Updating your profile photo as Guest via the Microsoft Graph SDK for PowerShell

June is a busy month for the authors of the Office 365 for IT Pros book, as not only do they have to prepare updates for the next incremental release, but they also have to rework them to better fit the overall vision for the next edition, scheduled for July 2022 release. My job as a tech editor is even tougher, as I need to go over each and every one of the chapters and flesh them out (mostly because I slack during the remainder of the year). On the other hand, this can be a rewarding experience, as it serves as a refresher for many of the new functionalities Microsoft has released over the course of the year. Another big part of the experience is replacing old code with newer examples, and this year in particular we’re doubling down on this effort, due to some impending PowerShell module deprecation.

After this long introduction, cue the topic at hand. One of the examples in the Groups chapter revolves around sample code that Guests can use in order to update their profile picture within the host tenant. The current version involves the use of the Set-AzureADUserThumbNailPhoto cmdlet, which is no good anymore. Instead, a replacement is needed, either via the Microsoft Graph SDK for PowerShell, or a direct Graph API call. Long story short, here’s how you can achieve this task via the former.

First, you will need to authenticate in order to obtain a valid access token for the tenant you’d like to make the change in. Remember, we are doing this as Guest, so we need an access token valid for the corresponding resource tenant. The Connect-MgGraph cmdlet allows you to specify the -TenantId parameter; however, it continues to disappoint with the overall experience, as it will reuse the token cache even when you specify additional parameters such as -ForceRefresh or -UseDeviceAuthentication. To ensure you obtain the proper token, it pays to issue the Disconnect-MgGraph cmdlet first. Then, use the following to connect as a Guest:

Connect-MgGraph -TenantId 922712ba-352a-4eda-bece-09d1684d0cfb -ForceRefresh -UseDeviceAuthentication
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code D48YXLLW3 to authenticate.
Welcome To Microsoft Graph!

Since we’re utilizing the -UseDeviceAuthentication parameter here, you will need to complete the authentication process by opening the /devicelogin endpoint in a separate browser window, where you need to paste the provided code, and then provide credentials for the account you want to use. At this point, you can specify the UPN of an account that already has a matching Guest user object within the resource tenant. If everything goes as planned, you will be connected in the context of the guest user, which you can verify by issuing the Get-MgContext cmdlet.

Once connected, you will be able to use the Set-MgUserPhotoContent cmdlet to perform the photo upload, however one vital piece of information is needed for that – your user Id. Generally speaking, you can use the UserPrincipalName value instead of the Id, which is something you can obtain from various UI bits, or guesstimate based on your UPN value within your home tenant and the MOERA domain of the host organization. Getting the Id value, on the other hand, might prove a bit more difficult. Generally speaking, you can obtain it from the access token itself. The Graph API also allows you to use the /me endpoint, which will spill out your details, however I’m not aware of any way to leverage that via the PowerShell SDK. Instead, you can use the Get-MgUser cmdlet, which even in the most restricted scenario will allow you to query your own user object.

In the example below, the first cmdlet will fail as the host tenant is using the most restrictive guest access setting, limiting guest users to only being able to see their own user object, as explained in the documentation. If we provide the correct UPN value for the guest user, we can actually get the needed details:

Get-MgUser -UserId vasil@michevdev3.onmicrosoft.com
Get-MgUser_Get1: Insufficient privileges to complete the operation.

Get-MgUser -UserId vasil_michevdev3.onmicrosoft.com#EXT#@michev.onmicrosoft.com

Id DisplayName Mail UserPrincipalName UserType
-- ----------- ---- ----------------- --------
d0b22cd9-32fc-42fd-82d1-6121d92af3fc Vasil Michev vasil@michevdev3.onmicrosoft.com vasil_michevdev3.onmicrosoft.com#EXT#@michev.onmicrosoft.com

And with that, you are ready to update your profile photo. Don’t forget that there are certain limitations in terms of the photo size! Once you have the photo prepared, simply issue the Set-MgUserPhotoContent cmdlet as follows:

Set-MgUserPhotoContent -UserId d0b22cd9-32fc-42fd-82d1-6121d92af3fc -InFile "D:\Downloads\photo.jpg"

To confirm the change was successful, use the UI or the Get-MgUserPhoto cmdlet:

Get-MgUserPhoto -UserId d0b22cd9-32fc-42fd-82d1-6121d92af3fc

Id Height Width
-- ------ -----
default 1103 1135

And in case you are wondering why we needed to provide the Id value, it’s because the PowerShell SDK is crap. Not only does it not accept the UPN as a valid input for the Set-MgUserPhotoContent cmdlet, but the error message thrown is completely off:

Set-MgUserPhotoContent -UserId "vasil_michevdev3.onmicrosoft.com#EXT#@michev.onmicrosoft.com" -InFile "D:\Downloads\photo.jpg"
Set-MgUserPhotoContent_Set2: {
"errorCode": "ImageNotFound",
"message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ImageNotFoundException' was thrown.",
"target": null,
"details": null,
"innerError": null,
"instanceAnnotations": []
}

But that’s what you get with the great AutoRest…

One important thing to note here. Unlike the Azure AD PowerShell module, which every tenant can use out of the box, the Graph SDK is NOT a built-in app, meaning the resource tenant has to have added it first. And consent needs to be granted to the corresponding scopes for the above cmdlets to work. In particular, you need the User.ReadWrite permission in order to set the photo. And given the known caveats of the /photo endpoint, even the Get-MgUserPhoto cmdlet might fail without User.ReadWrite access.
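Putting the whole procedure together, here is an added example script (not from the original post) that clears the token cache, connects to the host tenant as a Guest, derives the #EXT# UPN from the signed-in home UPN, resolves it to the user Id and then uploads and verifies the photo. The tenant Id, MOERA domain and photo path are placeholders you supply; the 4 MB size check is an assumed limit taken from the Graph profile photo documentation, and the script assumes Get-MgContext reports your home-tenant UPN in its Account property.

```powershell
# Added example: update a Guest user's photo in a host tenant via the Graph SDK.
# Placeholders (not from the post): $HostTenantId, $HostMoeraDomain, $PhotoPath.
param(
    [Parameter(Mandatory)] [string] $HostTenantId,     # resource (host) tenant GUID
    [Parameter(Mandatory)] [string] $HostMoeraDomain,  # e.g. contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $PhotoPath         # local JPEG/PNG to upload
)

# Build the guest UPN the host tenant knows you by: home UPN with '@' -> '_',
# followed by '#EXT#@' and the host tenant's MOERA domain.
function ConvertTo-GuestUpn([string] $HomeUpn, [string] $HostDomain) {
    return ($HomeUpn -replace '@', '_') + '#EXT#@' + $HostDomain
}

# Assumed limit: Graph documents 4 MB as the maximum profile photo size.
$size = (Get-Item -LiteralPath $PhotoPath).Length
if ($size -gt 4MB) {
    throw "Photo is $([math]::Round($size / 1MB, 2)) MB; the assumed Graph limit is 4 MB."
}

# Drop any cached token for another tenant, then sign in against the host tenant
# requesting the scope needed for the photo write.
Disconnect-MgGraph -ErrorAction SilentlyContinue
Connect-MgGraph -TenantId $HostTenantId -Scopes 'User.ReadWrite' -UseDeviceAuthentication

# Verify the token really belongs to the host tenant before touching anything.
$ctx = Get-MgContext
if ($ctx.TenantId -ne $HostTenantId) {
    throw "Connected to tenant $($ctx.TenantId), expected $HostTenantId. Token cache reused?"
}

# Resolve the guest object: only the #EXT# UPN works under restricted guest access.
$guestUpn = ConvertTo-GuestUpn -HomeUpn $ctx.Account -HostDomain $HostMoeraDomain
$me = Get-MgUser -UserId $guestUpn -Property Id,UserPrincipalName,UserType -ErrorAction Stop
if ($me.UserType -ne 'Guest') {
    Write-Warning "$($me.UserPrincipalName) resolved as $($me.UserType), not Guest."
}

# Set-MgUserPhotoContent needs the object Id, not the UPN.
Set-MgUserPhotoContent -UserId $me.Id -InFile $PhotoPath -ErrorAction Stop

# Confirm the upload; this read also relies on the User.ReadWrite grant.
$photo = Get-MgUserPhoto -UserId $me.Id -ErrorAction Stop
"Photo for $($me.UserPrincipalName) set to $($photo.Width)x$($photo.Height) (Id: $($photo.Id))"
```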
