This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We have an Exchange hybrid organisation where all users are migrated to Exchange online. I have been using a script to update user photos in the local AD but because of the limitations with Azure AD Connect, I'd like to script the upload of photos to Exchange Online.
Since basic authentication isn't going to be supported for much longer I'd like to use modern authentication using the Exchange Online PowerShell V2 module that supports MFA and app-only authentication.
I have followed the guide on Docs on how to register an App in Azure AD and to be sure that there isn't a rights issue I have given the App the role of Global Administrator.
But I get an error message when trying to set the user photo.
These are the commands I use (sensitive data replaced with xxx):
Connect-ExchangeOnline -CertificateThumbPrint “xxxxxx” -AppID “xxx-xxx-xxx-xxx-xxxx” -Organization “myorg.onmicrosoft.com” -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS
Set-UserPhoto -Identity hanstest -PictureData ([System.IO.File]::ReadAllBytes("C:\Install\be2.jpg")) -Confirm:$false
Which results in the following response:
Error on proxy command 'Set-UserPhoto -Identity:'hanstest' -PictureData:'255','216' ... ,'217' -Confirm:$False' to server AM6PR05MB5523.eurprd05.prod.outlook.com: Server version 15.20.337
0.0000, Proxy method RPS:
Connecting to remote server am6pr05mb5523.eurprd05.prod.outlook.com failed with the following error message : ば鸣˅ For more information, see the about
_Remote_Troubleshooting Help topic. [Server=DB8PR05MB6745,RequestId=311495a1-a0c5-4e8e-ba54-b8e539667afb,TimeStamp=2020-09-17 10:08:53] .
+ CategoryInfo : NotSpecified: (:) [Set-UserPhoto], CmdletProxyException
+ FullyQualifiedErrorId : [Server=DB8PR05MB6745,RequestId=311495a1-a0c5-4e8e-ba54-b8e539667afb,TimeStamp=2020-09-17 10:08:53] [FailureCategory=C
mdlet-CmdletProxyException] B833102,Microsoft.Exchange.Management.RecipientTasks.SetUserPhoto
+ PSComputerName : outlook.office365.com
To confirm that there's nothing wrong with the actual photo and command syntax I have tried with basic authentication and that works. Here are the commands I use for that:
$Credential = Get-Credential
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $ExSession
Set-UserPhoto -Identity hanstest -PictureData ([System.IO.File]::ReadAllBytes("C:\Install\be2.jpg")) -Confirm:$false
Assistance on how to make it work with the EXO V2 module would be most welcome. Thanks.
Try it without the ConnectionUri switch. You actually dont need to set that its the default
I have tried without but the result is the same.
Hi
Set-UserPhoto cmdlet uses a unique authentication method internally during server to server calls. This method is currently not supported in Certificate Based Authentication flows. Only Set-UserPhoto is one such cmdlet not supported in CBA ( https://aka.ms/exov2-cba )
Can we update the title to "Set-UserPhoto doesn't work with CBA flow in EXO V2 module".
We believe Setting user photo may not be a high frequency automation scenario. Can you explain more about the use-case and why you need to do it un-attended scripting on a regular basis ?
That will help us prioritize.
Regards
Navin
Exchange Online Team
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 95%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
set-userphoto is very much a high frequency automation scenario for us.
Either AD->AD Connect -> Azure AD-> EXO sync needs to support pictures >10KB - or this needs to work with modern auth
Not being able to automate employee picture uploads when legacy auth is disabled is a blocker for disabling legacy auth.
we need it to be able to keep up with newhires and new pictures taken. probably need to update a few 100 pictures every month
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 78%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
I found another commandlet that doesn't support CBA (3 days of banging head)...
New-UnifiedGroup
The lack of CBA is prohibiting me from doing many things that I'm trying to automate.
CBA should be allowed across all the commandlets, and treated as a standard form of authenitcation.
Hey @Nate Pope
Thank you for sharing your issue. Can you share the complete script you are using to invoke New-UnifiedGroup in CBA ?
Exact parameters of New-UnifiedGroup as well as connection string will help.
Connect-ExchangeOnline -CertificateThumbPrint "XXXXXXXX" -AppID "XXXXXXX" -Organization "ORG.onmicrosoft.com"
$GroupParams = @{
AccessType = $AccessType;
Alias = $Name;
DisplayName = $Name;
EmailAddresses = "$EmailAddress";
Name = $Name;
Notes = $Description;
RequireSenderAuthenticationEnabled = $TRUE;
}
$newGroup = New-UnifiedGroup @GroupParams
I wish I would have found this much earlier... Spent too much time trying to automate this exact problem of HR updating photos and needing the new photos to be uploaded to Azure.
How do we get set-userphoto to support CBA? @Navin Gupta
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
At this time AFAIK, there is no answer. We worked around the deficiency by creating a cloud-only account with Exchange-ManageAsApp (not sure I have the name of that permission correct), giving it a 32 character complex password and paying off the security group. Works like a charm. My process is updating 25k photos, has been running for 16 days and is 70% done, and now has built-in support for more than a dozen transient and retryable errors. It has crashed, been improved and restarted over 25 times during that time. There is a LOT to account for in a production-ready process.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 37%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
My company also relies on a daily automation to keep user photos in sync with our HR system. As we are migrating all our Exchange related PowerShell scripts to the new module and certificate based automation it was disappointing to discover that these cmdlets were not available.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 69%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEJ%3C/text%3E%3C/svg%3E)
Add me to this list too. We are trying to updated our automated process which can process up to 10-15 pictures per day and now they're all broken. Microsoft, this is definitely a "high frequency automation scenario" and needs to be addressed.
Ours is an organization of about 30K users - we averaged about 23 a day over the last week. Our cloud-only account workaround is a life-saver.