How to Update Your Azure AD Guest Account Photo in Another Microsoft 365 Tenant

Posted on by Tony Redmond

Self-Service Photo Updates

It’s easy for tenant administrators to add photos for guest accounts using the Azure AD portal. They can also run the Set-AzureADUserThumbnailPhoto cmdlet to do the same job. The difference is that apps can display Azure AD guest photos where otherwise they’d show the default initials (Figure 1).

Initials or photo - which is a better way to recognize a guest?
Figure 1: Initials or photo – which is a better way to recognize a guest?

What isn’t easy is for people who have guest accounts in other Microsoft 365 tenants to update their photo without administrator intervention. Microsoft blocks guest users from the features built into apps like Teams to allow users to update their photos, probably because guest accounts are not subject to the OWA mailbox policies which control this feature for tenant accounts.

Then MVP Yannick Reekmans published a blog to explain how he used the Azure AD portal to update a guest account in another tenant. The article explains how to find the GUID of the guest account in the target tenant and how to use the GUID to update the account. The method certainly works, but it’s a tad overcomplicated for my taste.

PowerShell makes the task very easy. Here’s how to do the job in three steps.

Sign into the Target Tenant

The key to this method is to use cmdlets in the Azure AD or Azure AD Preview modules. Make sure to download and install one of these modules on your workstation. Then, run the Connect-AzureAD cmdlet to connect to the service domain of the target tenant.

The service domain is the sub-domain in onmicrosoft.com used by the tenant. For example, to connect to the Office365ITPros.com tenant, we’d use the command:

Connect-AzureAD -Tenant Office365ITPros.onmicrosoft.com

Azure AD prompts you to authenticate. Use your normal account and sign in with its password (and MFA, if required by the tenant). Your normal account connects to the guest account, so when you authenticate, you use the guest account to access the target tenant. If you don’t know the service domain for the target tenant, use the What’s My Tenant ID site to find tenant GUID and use it to sign in. For example:

Connect-AzureAD -Tenant 72f988bf-86f1-41af-91ab-2d7cdxab647

Then run the Get-AzureADTenantDetail cmdlet and examine the VerifiedDomains property to find the service domain.

(Get-AzureADTenantDetail | Select-Object -ExpandProperty VerifiedDomains | Where-Object {$_.name -match "onmicrosoft"}).Name

Figure Out the User Principal Name

You can reference Azure AD accounts with the GUID (object identifier) or user principal name (UPN). The UPN is usually easier to figure out because it follows a set format. For instance, the guest account for the account with UPN Tony.Redmond@office365itpros.com is:

tony.redmond_office365itpros.com#EXT#@xxxxx.onmicrosoft.com

Where “xxxxx” is the name of the target tenant.

To make things easier, we put the UPN into a variable:

$UPN = "tony.redmond_office365itpros.com#EXT#@xxxxx.onmicrosoft.com"

Update the Photo for the Guest Account

Azure AD needs a suitable photo file (JPEG or PNG) to update a user’s image. Unlike Exchange Online, which stores a higher resolution form of photo data for use by Microsoft 365 apps, Azure AD stores only small thumbnail images. These images are acceptable for the small photos seen in Teams conversations or in browser menu bars, but not for attendee cards used in Teams meetings, so they do not appear everywhere within Microsoft 365.

The maximum size of the input file is 100 KB. I’ve had good results with square photos measuring 500 x 500 pixels. You might have to play with a photo editor to create a good photo of the right size, but once you have one, you can write it into Azure AD using the Set-AzureADUserThumbnailPhoto cmdlet:

Set-AzureADUserThumbNailPhoto -ObjectId $UPN -FilePath c:\temp\MyPhoto.jpg

If you don’t see an error, you know Azure AD is happy with the photo. To check, you can run the Get-AzureADUserThumbnailPhoto cmdlet. Any response is good:

Get-AzureADUserThumbnailPhoto -ObjectId $UPN

Tag                  :
PhysicalDimension    : {Width=500, Height=500}
Size                 : {Width=500, Height=500}
Width                : 500
Height               : 500
HorizontalResolution : 95.9866
VerticalResolution   : 95.9866
Flags                : 77842
RawFormat            : [ImageFormat: b96b3caf-0728-11d3-9d7b-0000f81ef32e]
PixelFormat          : Format32bppArgb
Palette              : System.Drawing.Imaging.ColorPalette
FrameDimensionsList  : {7462dc86-6180-4c7e-8e3f-ee7333a7a483}
PropertyIdList       : {769, 305, 20752, 20753...}
PropertyItems        : {769, 305, 20752, 20753...}

Like any operation involving photo manipulation for Azure AD accounts, it takes some time for applications to refresh their caches and pick up new photos. You should expect that this will happen within a day. And once it does, you’ll see your bright smiling face in places where only your initials were before (Figure 2).

Teams displays photos for a guest user when listing channel conversations
Figure 2: Teams displays photos for a guest user when listing channel conversations

And then all you need to do is to rinse and repeat the process for every tenant where you have a guest account (possibly some of which you have forgotten). For whatever reason, some tenants always seem to be slower than others to respect photo updates. I have no idea why this happens. Stay patient and the photos should turn up eventually.

Not Too Much for Administrators to Worry About

It’s good when guest accounts have photos. People like to know with whom they collaborate, and a photo is a much better reminder of a person than their initials can ever be. Tenant administrators might be concerned that guest users can sign into their tenant to update their photos. It’s true that guests could exploit this technique to display an inappropriate image. If they do, I’m sure that action will follow quickly, just like it would if a tenant user selected a distasteful photo. Another concern might be that guests might be able to update other account properties, like the display name. Much as I would like to do this, I haven’t been able to in any of the tenants where I tried. Azure AD allows me to update my photo but stops me doing anything else to my guest account. Which is how it should be.

Need to know more about managing guest accounts in an Office 365 tenant? The Office 365 for IT Pros eBook is packed full of advice and guidance on this and many other topics.

6 Replies to “How to Update Your Azure AD Guest Account Photo in Another Microsoft 365 Tenant”

    1. You can only upload a photo using the technique described here if you have a guest account in another tenant. If you want to update the photo for your account in your home tenant, there are other ways (modified form of this PowerShell, OWA, Teams, etc.)

      Reply
  2. Pingback: SharePoint Online Embraces Azure B2B Collaboration for External Sharing - Office 365 for IT Pros

  3. To check the thumbnail you need the $userid variable set.
    This command helps
    Get-AzureADUser -ObjectId $UPN

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.