Adding a Default Photo to Azure Active Directory Guest User Accounts

Guest Accounts Deserve to be Highlighted

Last year I wrote about how to add photos to the Azure Active Directory accounts created for guest users to make contributions from those users in apps like Teams more attractive. The article prompted a reader to ask if it was possible to set a default photo for guest accounts to use instead of the two-initial logo (for example, TR for Tony Redmond) that apps otherwise display.

The answer is “yes” if you’re willing to use PowerShell and run the Set-AzureADUserThumbnailPhoto cmdlet to add a default photo to all guest accounts. Let’s see how it’s done.

Visual Warning for Collaboration

The idea is to create a visual clue for tenant users that a person they communicate with in apps like Office 365 Groups, Planner, and Teams is not part of the company. In effect, we want to highlight the need for our users to be careful when sharing information with guests in case something confidential leaks.

Thinking About a Script

In approaching the problem, it’s important not to overwrite photos that might already exist for guest accounts. If a photo has been uploaded for a guest account, it’s likely there for a good reason and we should leave it alone unless told otherwise.

The outline for our code is clear. Find guest accounts in the tenant and check each to see if it already has a photo. If not, update the account with the default photo. Here’s the PowerShell script that I came up with:

$Guests = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $True
ForEach ($Guest in $Guests) {
   # Does a photo exist? The read fails when the account has no photo.
   $PhotoExists = $Null
   Try {
       $PhotoExists = Get-AzureADUserThumbnailPhoto -ObjectId $Guest.ObjectId -ErrorAction Stop
   }
   Catch {
       # Nope - so update account with default picture
       Write-Host "Photo does not exist for" $Guest.DisplayName "- updating with default guest logo"
       Set-AzureADUserThumbnailPhoto -ObjectId $Guest.ObjectId -FilePath C:\Temp\DefaultGuestPicture.jpg
   }
}

The Effect of a Default Photo

The script doesn’t take long to run. The longest part in the process is the background synchronization between Azure Active Directory and the Office 365 apps, which can take anything from a few minutes to many hours depending on service load and workcycle scheduling. Be patient and the default photos will make their way to the apps and start to appear.

Figure 1 shows the intended effect. In this case, I have an Office 365 Group used by 50 MVPs, all of whom are guests in my tenant. Photos are already present for some guests and now we see that OWA displays the default photo for the others. It would be nicer to have individual photos for each guest, but at least I now have a nice visual indicator of a guest’s status (everyone trusts an MVP, right?).

Figure 1: How a default photo for guest accounts shows up in OWA (image credit: Tony Redmond)

Ongoing Maintenance

Running a script is a one-time operation to update guest accounts that don’t already have a photo. To be effective, you should run the script every week or so to find and update newly added guest accounts.
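
The weekly pass described above, as an added example that is not the author's script: it wraps the same three AzureAD cmdlets in a function that supports -WhatIf and writes a CSV record of what happened to each guest account. The function name Set-DefaultGuestPhoto and the C:\Temp\GuestPhotoLogs folder are assumptions.

```powershell
# Added example, not the article's code. Hypothetical names: Set-DefaultGuestPhoto,
# the C:\Temp\GuestPhotoLogs folder. Requires an existing Connect-AzureAD session.
function Set-DefaultGuestPhoto {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$PhotoPath = 'C:\Temp\DefaultGuestPicture.jpg',
        [string]$LogFolder = 'C:\Temp\GuestPhotoLogs'
    )
    # Stop early if the photo is missing rather than failing once per guest.
    if (-not (Test-Path -Path $PhotoPath -PathType Leaf)) {
        throw "Default photo not found: $PhotoPath"
    }
    $Guests = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true
    $Results = @(foreach ($Guest in $Guests) {
        $Action = 'Skipped (photo exists)'
        try {
            $null = Get-AzureADUserThumbnailPhoto -ObjectId $Guest.ObjectId -ErrorAction Stop
        }
        catch {
            # As in the article's script, a failed read is treated as "no photo".
            $Action = 'Not updated (-WhatIf or declined)'
            if ($PSCmdlet.ShouldProcess($Guest.UserPrincipalName, 'Set default guest photo')) {
                try {
                    Set-AzureADUserThumbnailPhoto -ObjectId $Guest.ObjectId -FilePath $PhotoPath -ErrorAction Stop
                    $Action = 'Updated'
                }
                catch { $Action = "Failed: $($_.Exception.Message)" }
            }
        }
        [PSCustomObject]@{
            Timestamp         = Get-Date -Format 's'
            DisplayName       = $Guest.DisplayName
            UserPrincipalName = $Guest.UserPrincipalName
            ObjectId          = $Guest.ObjectId
            Action            = $Action
        }
    })
    # Write the audit log even on a -WhatIf run, so the dry run leaves a record.
    if (-not (Test-Path -Path $LogFolder)) {
        $null = New-Item -Path $LogFolder -ItemType Directory -WhatIf:$false
    }
    $LogFile = Join-Path $LogFolder ('GuestPhotos-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    $Results | Export-Csv -Path $LogFile -NoTypeInformation -WhatIf:$false
    $Results | Group-Object -Property Action | Select-Object -Property Name, Count
}

# Dry run first, then the real pass (for example from a weekly scheduled task).
Set-DefaultGuestPhoto -WhatIf
Set-DefaultGuestPhoto
```

Because any failed read is treated as a missing photo, review the "Failed" and "Updated" rows in the CSV after each run to confirm that only accounts without a photo were touched.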

I’m always amazed when administrators tell me that they don’t like PowerShell and won’t use it to help manage Office 365. Scripts fill in the gaps left by Microsoft or improve functionality to make life just a little easier, as in this case.