How to Control Updates for User Photos in Microsoft 365 Apps

Putting the Best Face on Every User

In April 2020, Microsoft introduced a policy to stop users being able to update their photo through the Teams client. More accurately, Teams adopted the SetPhotoEnabled setting in the Exchange Online OWA mailbox policy to control whether a user can update their photo. Since then, I have noticed a flood of questions (or complaints) from people asking why their attempts to upload a photo are “blocked by policy.” Of course, the answer is that it is, and they should talk to their tenant administrator to have their photo updated, but that’s seldom a welcome response.

Given that user photos show up in places as diverse as the GAL, the Office 365 profile card, and avatars in applications like SharePoint Online and Teams, it’s a good idea to make sure that appropriate photos are available for users. For example, if a user photo is available, Teams meetings show the photo on a user’s attendee card when their video feed is turned off instead of the more generic “two-initials in a circle” card (Figure 1).

Figure 1: The difference a user photo makes to an attendee card in a Teams meeting

Two Strategies

Organizations usually consider two approaches before deciding on a strategy for user photo management.

  • User-driven. While this strategy involves less work for administrators, it exposes the danger that some users might make less than suitable photo choices. It’s a poor choice for schools and other educational establishments.
  • Organization-driven. This strategy usually means that some tool updates user photos based on a repository such as HR data. The upside of the strategy is the high standard of user photos. The downside is the need to either write a tool or find one to do the job (like Code Two Software’s Photos for Office 365).

Of course, because OWA mailbox policies exert the control, you can run a hybrid strategy in which some users can update their photos and others cannot. To do this, deploy multiple OWA mailbox policies, some of which enable photo updates and some of which don’t.

The Role Played by Exchange Online

Exchange Online plays a key role in user photo management for other Microsoft 365 applications. The SetPhotoEnabled setting in the Exchange Online OWA mailbox policy assigned to the mailbox controls the ability for users to update their photo. By default, this setting is $False, meaning that users are unable to upload a photo from apps and their Office profile. Users barred by policy see a message such as “picture options are disabled by policy” if they try to change their photo. To allow users to upload and update their photos, either:

  • Update the OWA mailbox policies so that SetPhotoEnabled is $True in all policies, or:
  • Create or update an OWA mailbox policy with SetPhotoEnabled set to $True and assign this policy to the mailboxes of accounts you want to allow to upload photos.

For example, to update an OWA mailbox policy, run the Set-OWAMailboxPolicy cmdlet:

Set-OWAMailboxPolicy -Identity OWAFullAccess -SetPhotoEnabled $True

To assign an OWA mailbox policy to a mailbox, use the Set-CASMailbox cmdlet:

Set-CASMailbox -Identity Chris.Bishop -OWAMailboxPolicy OWAFullAccess

Changes to an OWA mailbox policy take up to 30 minutes before they are effective.

OWA mailbox policies in Exchange Online obviously don’t affect users with an on-premises Exchange mailbox. These users are therefore able to update their photos in apps like Teams.
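
Before changing or splitting policies, it helps to know which mailboxes can currently update their own photo. The following is an added example, not code from the original article. It assumes a connected Exchange Online PowerShell session, and the CSV output path is hypothetical.

```powershell
# Added example: report which mailboxes are allowed to change their own photo.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline).

# Read every OWA mailbox policy once and index SetPhotoEnabled by policy name
$Policies    = Get-OwaMailboxPolicy
$PolicyTable = @{}
foreach ($P in $Policies) { $PolicyTable[$P.Name] = [bool]$P.SetPhotoEnabled }

# Policy that applies when a mailbox has no policy assigned explicitly
$DefaultPolicy = ($Policies | Where-Object { $_.IsDefault } | Select-Object -First 1).Name

# Resolve the effective policy and photo setting for each mailbox
$Report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $Policy = [string]$_.OwaMailboxPolicy
    if ([string]::IsNullOrEmpty($Policy)) { $Policy = $DefaultPolicy }
    [PSCustomObject]@{
        Mailbox          = $_.PrimarySmtpAddress
        OwaMailboxPolicy = $Policy
        # $null means the policy name could not be matched and needs a manual check
        CanSetPhoto      = if ($Policy -and $PolicyTable.ContainsKey($Policy)) { $PolicyTable[$Policy] } else { $null }
    }
}

# Summary: number of mailboxes per policy and setting
$Report | Group-Object OwaMailboxPolicy, CanSetPhoto |
    Sort-Object Name | Format-Table Count, Name -AutoSize

# Detail: mailboxes that can upload their own photo (hypothetical output path)
$Report | Where-Object { $_.CanSetPhoto } |
    Export-Csv -Path .\PhotoUpdateAllowed.csv -NoTypeInformation
```

Because policy changes take up to 30 minutes to become effective, the report shows the configured state, which may be ahead of what users experience.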

Updating User Photos Programmatically

Several PowerShell cmdlets are available to administrators to update user photos.

  • The Exchange Online Set-UserPhoto cmdlet updates the photo data in a mailbox. Set-UserPhoto can also update a photo for a group mailbox (be sure to specify the GroupMailbox switch). You cannot use Set-UserPhoto to update other mail-enabled objects, like distribution lists or mail contacts. Photos loaded into Exchange Online are synchronized to other workloads, including SharePoint Online and Teams.
  • The Teams Set-TeamPicture cmdlet updates the image for a team. This is analogous to running Set-UserPhoto to update the photo for a group mailbox. In most cases, it’s best to use Set-UserPhoto to avoid the need to load another module. It’s a good idea to highlight important teams with an appropriate image which conveys the purpose of the team.
  • The Azure AD Set-AzureADUserThumbnailPhoto cmdlet writes photo data to an Azure AD user account. Use this cmdlet when you wish to update photo data for an Azure AD account which doesn’t have an Exchange Online mailbox, like guest accounts. As the cmdlet name suggests, the cmdlet processes thumbnail (small) photos. It does not generate the larger size photos which look better in Teams meetings. For this reason, always use Set-UserPhoto to upload photos for tenant accounts.

Exchange Online and Azure AD synchronize photo data to make sure that user accounts have the latest picture. After a short delay to allow the apps to refresh their caches, an updated photo will be active across the ecosystem.

Teams owners can change the picture for a team by clicking the existing picture and uploading a new file (Figure 2). Group owners can do the same for Microsoft 365 groups by editing group properties in OWA’s Manage groups section. In both cases, the picture data is in the group mailbox and will synchronize to other apps.

Figure 2: Updating the photo for a team

Image files for user photos can be JPEG or PNG format and should be:

  • Resolution: 648 x 648 pixels. This is the largest resolution supported. Behind the scenes, Exchange Online generates smaller 64 x 64 and 96 x 96-pixel thumbnails for apps to use when small thumbnails are appropriate. Most digital photos are much larger (in pixels) so some resizing is needed. Square photos are best as they won’t be cropped. Usually, best results are obtained when the user faces directly into the camera.
  • Size: Less than 500 KB.

Although it can take 30 seconds or more to update a picture for a mailbox, running Set-UserPhoto is simple:

Set-UserPhoto -Identity Chris.Bishop@office365itpros.com -PictureData ([System.IO.File]::ReadAllBytes("c:\Temp\ChrisBishop.jpg")) -Confirm:$False

If you want to check if a mailbox already has a picture (to avoid overwriting it), use the Get-UserPhoto cmdlet. This cmdlet returns $Null if the mailbox has no photo. Remember to include the GroupMailbox switch if checking a group mailbox (including team-enabled groups).

If (Get-UserPhoto -Identity Chris.Bishop@Office365Itpros.com) {Write-Host "Chris has a photo"}

If you make a mistake and upload the wrong image, you can restart by removing the image with the Remove-UserPhoto cmdlet:

Remove-UserPhoto -Identity Chris.Bishop@office365itpros.com -Confirm:$False

An example of how to scan user mailboxes to find mailboxes without photos can be downloaded from GitHub.
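
For an organization-driven process, the checks above can be combined into one pass that validates each image against the stated limits and never overwrites an existing photo. This is an added example, not the article's code or the GitHub script it mentions. It assumes Windows PowerShell with a connected Exchange Online session, and the folder path and the file naming scheme (UserPrincipalName.jpg or .png) are hypothetical.

```powershell
# Added example. Folder path and <UserPrincipalName>.<ext> naming are assumptions.
Add-Type -AssemblyName System.Drawing
$PhotoFolder = "C:\Temp\Photos"   # hypothetical folder of photos to load
$MaxBytes    = 500KB              # size limit stated in the article
$MaxPixels   = 648                # largest supported resolution stated in the article

function Test-PhotoFile {
    # Returns $null when the file is acceptable, otherwise the reason for rejection
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    if ($File.Length -ge $MaxBytes) { return "size is $($File.Length) bytes (must be less than 500 KB)" }
    $Bytes = [System.IO.File]::ReadAllBytes($File.FullName)
    # Check the file signature instead of trusting the extension: JPEG or PNG only
    $Signature = ($Bytes | Select-Object -First 8 | ForEach-Object { $_.ToString("X2") }) -join ""
    if ($Signature -notmatch '^(FFD8FF|89504E470D0A1A0A)') { return "content is not JPEG or PNG" }
    try {
        $Stream = [System.IO.MemoryStream]::new($Bytes)
        $Image  = [System.Drawing.Image]::FromStream($Stream)
    } catch { return "image data cannot be decoded" }
    try {
        if ($Image.Width -gt $MaxPixels -or $Image.Height -gt $MaxPixels) {
            return "dimensions are $($Image.Width) x $($Image.Height) (resize to 648 x 648 or smaller)"
        }
        if ($Image.Width -ne $Image.Height) { Write-Warning "$($File.Name) is not square and may be cropped" }
    } finally { $Image.Dispose(); $Stream.Dispose() }
    return $null
}

$Files = Get-ChildItem -Path $PhotoFolder -File |
    Where-Object { $_.Extension -in ".jpg", ".jpeg", ".png" }
foreach ($File in $Files) {
    $Upn     = $File.BaseName
    $Problem = Test-PhotoFile -File $File
    if ($Problem) { Write-Warning "Skipping ${Upn}: $Problem"; continue }
    # Leave mailboxes that already have a photo untouched
    if (Get-UserPhoto -Identity $Upn -ErrorAction SilentlyContinue) {
        Write-Host "$Upn already has a photo; not overwriting"
        continue
    }
    try {
        Set-UserPhoto -Identity $Upn -PictureData ([System.IO.File]::ReadAllBytes($File.FullName)) `
            -Confirm:$False -ErrorAction Stop
        Write-Host "Photo uploaded for $Upn"
    } catch { Write-Warning "Upload failed for ${Upn}: $($_.Exception.Message)" }
}
```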

The Personal Side of Users

User photos are extremely personal, and it should come as no surprise that people are upset when they cannot change their image. If you decide to clamp down on user-initiated photo updates, perhaps it might be a good idea to create a process to allow users to request photo changes. It might just keep people happier.
