The New Microsoft 365 Photo Update Settings Policy for User Profile Photos
Photo Update Settings Policy is Long-term Unified Replacement for Other Controls
Given the historical foundation of Microsoft 365 in several on-premises applications, it probably wasn’t surprising that we ended up with a confusing mish-mash of routes by which it was possible to update the profile photos for user accounts through SharePoint, Exchange, Teams, Delve, PowerShell, and so on. Looking back, it took a surprising amount of time before Microsoft acknowledged that the situation was untenable.
A new approach that worked across Microsoft 365 was necessary. That process began in October 2023 with the retirement of the Exchange Online cmdlets to update photos for mailboxes. The foundation for the new approach was a set of Graph APIs surfaced as cmdlets in the Microsoft Graph PowerShell SDK, like Set-MgUserPhotoContent.
A New Photo Update Settings Policy to Control User Profile Updates
In June 2024, Microsoft introduced a new Entra ID policy based on the photoUpdateSettings resource to control who can update photos and the allowed sources for updates. Managing the photo update settings policy requires the PeopleSettings.ReadWrite.All scope, and the resource is currently exposed only through the beta endpoint. The settings for a tenant can be retrieved as follows:
$Uri = "https://graph.microsoft.com/beta/admin/people/photoupdatesettings"
$Settings = Invoke-MgGraphRequest -Uri $Uri -Method Get
$Settings

Name           Value
----           -----
allowedRoles   {}
@odata.context https://graph.microsoft.com/beta/$metadata#admin/people/photoUpdateSettings/$entity
source
The settings shown above are the default. The supported values are described in the photoUpdateSettings documentation.
Controlling From Where Photos Can Be Updated
The source for photo updates can be undefined, meaning that photo updates can be sourced from applications running in either the cloud or on-premises (synchronized to Entra ID from Active Directory). Alternatively, you can set the source to be either cloud or on-premises. For example, to update the settings so that photo changes are only possible through cloud applications, create a hash table with a single item to change the source to cloud and use the hash table as the payload to patch the policy:
$Body = @{}
$Body.Add("source", "cloud")
$Settings = Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Body
Like any update to an Entra ID policy, it can take 24 hours before the policy update is effective across a tenant.
Controlling Who Can Update Photos
By default, any user can update the photo for their account and the value for AllowedRoles is blank. If you want to restrict who can update photos, you can select one or more directory roles and include the GUIDs for these roles in the AllowedRoles property (a string collection).
The roles defined in AllowedRoles must hold the permission to set user photos. In Graph terms, these permissions are either microsoft.directory/users/photo/update or microsoft.directory/users/allProperties/allTasks (only held by the Global administrator role). The following roles can be used:
Directory writers (9360feb5-f418-4baa-8175-e2a00bac4301).
Intune administrator (3a2c62db-5318-420d-8d74-23affee5d9d5).
Partner Tier1 Support (4ba39ca4-527c-499a-b93d-d9b492c50246) – not intended for general use.
Partner Tier2 Support (e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8) – not intended for general use.
User administrator (fe930be7-5e62-47db-91af-98c3a49a38b1).
Global administrator (62e90394-69f5-4237-9190-012177145e10).
All are privileged roles, meaning that these are roles that enjoy a heightened level of access to sensitive information.
To update the photo settings policy to confine updates to specific roles, put the GUIDs of the selected roles in an array. AllowedRoles is a string collection, so the payload must carry the GUIDs as a JSON array rather than as the keys of an object. Create a hash table to hold the payload, include the array of roles, and patch the policy.
# Role template IDs for Global administrator and User administrator
$Roles = @(
    "62e90394-69f5-4237-9190-012177145e10",
    "fe930be7-5e62-47db-91af-98c3a49a38b1"
)
$Body = @{}
$Body.Add("allowedRoles", $Roles)   # serialized as "allowedRoles": ["...", "..."]
$Settings = Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Body
To reverse the restriction by removing the roles, run this code:
$Body = '{
"allowedRoles": []
}'
$Settings = Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Body
Limiting photo updates to the User administrator and Global administrator roles means that, after the new policy percolates throughout the tenant, any account that doesn't hold one of the specified roles cannot change its profile photo.
The Teams client is probably the best example of how clients currently handle the new policy, and the implementation is not yet optimal. When the block on photo updates comes from an OWA mailbox policy, Teams tells the user up front that administrative restrictions prevent photo updates. When the photo update settings policy restricts updates to specific roles, Teams lets the user go through the whole process of selecting and uploading a photo before the update fails (Figure 1).
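The following script, added here as an example and not part of the original post, ties the two settings described above together. It resolves role display names to template IDs with Get-MgRoleManagementDirectoryRoleDefinition, checks that each role actually carries one of the two photo-update actions listed earlier, sends allowedRoles as a JSON array (the string collection the API documents), and reads the policy back so the result can be verified instead of assumed. The function names (Get-PhotoUpdatePolicy, Resolve-PhotoUpdateRole, Set-PhotoUpdatePolicy) are my own, and the script assumes a Graph SDK session with the RoleManagement.Read.Directory scope in addition to PeopleSettings.ReadWrite.All.

```powershell
# Added example (not code from the original post). Assumes the Microsoft Graph
# PowerShell SDK and a session holding the two scopes requested below.
Connect-MgGraph -Scopes 'PeopleSettings.ReadWrite.All', 'RoleManagement.Read.Directory' -NoWelcome

$Uri = 'https://graph.microsoft.com/beta/admin/people/photoupdatesettings'

# Either of these resource actions lets a role set user photos
$PhotoActions = @(
    'microsoft.directory/users/photo/update',
    'microsoft.directory/users/allProperties/allTasks'
)

function Get-PhotoUpdatePolicy {
    # Read the policy and translate role template IDs back to display names
    $Settings = Invoke-MgGraphRequest -Uri $Uri -Method Get
    $Names = foreach ($Id in $Settings.allowedRoles) {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $Id).DisplayName
    }
    [PSCustomObject]@{
        Source       = $Settings.source
        AllowedRoles = @($Settings.allowedRoles)
        RoleNames    = @($Names)
    }
}

function Resolve-PhotoUpdateRole {
    param([Parameter(Mandatory)][string[]]$DisplayName)
    # Map each display name to its role definition ID (the template ID for
    # built-in roles) and reject roles that cannot set user photos
    foreach ($Name in $DisplayName) {
        $Role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$Name'"
        if (-not $Role) { throw "Role '$Name' was not found in the tenant" }
        $Actions = $Role.RolePermissions.AllowedResourceActions
        if (-not ($Actions | Where-Object { $_ -in $PhotoActions })) {
            throw "Role '$Name' holds no photo-update permission and cannot be used in allowedRoles"
        }
        $Role.Id
    }
}

function Set-PhotoUpdatePolicy {
    param(
        [ValidateSet('cloud', 'onPremises')][string]$Source,
        [string[]]$AllowedRoleNames,
        [switch]$ClearRoles
    )
    $Body = @{}
    if ($Source)           { $Body['source'] = $Source }
    if ($AllowedRoleNames) { $Body['allowedRoles'] = @(Resolve-PhotoUpdateRole -DisplayName $AllowedRoleNames) }
    if ($ClearRoles)       { $Body['allowedRoles'] = @() }   # empty collection restores the default
    if ($Body.Count -eq 0) { throw 'Nothing to change: pass -Source, -AllowedRoleNames or -ClearRoles' }

    # Serialize explicitly so allowedRoles is always sent as a JSON array
    $Json = $Body | ConvertTo-Json -Depth 3 -Compress
    Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Json -ContentType 'application/json' | Out-Null

    # Read back what the service stored rather than trusting the request
    Get-PhotoUpdatePolicy
}

# Confine photo updates to cloud apps and to User and Global administrators
Set-PhotoUpdatePolicy -Source cloud -AllowedRoleNames 'User Administrator', 'Global Administrator'

# Lift the role restriction again (source stays as set)
Set-PhotoUpdatePolicy -ClearRoles
```

The read-back at the end shows what Graph stored, not what will be enforced immediately: as noted above, clients can take up to 24 hours to honour the change, so a user who can still upload a photo right after the patch is not evidence that the policy failed.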
Figure 1: A failure to update a profile photo due to policy restrictions
An Early Implementation of the Photo Update Settings Policy
This kind of thing happens in the early stages of implementation. It will take time for Microsoft to update clients to allow and block profile updates based on the photo settings policy. And it will take time for tenants to move from the previous block imposed by OWA mailbox policies. In doing so, you’ll notice that the only restriction supported by the new policy is through roles. The OWA mailbox policy setting allows per-user control and multiple policies can exist within a tenant. We’re therefore heading to a less granular policy.
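Before leaning on the new policy, it helps to know which mailboxes are still covered by the older block. The inventory below is an added example, not code from the original post. It assumes the Exchange Online Management module and relies on the SetPhotoEnabled property of OWA mailbox policies and on the OwaMailboxPolicy assignment reported by Get-CASMailbox; the output file name is my own choice.

```powershell
# Added example (not code from the original post). Lists OWA mailbox policies
# that still block photo updates and the mailboxes each one applies to.
Connect-ExchangeOnline -ShowBanner:$false

# SetPhotoEnabled = $false is the "old" block discussed above
$Policies = Get-OwaMailboxPolicy
$Blocking = $Policies | Where-Object { -not $_.SetPhotoEnabled } | Select-Object -ExpandProperty Name

if (-not $Blocking) {
    Write-Host 'No OWA mailbox policy blocks photo updates; only the photo update settings policy applies.'
    return
}

# Mailboxes without an explicit assignment fall under the default policy,
# so substitute its name instead of dropping them from the report
$Default = ($Policies | Where-Object IsDefault).Name

$Report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $PolicyName = if ($_.OwaMailboxPolicy) { "$($_.OwaMailboxPolicy)" } else { $Default }
    [PSCustomObject]@{
        Mailbox = $_.PrimarySmtpAddress
        Policy  = $PolicyName
    }
} | Where-Object { $_.Policy -in $Blocking }

# Summary per policy, plus a per-mailbox CSV for the migration work
$Report | Group-Object Policy | Select-Object Name, Count | Format-Table -AutoSize
$Report | Export-Csv -Path .\OwaPhotoBlock.csv -NoTypeInformation
```

Mailboxes in this list are blocked by per-user policy today; once the tenant relies on the role-based photo update settings policy instead, these are the assignments to review, because the two mechanisms apply at the same time and the OWA block wins wherever it is still set.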
Maybe a less granular mechanism will be acceptable if it helps with the rationalization of photo updates across Microsoft 365. However, I can’t help thinking that this is a retrograde step. Perhaps Microsoft will address the need for more granular control through Entra ID administrative units, which seems to be the answer for this kind of requirement everywhere else in Entra ID.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.