Office 365 Photo Integration

Microsoft offers Azure Active Directory Connect (AADC) to synchronize your users and their attributes from your local Active Directory to Azure and, thus, Office 365. You can include your users’ thumbnailPhoto attribute. Unfortunately, Microsoft limits photos uploaded this way to files smaller than 10KB; that is generally a photo less than about 150x150 pixels.

Directory Update v3.1 includes code that allows a user to save 2 photo files: one that is smaller and can be loaded to your local Active Directory, and a second, larger photo that can be uploaded to Office 365. Our Office 365 code loads the photo and stores it in the Exchange Online portion of O365; the photo is stored as a property of the mailbox.

A photo that is uploaded directly to Office 365 using the correct O365 proxy can be up to 648x648 in size and about 500Kb. The larger photo provides your O365 applications with a better quality photo and will be used by Outlook / Exchange, Teams, Skype for Business, SharePoint, and Delve.

While we have built this feature using our Directory Update code, we have leveraged some .NET Framework and PowerShell libraries in order to provide the simplest mechanism for uploading photos. The underlying code is not customizable by the customer.


Patience!

Even before we began developing this add-on, the nature of O365 synchronization, replication, and browser caching has been a bit maddening, whether you are simply syncing the photo from the local Active Directory, uploading it via the O365 management portal, or loading it via PowerShell. A photo may show up in various O365 apps anywhere between a few minutes and a few days.

And, if you are looking at your photo through a web browser, remember to flush your cache so that new photos will display sooner.

Advise your users that photo uploads may not be visible immediately.

We recommend reading this article by Paul Ryan to learn a bit more about the mysteries of photos in O365.


Prerequisites

Getting started with O365 photo uploads does not take long. A few simple prerequisites must be met.

Local User’s UPN Must Match the UPN in O365

Directory Update is primarily an on-premises solution; we authenticate users against your local Active Directory domain. When a user logs on to Directory Update, we match up the local user with the O365 account using the user’s user principal name (UPN). The local UPN name must match the O365 UPN name, otherwise we cannot determine what the user’s name is in O365.

Office 365 Admin Account

You will need an Office 365 user that has admin privileges and is enabled for remote PowerShell in the Exchange Online component. This account is used to upload photos on behalf of the user. The account will be in the form of an email address / UPN name, like this: youraccount@yourdomain.com

HTTPS Connectivity to Office 365

The server on which you will host Directory Update or Directory Manager must have Internet connectivity on TCP port 443 (HTTPS). This is necessary to connect to Office 365 and upload users’ photos.

Warning: Microsoft allows a maximum of 3 simultaneously open remote PowerShell sessions for any organization. If you open a session, make sure that you disconnect it when you are finished.

Minimum PowerShell Version

We leverage some of the underlying .NET libraries that PowerShell also uses. The server should have PowerShell v3 or later installed. You can determine the current version of PowerShell by opening a PowerShell prompt and typing this:

$psversiontable.psversion


Configuring the Office 365 Connection

Once Directory Update is installed and you have met the prerequisites, it is a simple matter to enable Directory Update to upload photos to O365.

Add Office 365 Admin Credentials and URI Path

You will need to securely store your admin credentials much the same way you store your Directory Update service/proxy account. You do that by running the Configuration wizard and selecting “Add / Edit External Credentials”. The Configuration Wizard, by default, is found in the c:\inetpub\wwwroot\DirectoryUpdate\Configuration folder.

The default Exchange Connection URI should be valid for almost all O365 customers.

Office 365 credentials


Configuring Directory Update

To enable Directory Update to upload photos to O365, edit the DirectorySettings.XML file. Locate the photo tag. Under the Office 365 section, set the enabled value to “true”.

<photo label="Photo" attribute="thumbnailPhoto" visible="true" editable="true" width="128" height="128"
  quality="80" defaultvalue="Images/noPhoto.jpg">
  <office365 enabled="true" width="648" height="648" quality="80" />
</photo>

The height and width values are set at 648 x 648 by default. This is the maximum size that O365 currently allows.


Testing

We have provided a couple of scripts to help you test your O365 connection. All scripts are found under the .\Scripts\PowerShell folder. While you are welcome to edit and customize these, please make backups of the original scripts. Any changes and updates you make are unsupported.

Allowing Scripts to Run

Depending on your Windows Server security policies, PowerShell scripts from untrusted sources or PowerShell scripts that are not digitally signed may not run. This is due to your system’s PowerShell Execution Policy. You can view the Execution Policy from the PowerShell prompt by typing:

Get-ExecutionPolicy

You can change the execution policy to either “remote signed” (more secure) or “unrestricted” (less secure). However, we recommend always reviewing PowerShell scripts and making sure that you understand what each script is doing.

You can change the execution policy like this:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Or
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

You can also right click on the script file, choose properties, and view the General properties. If Windows detects that the script is from an external source, it will be blocked. Simply click the Unblock button.

Script file properties
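The following is an added example, not one of the scripts shipped with Directory Update. It shows one way to review the script folder before relaxing anything: list the policy at every scope, report which scripts are blocked, unsigned, or changed, then unblock a single reviewed file and relax the policy for the current process only. The folder path is the default named on this page; Get-FileHash requires PowerShell v4 or later.

```powershell
# Added example (not a Directory Update script). Run from an elevated prompt.
# Assumption: scripts live in the default folder named on this page.
$scriptDir = 'C:\inetpub\wwwroot\DirectoryUpdate\Scripts\PowerShell'

# Show the policy at every scope. MachinePolicy and UserPolicy come from
# Group Policy and override whatever is set at the other scopes.
Get-ExecutionPolicy -List

# Inventory each script before trusting it.
$report = foreach ($file in Get-ChildItem -Path $scriptDir -Filter *.ps1) {
    # Zone.Identifier is the alternate data stream Windows attaches to files
    # that came from another computer; it is what the Unblock button removes.
    $zone = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $file.Name
        Blocked   = [bool]$zone
        Signature = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# Keep the hashes: a later run that shows a different SHA256 means the
# script was edited after you reviewed it.

# After reading the script, unblock only that file (same effect as the
# Unblock button in the file's properties).
Unblock-File -LiteralPath (Join-Path $scriptDir 'Check-O365photos.ps1')

# Relax the policy for this PowerShell process only. The machine-wide
# setting is untouched and the change disappears when the window closes.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
```

With RemoteSigned in effect, a local script that is no longer marked as downloaded runs without a signature, so Unrestricted is not needed to run the test scripts.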


Validating Office 365 Photo Uploads

Waiting for uploaded O365 photos to become available in all O365 applications can be something similar to watching paint dry. It seems new photos are fairly quickly available in OWA, Delve, Teams, etc., but it can be up to a day before they are available in Outlook and Skype for Business, and even longer before they are available in SharePoint.

The delay for Outlook and Skype for Business is to be expected, though. After the photo is uploaded, the clients have to sync their configuration and download updates to the Global Address List. So, ask your users to be patient.

Once a user has a photo, web browser-based applications will cache the photo. So, if the user uploads a new photo, the old photo will still display in cache.

Waiting for the photos to become available will test your patience and make you question whether or not the photo actually got uploaded.

We have provided a PowerShell script called Check-O365photos.ps1 that will check O365 to see if a photo has been uploaded. If it has, it will download it to the current folder as a JPG file so that you can check it.

Open a PowerShell prompt as an administrator and change to the .\scripts\PowerShell folder. By default, this script is found in the c:\inetpub\wwwroot\DirectoryUpdate\Scripts\PowerShell folder.

The script takes one parameter: the local username. Here is an example:

.\check-o365photos.ps1 <username>


Common Questions

Should I upload both a local AD photo and an O365 photo?

It certainly does not hurt to upload a photo to your local Active Directory as well as to Office 365. Most of our customers want to do both. Even if you have previously synchronized photos from your local Active Directory using Azure Active Directory Connect (AADC), once you have directly uploaded a photo using Directory Update, all O365 services will use that photo instead.

3 Admin Sessions

Office 365 currently allows a maximum of 3 remote admin sessions from any O365 tenant. This means it is important to ensure that any session that is opened is also closed. Directory Update automatically terminates the session immediately after a photo upload.
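If you open your own sessions for testing, the pattern below keeps them from leaking against the 3-session limit described here and in the prerequisites warning. It is an added example, not Directory Update's code and not its Check-O365photos.ps1 script: it opens one session, fetches a user's mailbox photo, reports its size, and closes the session in a finally block. The connection URI, the use of Basic authentication, and the parameter name are assumptions, since the page does not show them.

```powershell
# Added example: not Directory Update's code or its Check-O365photos.ps1.
param(
    [Parameter(Mandatory = $true)] [string] $UserPrincipalName   # UPN as it appears in O365
)

# Assumptions: the standard Exchange Online remote PowerShell endpoint, and a
# tenant that still accepts Basic authentication for remote PowerShell.
$connectionUri = 'https://outlook.office365.com/powershell-liveid/'
$credential    = Get-Credential -Message 'Office 365 admin account (UPN form)'
$session       = $null

try {
    # Every New-PSSession counts against the limit of 3 open sessions.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $connectionUri `
        -Credential $credential -Authentication Basic -AllowRedirection -ErrorAction Stop

    # Import only the one cmdlet needed, not the whole Exchange command set.
    Import-PSSession -Session $session -CommandName Get-UserPhoto -AllowClobber | Out-Null

    $photo = Get-UserPhoto -Identity $UserPrincipalName -ErrorAction Stop

    # Decode the image locally to report what is actually stored on the mailbox.
    Add-Type -AssemblyName System.Drawing
    $stream = New-Object System.IO.MemoryStream (,$photo.PictureData)
    $image  = [System.Drawing.Image]::FromStream($stream)
    try {
        [pscustomobject]@{
            User   = $UserPrincipalName
            Bytes  = $photo.PictureData.Length
            Width  = $image.Width
            Height = $image.Height
        }
    }
    finally {
        $image.Dispose()
        $stream.Dispose()
    }
}
finally {
    # Runs on success, on error, and on Ctrl+C, so the session is never left open.
    if ($session) { Remove-PSSession -Session $session }
}
```

Running Get-PSSession afterwards in the same window should list no Exchange Online session; anything still listed can be closed with Remove-PSSession.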

Higher Resolution Photos

Any photo that is resized to a smaller size is going to lose some resolution. In the Office 365 tag in the DirectorySettings.XML file, the quality “dial” is set to 80, which produces a good quality photo. You can increase this up to 100, but as you increase it, the photo file size will typically get larger. A 648x648 photo at a quality level of 80 is typically between 55KB and 70KB.

Last Review: 26 Dec 2018