Removing user photos from Office 365
As O365 continues to grow and explode into the business scene (think Teams, summer 2020), the need to control and limit user options will be an increasingly important task for many administrators. It is not uncommon for businesses to need to set parameters for users to maintain company policy and sometimes even a politically correct policy. User photos are one such control that you may find the need to implement. User photos within O365 show up in the user profile picture within Teams, Azure AD, Outlook and SharePoint. When the photos are managed by HR or some internal department and all photos are consistent, photos can be very helpful in the workplace. User pictures are designed to help others easily recognize users at meetings and events. When photos become pictures of your cat or favorite college football team – the helpfulness begins to wane.
If you need to remove user photos from O365, there are several places where you need to make changes: PowerShell, SharePoint, Exchange Online and Active Directory.
PowerShell
If you only want to remove a photo from a user profile, you can use PowerShell to do so.
First, sign in to Exchange Online and Azure AD:
$cred = Get-Credential
Connect-AzureAD -Credential $cred
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Run the following command:
Remove-UserPhoto -Identity <userprincipalname> -Confirm:$false
This will remove the picture for an individual user. The user can still add a picture to their profile again afterwards if they want to.
If you need to remove pictures for multiple users, you could use the following:
$Users = Get-AzureADUser -All $True | Where {$_.AssignedLicenses -ne $null}
foreach ($user in $Users) {Remove-UserPhoto -Identity $user.UserPrincipalName -Confirm:$false}
Note: for larger tenants this command will time out. If this happens, you can add Start-Sleep -m 500 to the loop.
SharePoint
The first place to start is in the SharePoint Admin Center. Select “More features” on the left-hand side of the SharePoint Admin Center, then select Open under “User Profiles.”
Now select “Manage User Properties” under People.
Look for “Picture” and select the arrow to expand. Then select “Edit.”
Look for “Edit Settings” and uncheck the box [Allow users to edit values of this property].
Exchange Online
The final step is editing the Outlook Web App Policy applied to users.
Previously, Microsoft used this setting to control the photo setting in Outlook. With the evolution of the O365 suite, Microsoft has moved most of the control over to SharePoint, meaning this feature in Exchange Online does very little these days.
To set for a specific OWA policy, use:
Set-OwaMailboxPolicy -Identity <Name> -SetPhotoEnabled $false
To set for all OWA policies:
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -SetPhotoEnabled $false
Active Directory
On-premises Active Directory has traditionally been the place to add user photos. AD still has the capability, and with on-prem Exchange Server the feature was used quite often. Each user object in AD has a property called thumbnailPhoto which may contain a user image. If it does, and if you sync the attribute to Azure AD/O365 (which is the default), the user photo will be populated into Azure AD, even if all the settings above have been set. There are several self-service management tools, such as ManageEngine and Adaxes, that can be configured to allow users to edit properties in AD, including their photo. If this is the case, and you do not want those photos syncing to any of the O365 products, then you can disable this attribute from syncing in your Azure AD Connect settings.
From the Start Menu, select Synchronization Service
Select Connectors at the top
Highlight your on-prem Directory and select Properties on the right-hand side.
Choose “Select Attributes” and then uncheck thumbnailPhoto
A final note on Active Directory. If you would like to remove user photos from Active Directory, you can do so by running the following command:
$users = Get-ADUser -SearchBase "ou=xyz,DC=company,DC=com" -Filter *
$users | ForEach-Object { Get-ADUser -Identity $_.SamAccountName | Set-ADUser -Clear thumbnailPhoto }
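The command above clears the attribute for every account in the OU with no record of what was removed. The following is an added example, not part of the original post: it targets only accounts that actually have a thumbnailPhoto, saves each photo before clearing it, and defaults to a dry run. The backup path, the $Apply switch and the report file name are assumptions; the OU is the same placeholder used above.

```powershell
# Added example: back up, then clear, thumbnailPhoto only where it is populated.
# Requires the ActiveDirectory module (RSAT). Values below are assumed placeholders.
Import-Module ActiveDirectory

$SearchBase = 'ou=xyz,DC=company,DC=com'   # placeholder OU from the command above
$BackupDir  = 'C:\Temp\ThumbnailBackup'    # assumed path; photos are personal data, restrict access
$Apply      = $false                       # $false = dry run (-WhatIf); set $true to clear

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The LDAP presence filter returns only accounts where the attribute holds a value
$withPhoto = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(thumbnailPhoto=*)' `
                        -Properties thumbnailPhoto

$report = foreach ($u in $withPhoto) {
    # thumbnailPhoto is an octet string; it usually holds JPEG data
    $file   = Join-Path $BackupDir ('{0}.jpg' -f $u.SamAccountName)
    $status = 'DryRun'
    try {
        # Save the raw bytes first so the change can be reverted
        [System.IO.File]::WriteAllBytes($file, [byte[]]$u.thumbnailPhoto)

        Set-ADUser -Identity $u.DistinguishedName -Clear thumbnailPhoto `
                   -WhatIf:(-not $Apply) -ErrorAction Stop
        if ($Apply) { $status = 'Cleared' }
    }
    catch {
        # Record the failure and carry on with the next account
        $status = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        PhotoBytes     = $u.thumbnailPhoto.Length
        BackupFile     = $file
        Status         = $status
    }
}

# Keep a record of what was (or would be) changed
$report | Export-Csv -Path (Join-Path $BackupDir 'thumbnail-report.csv') -NoTypeInformation
$report | Format-Table -AutoSize
```

Review the dry-run report before setting $Apply to $true. A saved photo can be written back later by passing its bytes to Set-ADUser with -Replace @{thumbnailPhoto = ...}.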
Hope this is helpful!
Cliff