This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We have an Exchange hybrid organisation where all users are migrated to Exchange online. I have been using a script to update user photos in the local AD but because of the limitations with Azure AD Connect, I'd like to script the upload of photos to Exchange Online.
Since basic authentication isn't going to be supported for much longer I'd like to use modern authentication using the Exchange Online PowerShell V2 module that supports MFA and app-only authentication.
I have followed the guide on Docs on how to register an App in Azure AD and to be sure that there isn't a rights issue I have given the App the role of Global Administrator.
But I get an error message when trying to set the user photo.
These are the commands I use (sensitive data replaced with xxx):
Connect-ExchangeOnline -CertificateThumbPrint “xxxxxx” -AppID “xxx-xxx-xxx-xxx-xxxx” -Organization “myorg.onmicrosoft.com” -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS
Set-UserPhoto -Identity hanstest -PictureData ([System.IO.File]::ReadAllBytes("C:\Install\be2.jpg")) -Confirm:$false
Which results in the following response:
Error on proxy command 'Set-UserPhoto -Identity:'hanstest' -PictureData:'255','216' ... ,'217' -Confirm:$False' to server AM6PR05MB5523.eurprd05.prod.outlook.com: Server version 15.20.337
0.0000, Proxy method RPS:
Connecting to remote server am6pr05mb5523.eurprd05.prod.outlook.com failed with the following error message : ば鸣˅ For more information, see the about
_Remote_Troubleshooting Help topic. [Server=DB8PR05MB6745,RequestId=311495a1-a0c5-4e8e-ba54-b8e539667afb,TimeStamp=2020-09-17 10:08:53] .
+ CategoryInfo : NotSpecified: (:) [Set-UserPhoto], CmdletProxyException
+ FullyQualifiedErrorId : [Server=DB8PR05MB6745,RequestId=311495a1-a0c5-4e8e-ba54-b8e539667afb,TimeStamp=2020-09-17 10:08:53] [FailureCategory=C
mdlet-CmdletProxyException] B833102,Microsoft.Exchange.Management.RecipientTasks.SetUserPhoto
+ PSComputerName : outlook.office365.com
To confirm that there's nothing wrong with the actual photo and command syntax I have tried with basic authentication and that works. Here are the commands I use for that:
$Credential = Get-Credential
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $ExSession
Set-UserPhoto -Identity hanstest -PictureData ([System.IO.File]::ReadAllBytes("C:\Install\be2.jpg")) -Confirm:$false
Assistance on how to make it work with the EXO V2 module would be most welcome. Thanks.
Try it without the ConnectionUri switch. You actually dont need to set that its the default
I have tried without but the result is the same.
Ok, I can reproduce this. Looks like a bug.
I would enable logging:
Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath <Path to store log file> -LogLevel All
Then submit a bug report to:
exocmdletpreview@service.microsoft.com
Done!
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I submitted exactly the same issue on 9/17 14:30 CDT! Great timing!
Awesome. If you could, please close this up and mark any answer as accepted etc.... Thanks!
@Hans Hedman
Does above suggestion help? If above suggestion help, please be free to mark it as an answer for helping more people.
I don't know yet. I haven't received a reply to the e-mail I sent. Not even confirming that they have received my e-mail.
Agreed. My report of this bug appears to have gone unnoticed. No acknowledgement, no reply.
I have pinged someone directly who may be able to help. Once I hear back, I will respond here.
UPDATE: The Group that supports the new V2 module has been really busy with Ignite as you can imagine. Someone will respond to your emails as soon as they can, hopefully next week.
Hi
Set-UserPhoto cmdlet uses a unique authentication method internally during server to server calls. This method is currently not supported in Certificate Based Authentication flows. Only Set-UserPhoto is one such cmdlet not supported in CBA ( https://aka.ms/exov2-cba )
Can we update the title to "Set-UserPhoto doesn't work with CBA flow in EXO V2 module".
We believe Setting user photo may not be a high frequency automation scenario. Can you explain more about the use-case and why you need to do it un-attended scripting on a regular basis ?
That will help us prioritize.
Regards
Navin
Exchange Online Team
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 95%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
set-userphoto is very much a high frequency automation scenario for us.
Either AD->AD Connect -> Azure AD-> EXO sync needs to support pictures >10KB - or this needs to work with modern auth
Not being able to automate employee picture uploads when legacy auth is disabled is a blocker for disabling legacy auth.
we need it to be able to keep up with newhires and new pictures taken. probably need to update a few 100 pictures every month
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 78%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
I found another commandlet that doesn't support CBA (3 days of banging head)...
New-UnifiedGroup
The lack of CBA is prohibiting me from doing many things that I'm trying to automate.
CBA should be allowed across all the commandlets, and treated as a standard form of authenitcation.
Hey @Nate Pope
Thank you for sharing your issue. Can you share the complete script you are using to invoke New-UnifiedGroup in CBA ?
Exact parameters of New-UnifiedGroup as well as connection string will help.
Connect-ExchangeOnline -CertificateThumbPrint "XXXXXXXX" -AppID "XXXXXXX" -Organization "ORG.onmicrosoft.com"
$GroupParams = @{
AccessType = $AccessType;
Alias = $Name;
DisplayName = $Name;
EmailAddresses = "$EmailAddress";
Name = $Name;
Notes = $Description;
RequireSenderAuthenticationEnabled = $TRUE;
}
$newGroup = New-UnifiedGroup @GroupParams
Our automation scenario involves setting a photo for employees and contractors. When staff begin working, a photo for their badge is taken. It is named using a convention, and a daily process executes to associate the new badge photo with their Azure AD account and mailbox. In a company with tens of thousands of staff, having hundreds of staff changes each week, automation keeps administrative costs down.
The workaround is to create a cloud-only account. However, this account needs Exchange.ManageAsApp, effectively making the account an Exchange administrator. Security dictates that this account utilize MFA, and rightly so. Thus, the workaround is not a good long-term solution.
OK, title has been updated.
Our situation is the same as Pete's. The HR departments supply photos in a folder and a script updates each user. Since basic authentication is to be deprecated soon then it is essential that this works with certificate based authentication.
I wish I would have found this much earlier... Spent too much time trying to automate this exact problem of HR updating photos and needing the new photos to be uploaded to Azure.
How do we get set-userphoto to support CBA? @Navin Gupta
At this time AFAIK, there is no answer. We worked around the deficiency by creating a cloud-only account with Exchange-ManageAsApp (not sure I have the name of that permission correct), giving it a 32 character complex password and paying off the security group. Works like a charm. My process is updating 25k photos, has been running for 16 days and is 70% done, and now has built-in support for more than a dozen transient and retryable errors. It has crashed, been improved and restarted over 25 times during that time. There is a LOT to account for in a production-ready process.