Update: This post was updated on July 22, 2020.
When you set up user photos in Microsoft 365 (Office 365), they propagate through the whole Microsoft 365 tenant and apps integrated with Azure AD. This means that they are displayed in Outlook, Teams, SharePoint, and more. By default, any user can change their photo to anything they like. This might be a problem for admins who want to keep everything in order. In this article, I’ll show you why and how to block users from changing their photos in Microsoft 365.

Why to prevent users fromchanging photos in Microsoft 365?
The mostimportant reason to lock the ability of users to change their profile photos isto ensure a unified visual identity. If you don’t restrict permissions, anyuser can overwrite the photo that you (the admin) set up for them in Microsoft365 to comply with your organization’s guidelines. When users control theirprofile pictures, it’s impossible to maintain the same quality across the wholeorganization. What’s more, since users can change their photos from a few differentplaces, they might end up having different photos in various Microsoft 365 apps(photos can take up to 72 hours to sync or can run into sync issues). That’swhy setting restrictions on user profile photo management in Microsoft 365 iscrucial for many companies.
Where can users changetheir profile photo?
Thechallenging part with preventing users from changing their Office/Microsoft 365photos is that users can change them from more than one place independently:
Delve:

Microsoft365 profile:

SharePointOnline

MicrosoftTeams:

Luckily, since April 2020 Microsoft Teams honor the Outlook on the web (OWA) policy settings, so there are only two settings that need to be changed to take full control of user photos in Microsoft 365.
Important: Users can also change their photos using the following URL: https://outlook.office.com/mail/changephoto. That’s where blocking gets tricky, but I will get to that.
How to block users fromchanging their photos in Microsoft 365
To successfully prevent users from changing their own profile photos, you need to:
- Change your Outlook on the web policy.
- Set up SharePoint Online permissions.
- Block access to the direct photo settings link.
To do so, you’ll need to use PowerShell, Microsoft 365 admin center, and do something about the URL which can be used as a backdoor.
Change Outlook on the webpolicy settings
First, you need to start a remote PowerShell session to your Microsoft 365 (Exchange Online). See instructions in this article.
If you wantto prevent all users from changing their profile photos, you need to change thedefault OWA (Outlook on the Web) policy. The default policy’s name isOwaMailboxPolicy-Default. While its name can be changed, the default policygets recreated with the default name and will be applied to newly createdusers. Since you can have other policies that apply to a subset of users only,let’s first check what policies you have by running:
Get-OwaMailboxPolicy | FL name,SetPhotoEnabled

The resultssuggest that I only have the default Outlook on the web mailbox policy, and itallows users to change their profile photos.
To preventall users from changing their pictures, I can run:
Set-OwaMailboxPolicy OwaMailboxPolicy-Default -SetPhotoEnabled $false
And that’sit. Within up to 60 minutes, all users who try to change their profile photowill fail to do so (unless they use SharePoint, but I’ll get to this in thenext section).
If you want to prevent only a subset of users from changing their photos, you need to create a new mailbox policy, change its SetPhotoEnabled attribute and assign it to the subset of users. See instructions below.
Note: You can create a new Outlook on the web policy in the Exchange admin center (EAC) and assign it to users. However, currently, you cannot change the SetPhotoEnabled parameter using this interface, so I’ll show the whole procedure using PowerShell only.
First,create a new Outlook on the web policy with the SetPhotoEnabled attribute set to $false:
New-OwaMailboxPolicy "Prevent users from changing their photos" | Set-OwaMailboxPolicy -SetPhotoEnabled $false
To applythe policy for a single user (j.doe in the example below), run the followingcmdlet:
Set-CASMailbox -Identity [emailprotected] -OwaMailboxPolicy “Prevent users from changing their photos”
To apply the OWA mailbox policy to more users, it’s easiest to use the Foreach loop. In the example below, I use PowerShell to get all members of the Microsoft 365 group called “Marketing” and apply the new policy to them:
$members=(Get-UnifiedGroupLinks "Marketing" -LinkType members).UserPrincipalName;Foreach ($member in $members) {Set-CASMailbox -Identity $member -OwaMailboxPolicy "Prevent users from changing their photos"};
Once you apply the change, you can use the following cmdlet to check if the right OWA mailbox policy has been applied to users:
Get-CASMailbox | FL name,OwaMailboxPolicy
This concludes changing the Outlook on the web mailbox policy to prevent users from changing profile photos. It should wor for all places other than SharePoint. The next step is to change your SharePoint Online settings.
SharePoint Online profilepolicy
Setting upyour SharePoint Online profile policy requires you to use the Microsoft 365 admincenter interface.
- Go to Microsoft 365 admin center, click Show all in the left menu and choose SharePoint to access the SharePoint Online admin center.

- Inthe SharePoint Online admin center, click More features, and click Open in the User profiles section.

- Goto Manage User Properties.

- Click Picture and then click Edit Policy.

In thePolicy settings, clear the Allow users to edit values for this property checkbox,scroll down and click OK.

From now on, users should no longer be able to edit their profile photos from SharePoint. This applies to all users in your Microsoft 365 organization. Currently, there is no method to fine-tune this policy to prevent only specific users from changing their profile photos in SharePoint Online.
Block the URL that links to the photo settings
Now, this is a tricky part. Any user who visits the https://outlook.office.com/mail/changephoto URL will be able to change their Microsoft 365 photo. Most solutions used to block URLs, like editing the hosts file or changing the DNS settings, will not work for a specific URL, but for a whole domain. Blocking the whole outlook.office.com domain will make Outlook on the web inaccessible. Besides, you will need to block this domain for mobile devices, too. So, to completely prevent your users from changing their Microsoft 365 photo, you can:
- Use Client Access Rules to completely block access to Outlook on the Web and its settings. Users will still be able to use Outlook for their mailing needs.
- Block the specific URL with a firewall. This seems like the most elegant solution, but requires a firewall with such a feature and being able to use this firewall for all users’ connections to Microsoft 365.
Changing all these settings stops users from editing their photos but still allows everyone to see the assigned profile images. Since users can no longer edit their picture attribute, you can manage user photos without worrying that someone will overwrite them.
How to manage user photosin Microsoft 365
CodeTwo User Photos is a free tool that allows you to centrally manage profile photos in Microsoft 365 for all users. If you’re an admin, you can use this app after preventing users from changing their profile images. It will help you easily upload user photos to Microsoft 365, so that they will appear in SharePoint, Exchange Online, Outlook on the web, Microsoft Teams and practically any Microsoft 365-connected app and service.
What’s more, the tool will let you automatically rotate and resize images, so that they always meet Microsoft 365 photo requirements.
Download it here for free
See more:
- How toadd user profile photos to email signatures
- How to add user photosto Office 365 without PowerShell
- How to prevent Office365 users from sending emails outside the organization?