then populates to owa and everywhere else.
So I have done this in a test environment because a client is requesting that this be stopped. I set the value to false and assigned it to my profile. When going into Teams from the fat client I am still able to update my profile picture. Is there something I missed or will this only apply if the users are using the web client?
Do you mean an OWA mailbox policy? If so, it’s easy to assign this by group in PowerShell. Set up a group, retrieve its membership, and run Set-CASMailbox to assign the policy to each mailbox.
The OWA mailbox policy controls the user ability to update photos, so you could create a DL of users you want to allow/block and then assign a relevant OWA mailbox policy to the members of the DL.
We still have Exchange 2016 on premise and have recently disabled OWA due to security concerns. How can user update their profile picture in O365 with OWA disabled? If you go to your profile in Delve the following message appears: “Can’t change photo
Your profile photo was provided by your IT or human resources department. To change your photo, contact them or your admin. Learn more”
There must be more backdoors to upload/chage profile picture in O365. We have Picture upload blocked in our tenant via OWA policy, Remote PS is blocked for All users and Picture property is set to False in SPO Online profile Policy, Access to Azure portal /AAD is also blocked . But users are still able to upload the pics through some other method and we are struggling to determine the backdoor. Recently We noticed Though Access to Azure portal/AAD is blocked for our regular users but anyone can access Azure Entra portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers) to change the profile picture OR upload a new one. We called Microsoft and reported the same. They appreciated the effort to report this backdoor and said product enginering is looking into this matter. This method to upload profile pic is also not capturing the events in audit logs which is another issue. The problem is how many more backdoors might have for users to change/upload pictures?
Well, if people can write some PowerShell or Graph code, they can update pictures. It’s all down to apps to block the ability to update photos through their UIs, including the admin portals.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
In the Office 365 notification, they also mention changes to the global Teams policies. I am happy with the way they are set right now. E.g. I allow anonymous people to start the meeting and allow everyone to bypass the lobby.
If I understand this correctly, this policy will be changed and I have to check daily if that update has been applied to my tenant and revert it. Or is there a way to block the change or some other option?
If that info is in the book, please feel free to point me there, I must have missed it 🙂
The information isn’t in the book… I’m not sure how Microsoft will handle the policy update. I believe they’ll leave a policy that has non-default values alone because a tenant has made a decision to change the policy (like you). At least, I hope they will…
I asked… and Microsoft confirmed that the policy update will not apply if you have made changes to the meetings global policy.
Thank for investigating, that’s one thing less to worry about 🙂
Damn, did the the reply vs. new post blunder we all new from teams 😅
Any idea if this update has pushed to the GCC High Tenant? I’m having the same issue. I tested setting the policy which works for OWA but I can still go into teams and change the photo and it then populates to owa and everywhere else.
I don’t know if this is in GCC high. You could ask Microsoft…
So I have done this in a test environment because a client is requesting that this be stopped. I set the value to false and assigned it to my profile. When going into Teams from the fat client I am still able to update my profile picture. Is there something I missed or will this only apply if the users are using the web client?
Nevermind. Took time to propagate apparently. Ok. Next question. Does this policy need to be assigned by user or can it be assigned by group?
Do you mean an OWA mailbox policy? If so, it’s easy to assign this by group in PowerShell. Set up a group, retrieve its membership, and run Set-CASMailbox to assign the policy to each mailbox.
Is there a command that restricts / allows user pictures at OU or DL level?
The OWA mailbox policy controls the user ability to update photos, so you could create a DL of users you want to allow/block and then assign a relevant OWA mailbox policy to the members of the DL.
We still have Exchange 2016 on premise and have recently disabled OWA due to security concerns. How can user update their profile picture in O365 with OWA disabled? If you go to your profile in Delve the following message appears: “Can’t change photo
Your profile photo was provided by your IT or human resources department. To change your photo, contact them or your admin. Learn more”
Maybe you’ll have to do this for users by running the Set-UserPhoto cmdlet?
There must be more backdoors to upload/chage profile picture in O365. We have Picture upload blocked in our tenant via OWA policy, Remote PS is blocked for All users and Picture property is set to False in SPO Online profile Policy, Access to Azure portal /AAD is also blocked . But users are still able to upload the pics through some other method and we are struggling to determine the backdoor. Recently We noticed Though Access to Azure portal/AAD is blocked for our regular users but anyone can access Azure Entra portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers) to change the profile picture OR upload a new one. We called Microsoft and reported the same. They appreciated the effort to report this backdoor and said product enginering is looking into this matter. This method to upload profile pic is also not capturing the events in audit logs which is another issue. The problem is how many more backdoors might have for users to change/upload pictures?
Well, if people can write some PowerShell or Graph code, they can update pictures. It’s all down to apps to block the ability to update photos through their UIs, including the admin portals.