How to Block Users from Updating Their Photo in Teams

Also, Microsoft Updates Teams to Allow Organizers to End Meetings

Some interesting responses to customer requests have appeared on Teams User Voice recently. Apart from the first acknowledgement that Teams will add extra participants to the video view for meetings, now confirmed to be a 3 x 3 view with an expanded view coming, the Teams developers have moved to close off two irritations.

Block Teams Users from Changing Their Account Picture

First, they’re bringing back the feature that existed in Skype for Business Online where the SetPhotoEnabled setting in the Exchange Online OWA Mailbox policy assigned to accounts controls whether users can change the avatar (picture) in Teams settings (Figure 1).

Where to change an account picture in Teams settings
Figure 1: Where to change an account picture in Teams settings

Although it might not seem a big thing to stop users updating their photos, changing the user picture in Teams creates a ripple effect as the picture is updated for all Office 365 apps.

Updating and Assigning a OWA Mailbox Policy to Block Photo Upload

According to Office 365 notification MC209349, this change will roll out in mid-April. When the update is available in a tenant, if you want to block users from updating their picture, you’ll have to change the value for the SetPhotoEnabled setting to False in existing OWA mailbox policies. Alternatively, you can create a new OWA mailbox policy, update it with the setting, and assign it to selected mailboxes. Here’s how to update a policy and assign it to a mailbox:

Set-OWAMailboxPolicy -Identity "OWAMailboxPolicy-Default" -SetPhotoEnabled $False
Set-CASMailbox -Identity Kim.Akers -OwaMailboxPolicy OWAMailboxPolicy-Default

When the new policy is in place, users won’t be able to update their photo anywhere in Office 365 (for instance, in the Personal Info page).

Guest User Photos

Guest users don’t get to change their picture. However, administrators can do this by uploading pictures to guest user accounts. You can even use PowerShell to assign a default picture to all guests in a tenant.

Organizers Can End Teams Meetings

Teams meetings last until the last user has left the meeting (if the meeting is recorded, the recording lasts a maximum of four hours). I often forget to stop meetings that I organize and only realize the fact when I switch tenants (this automatically terminates calls).

Microsoft has recently satisfied the user request to allow organizers to terminate meetings. The request is:

People should not have to manually leave meetings in order for them to end. We have had several people forget to manually leave meetings, and the channel continues to show that a meeting is in progress when in fact it has ended.

On April 9, Microsoft announced that the ability for organizers to terminate meetings was being distributed to tenants. Organizers should see the End meeting option in the meeting menu now (Figure 2).

Ending a Teams meeting
Figure 2: Ending a Teams meeting

Lots of changes are happening in Teams right now. Stay up to date with important developments by subscribing to the Office 365 for IT Pros eBook.

17 Replies to “How to Block Users from Updating Their Photo in Teams”

  1. In the Office 365 notification, they also mention changes to the global Teams policies. I am happy with the way they are set right now. E.g. I allow anonymous people to start the meeting and allow everyone to bypass the lobby.

    If I understand this correctly, this policy will be changed and I have to check daily if that update has been applied to my tenant and revert it. Or is there a way to block the change or some other option?

    If that info is in the book, please feel free to point me there, I must have missed it 🙂

    1. The information isn’t in the book… I’m not sure how Microsoft will handle the policy update. I believe they’ll leave a policy that has non-default values alone because a tenant has made a decision to change the policy (like you). At least, I hope they will…

    2. I asked… and Microsoft confirmed that the policy update will not apply if you have made changes to the meetings global policy.

  2. Any idea if this update has pushed to the GCC High Tenant? I’m having the same issue. I tested setting the policy which works for OWA but I can still go into teams and change the photo and it then populates to owa and everywhere else.

  3. So I have done this in a test environment because a client is requesting that this be stopped. I set the value to false and assigned it to my profile. When going into Teams from the fat client I am still able to update my profile picture. Is there something I missed or will this only apply if the users are using the web client?

    1. Nevermind. Took time to propagate apparently. Ok. Next question. Does this policy need to be assigned by user or can it be assigned by group?

      1. Do you mean an OWA mailbox policy? If so, it’s easy to assign this by group in PowerShell. Set up a group, retrieve its membership, and run Set-CASMailbox to assign the policy to each mailbox.

    1. The OWA mailbox policy controls the user ability to update photos, so you could create a DL of users you want to allow/block and then assign a relevant OWA mailbox policy to the members of the DL.

  4. We still have Exchange 2016 on premise and have recently disabled OWA due to security concerns. How can user update their profile picture in O365 with OWA disabled? If you go to your profile in Delve the following message appears: “Can’t change photo
    Your profile photo was provided by your IT or human resources department. To change your photo, contact them or your admin. Learn more”

  5. There must be more backdoors to upload/chage profile picture in O365. We have Picture upload blocked in our tenant via OWA policy, Remote PS is blocked for All users and Picture property is set to False in SPO Online profile Policy, Access to Azure portal /AAD is also blocked . But users are still able to upload the pics through some other method and we are struggling to determine the backdoor. Recently We noticed Though Access to Azure portal/AAD is blocked for our regular users but anyone can access Azure Entra portal ( to change the profile picture OR upload a new one. We called Microsoft and reported the same. They appreciated the effort to report this backdoor and said product enginering is looking into this matter. This method to upload profile pic is also not capturing the events in audit logs which is another issue. The problem is how many more backdoors might have for users to change/upload pictures?

    1. Well, if people can write some PowerShell or Graph code, they can update pictures. It’s all down to apps to block the ability to update photos through their UIs, including the admin portals.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.