Skip to content

Instantly share code, notes, and snippets.

@machv

machv/photo-sync.ps1

Created March 28, 2022 08:02
Show Gist options
  • Save machv/dcab5de5957c2b32d39c33e329b15d65 to your computer and use it in GitHub Desktop.
Save machv/dcab5de5957c2b32d39c33e329b15d65 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
photo-sync.ps1
<# setup
Connect-AzureAD
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "<SecretPassword>"
$PasswordProfile.ForceChangePasswordNextLogin = $false
$user = New-AzureADUser `
-DisplayName "Photo Syncer" `
-PasswordProfile $PasswordProfile `
-UserPrincipalName "<UserName>" `
-AccountEnabled $true `
-MailNickName "photo-syncer"
Connect-ExchangeOnline
Add-RoleGroupMember "Recipient Management" -Member "<UserName>"
$cert = New-SelfSignedCertificate -Subject "CN=PhotoSyncerCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -HashAlgorithm SHA256
Export-Certificate -Cert $cert -FilePath aad-photo-syncer.crt
#>
#region Prereq
$photo = [byte[]](Get-Content test.jpg -Encoding byte)
Set-ADUser test.test -Replace @{thumbnailPhoto=$photo}
Start-ADSyncSyncCycle -PolicyType Delta
$u = Get-ADUser test -Properties thumbnailPhoto
$u.thumbnailPhoto | Set-Content preview.jpg -Encoding byte
Invoke-Item preview.jpg
Connect-AzureAD
Get-AzureADUserThumbnailPhoto -ObjectId "test@contoso.com" -View $true
#endregion
#region Credentials
$ecpUser = "<UserName>"
$ecpPassword = "<SecretPassword>"
$Tenant = "<TenantName>"
$ClientId = "<ClientId>"
$ClientSecret = "<ClientSecret>"
$CertificateThumbprint = "<CertificateThumbprint>"
<#
(https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint)
create app at
https://m365x906820-admin.sharepoint.com/_layouts/15/appregnew.aspx
and then approve at
https://m365x906820-admin.sharepoint.com/_layouts/15/appinv.aspx
with this metadata:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>
#>
$spTenantHandle = "m365x906820"
$spClientId = "70e53759-612c-46e5-b086-c23046ec62b1"
$spClientSecret = "<SharePointClientSecret>"
#endregion
#region Functions
function Invoke-OnBehalfOfFlowcertificate {
# https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow
param(
[Parameter(Mandatory = $true)]
[string]$Tenant,
[Parameter(Mandatory = $true)]
[string]$ClientId,
[Parameter(Mandatory = $true)]
[string]$CertificateThumbprint,
[Parameter(Mandatory = $true)]
[string]$AccessToken,
[Parameter()]
[string]$Resource = "https://graph.microsoft.com"
)
$certificate = Get-ChildItem Cert:\CurrentUser\My\$CertificateThumbprint
$jwt = New-Jwt -Subject $ClientId -Issuer $ClientId -ValidforSeconds 180 -Certificate $certificate -Audience "https://login.microsoftonline.com/$($Tenant)/oauth2/token"
$payload = @{
grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer"
requested_token_use = "on_behalf_of"
scope = "openid"
assertion = $AccessToken
client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
client_assertion = $jwt
resource = $Resource
client_id = $ClientId
}
$response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" -Body $payload
$response
}
function Get-ReadableSize($Size) {
$suffix = "B", "kB", "MB", "GB", "TB"
$index = 0
while ($Size -gt 1kb) {
$Size = $Size / 1kb
$index++
}
"{0:N1} {1}" -f $Size, $suffix[$index]
}
function ConvertFrom-Timestamp {
param(
[Parameter(Mandatory = $true)]
[int]$Timestamp
)
$utc = (Get-Date 01.01.1970) + ([System.TimeSpan]::fromseconds($Timestamp))
$datetime = [datetime]::SpecifyKind($utc, 'Utc').ToLocalTime()
$datetime
}
function New-Jwt {
param(
$Type = "JWT",
[Parameter(Mandatory = $True)]
[string]$Issuer = $null,
[int]$ValidforSeconds = 180,
[Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
$Audience = $null,
$Subject = $null
)
$Algorithm = "RS256"
$exp = [int][double]::parse((Get-Date -Date $((Get-Date).addseconds($ValidforSeconds).ToUniversalTime()) -UFormat %s)) # Grab Unix Epoch Timestamp and add desired expiration.
[hashtable]$header = @{
alg = $Algorithm
typ = $type
x5t = [System.Convert]::ToBase64String($Certificate.GetCertHash())
}
[hashtable]$payload = @{
iss = $Issuer
exp = $exp
aud = $Audience
sub = $Subject
}
$headerjson = $header | ConvertTo-Json -Compress
$payloadjson = $payload | ConvertTo-Json -Compress
$headerjsonbase64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($headerjson)).Split('=')[0].Replace('+', '-').Replace('/', '_')
$payloadjsonbase64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payloadjson)).Split('=')[0].Replace('+', '-').Replace('/', '_')
$jwt = $headerjsonbase64 + "." + $payloadjsonbase64
$toSign = [System.Text.Encoding]::UTF8.GetBytes($jwt)
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
if ($null -eq $rsa) { # Requiring the private key to be present; else cannot sign!
throw "There's no private key in the supplied certificate - cannot sign"
}
else {
try {
$signed = $rsa.SignData($toSign, [Security.Cryptography.HashAlgorithmName]::SHA256, [Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sig = [Convert]::ToBase64String($signed) -replace '\+','-' -replace '/','_' -replace '='
} catch { throw "Signing with SHA256 and Pkcs1 padding failed using private key $rsa" }
}
$jwt = $jwt + '.' + $sig
return $jwt
}
# https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
function Invoke-ClientCredentalsCertificateFlow {
param(
[Parameter(Mandatory = $true)]
[string]$Tenant,
[string]$ClientId,
[string]$CertificateThumbprint,
[string]$Resource = "https://graph.microsoft.com"
)
$certificate = Get-ChildItem Cert:\CurrentUser\My\$CertificateThumbprint
$jwt = New-Jwt -Subject $ClientId -Issuer $ClientId -ValidforSeconds 180 -Certificate $certificate -Audience "https://login.microsoftonline.com/$($Tenant)/oauth2/token"
$authUrl = "https://login.microsoftonline.com/{0}/oauth2/token" -f $Tenant
$parameters = @{
grant_type = "client_credentials"
resource = $Resource
client_id = $ClientId
client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
client_assertion = $jwt
}
$response = Invoke-RestMethod -Uri $authUrl -Method Post -Body $parameters
$expires = ConvertFrom-Timestamp -Timestamp $response.expires_on
$result = [PSCustomObject]@{
Expires = $expires
AccessToken = $response.access_token
}
$result
}
function Invoke-ClientCredentialsFlow {
param(
[string]$Tenant,
[Parameter(ParameterSetName='ClientCredential')]
[pscredential]$Client,
[Parameter(ParameterSetName='ClientExplicit')]
[string]$ClientId,
[Parameter(ParameterSetName='ClientExplicit')]
[string]$ClientSecret,
[string]$Resource = "https://graph.microsoft.com",
[string]$AuthorizationEndpoint = "https://login.microsoftonline.com/{0}/oauth2/token"
)
$authUrl = $AuthorizationEndpoint -f $Tenant
$parameters = @{
grant_type = "client_credentials"
client_secret = $ClientSecret
resource = $Resource
client_id = $ClientId
}
$response = Invoke-RestMethod -Uri $authUrl -Method Post -Body $parameters
$expires = ConvertFrom-Timestamp -Timestamp $response.expires_on
$result = [PSCustomObject]@{
Expires = $expires
AccessToken = $response.access_token
}
$result
}
function Update-SpoUserProperty {
param(
$Endpoint,
$Headers,
$User,
$Property,
$Value
)
$payload = @{
accountName = ("i:0#.f|membership|" + $User)
propertyName = $Property
propertyValue = $Value
}
$url = "https://$($Endpoint)/_api/SP.UserProfiles.PeopleManager/SetSingleValueProfileProperty"
Invoke-WebRequest -Uri $url -Method Post -Headers $Headers -Body ($payload | ConvertTo-Json) -ContentType "application/json;odata=nometadata"
}
#endregion
#region Option 1: On-Prem AD -> ExO
$startTime = Get-Date
[securestring]$secStringPassword = ConvertTo-SecureString $ecpPassword -AsPlainText -Force
[pscredential]$credentials = New-Object System.Management.Automation.PSCredential ($ecpUser, $secStringPassword)
Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false -ConnectionUri "https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS"
$allMailboxes = Get-EXOMailbox -ResultSize Unlimited
$usersWithPhoto = Get-ADUser -Properties thumbnailPhoto -Filter "thumbnailPhoto -like '*'" # -and ms-ds-consistencyguid -like '*'"
$user = $usersWithPhoto | Select -First 1
foreach($user in $usersWithPhoto) {
$photo = $user.thumbnailPhoto
$mailbox = $allMailboxes | Where-Object UserPrincipalName -EQ $user.UserPrincipalName
if(-not $mailbox) {
Write-Host -ForegroundColor Yellow " - skipping $($user.UserPrincipalName) as no mailbox detected"
continue
}
Write-Host -ForegroundColor Gray " - trying to update a picture of $($user.UserPrincipalName) [$(Get-ReadableSize -Size $photo.Length)]"
Set-UserPhoto -Identity $user.UserPrincipalName -PictureData $photo -Confirm:$false
}
$endTime = Get-Date
$duration = $endTime - $startTime
Write-Host ("Total sync duration: {0}" -f $duration)
#endregion
#region Option 2: On-Prem -> Microsoft Graph API
$startTime = Get-Date
$token = Invoke-ClientCredentialsFlow -Tenant "<TenantName>" -ClientId "<ClientId>" -ClientSecret "<ClientSecret>"
$headers = @{
"Authorization" = "Bearer $($token.AccessToken)"
"Content-Type" = "image/jpeg"
}
$usersWithPhoto = Get-ADUser -Properties thumbnailPhoto,Mail -Filter "thumbnailPhoto -like '*'" # -and ms-ds-consistencyguid -like '*'"
$user = $usersWithPhoto | Select -First 1
foreach($user in $usersWithPhoto) {
$photo = $user.thumbnailPhoto
if(-not $user.Mail) {
Write-Host -ForegroundColor Yellow " - skipping $($user.UserPrincipalName) as no e-mail address is set on the user"
continue
}
Write-Host -ForegroundColor Gray " - trying to update a picture of $($user.UserPrincipalName) [$(Get-ReadableSize -Size $photo.Length)]"
Invoke-WebRequest -Method Patch -Uri "https://graph.microsoft.com/v1.0/users/$($user.UserPrincipalName)/photo/`$value" -Headers $headers -Body $photo
}
$endTime = Get-Date
$duration = $endTime - $startTime
Write-Host ("Total sync duration: {0}" -f $duration)
#endregion
#region Option 3: AAD Graph API -> Microsoft Graph API (which goes to ExO mailbox)
$startTime = Get-Date
# MS Graph
$msgToken = Invoke-ClientCredentialsFlow -Tenant "<TenantName>" -ClientId "<ClientId>" -ClientSecret "<ClientSecret>" -Resource "https://graph.microsoft.com"
$msgHeaders = @{
"Authorization" = "Bearer $($msgToken.AccessToken)"
"Content-Type" = "image/jpeg"
}
# AAD Graph API
$aadToken = Invoke-ClientCredentialsFlow -Tenant "<TenantName>" -ClientId "<ClientId>" -ClientSecret "<ClientSecret>" -Resource "https://graph.windows.net"
$aadHeaders = @{
"Authorization" = "Bearer $($aadToken.AccessToken)"
"Content-Type" = "image/jpeg"
}
$url = "https://graph.windows.net/myorganization/users/?`$filter=dirSyncEnabled eq true&`$top=500&api-version=1.6"
$r = Invoke-RestMethod -Method Get -Uri $url -Headers $aadHeaders
$users = $r.value
while($r.'odata.nextLink')
{
$nextLink = $r.'odata.nextLink'+'&api-version=1.6'
$r = Invoke-RestMethod -Uri "https://graph.windows.net/myorganization/$($nextLink)" -Headers $aadHeaders -Method Get
$users += $r.value
}
$user = $users | ? UserPrincipalNAme -eq "test@contoso.com"
foreach($user in $users) {
$user.userPrincipalName
$exch = $user.assignedPlans | Where-Object service -EQ "exchange"
if(-not $exch) {
Write-Host -ForegroundColor Yellow " - user without Exchange license -> skipping"
continue
}
$photo = $null
$url = "https://graph.windows.net/myorganization/users/$($user.userPrincipalName)/thumbnailPhoto?api-version=1.6"
try {
$r = Invoke-WebRequest -Method Get -Uri $url -Headers $aadHeaders
$photo = $r.Content
} catch {
if($_.Exception.Response.StatusCode.value__ -eq 404) {
Write-Host -ForegroundColor Yellow " - no photo available -> skipping"
}
else {
Write-Host -ForegroundColor Red "Error while loading pic: $($_.Exception)"
}
continue
}
if($photo) {
Write-Host " - updating a picture [$(Get-ReadableSize -Size $photo.Length)]... " -NoNewline
try {
$r = Invoke-WebRequest -Method Patch -Uri "https://graph.microsoft.com/v1.0/users/$($user.UserPrincipalName)/photo/`$value" -Headers $msgHeaders -Body $photo
if($r.StatusCode -eq 200) {
Write-Host "OK"
}
} catch {
Write-Host ""
Write-Host -ForegroundColor Red (" - server returned {0} -> probably user does not have an ExO mailbox?" -f $_.Exception.Response.StatusCode)
}
}
}
$endTime = Get-Date
$duration = $endTime - $startTime
Write-Host ("Total sync duration: {0}" -f $duration)
#endregion
#region Option 4: AAD Graph API -> SPO
$spPhotosDocumentLibrary = "User Photos"
$spPhotosFolder = "Profile Pictures"
# Connect to AAD Graph
$aadToken = Invoke-ClientCredentalsCertificateFlow -Tenant $Tenant -ClientId $ClientId -CertificateThumbprint $CertificateThumbprint -Resource "https://graph.windows.net"
$aadHeaders = @{
"Authorization" = "Bearer $($aadToken.AccessToken)"
"Content-Type" = "image/jpeg"
}
$url = "https://graph.windows.net/myorganization/tenantDetails?api-version=1.6"
$r = Invoke-RestMethod -Method Get -Uri $url -Headers $aadHeaders
$tenantId = ($r.value | Select -First 1).objectId
# Load all AAD users
$url = "https://graph.windows.net/myorganization/users/?`$filter=dirSyncEnabled eq true&`$top=500&api-version=1.6"
$r = Invoke-RestMethod -Method Get -Uri $url -Headers $aadHeaders
$users = $r.value
while($r.'odata.nextLink')
{
$nextLink = $r.'odata.nextLink'+'&api-version=1.6'
$r = Invoke-RestMethod -Uri "https://graph.windows.net/myorganization/$($nextLink)" -Headers $aadHeaders -Method Get
$users += $r.value
}
$AuthorizationEndpoint = "https://accounts.accesscontrol.windows.net/$($tenantId)/tokens/OAuth/2"
$spoAdminToken = Invoke-ClientCredentialsFlow -AuthorizationEndpoint $AuthorizationEndpoint -ClientId "$($spClientId)@$($tenantId)" -ClientSecret $spClientSecret -Resource "00000003-0000-0ff1-ce00-000000000000/$($spTenantHandle)-admin.sharepoint.com@$($tenantId)"
$spoAdminHeaders = @{
"Authorization" = "Bearer $($spoAdminToken.AccessToken)"
"Accept" = "application/json;odata=nometadata"
}
$spoMyToken = Invoke-ClientCredentialsFlow -AuthorizationEndpoint $AuthorizationEndpoint -ClientId "$($spClientId)@$($tenantId)" -ClientSecret $spClientSecret -Resource "00000003-0000-0ff1-ce00-000000000000/$($spTenantHandle)-my.sharepoint.com@$($tenantId)"
$spoMyHeaders = @{
"Authorization" = "Bearer $($spoMyToken.AccessToken)"
"Accept" = "application/json;odata=nometadata"
}
$spoPictures = @{
"_SThumb" = "48"
"_MThumb" = "72"
"_LThumb" = "200"
}
$user = $users | ? UserPrincipalNAme -eq "test@contoso.com"
foreach($user in $users) {
$user.userPrincipalName
$photo = $null
$url = "https://graph.windows.net/myorganization/users/$($user.userPrincipalName)/thumbnailPhoto?api-version=1.6"
try {
$r = Invoke-WebRequest -Method Get -Uri $url -Headers $aadHeaders
$photo = $r.Content
} catch {
if($_.Exception.Response.StatusCode.value__ -eq 404) {
Write-Host -ForegroundColor Yellow " - no photo available -> skipping"
}
else {
Write-Host -ForegroundColor Red "Error while loading pic: $($_.Exception)"
}
continue
}
# https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-folders-and-files-with-rest
#$url = "https://m365x906820-my.sharepoint.com/_api/web/GetFolderByServerRelativeUrl('/User%20Photos/Profile%20Pictures')/Files('lisa_test_litware_ml_LThumb.jpg')/`$value"
#$r = Invoke-WebRequest -Uri $url -Method Get -Headers $spoMyHeaders
# check if user is present in SPO
$url = "https://$($spTenantHandle)-admin.sharepoint.com/_api/SP.UserProfiles.PeopleManager/GetPropertiesFor(accountName=@v)?@v='i:0%23.f|membership|$($user.userPrincipalName)'"
$r = Invoke-RestMethod -Uri $url -Method Get -Headers $spoAdminHeaders -ContentType "application/json;odata=nometadata"
if(-not $r.AccountName) {
Write-Host -ForegroundColor Yellow " - user not present in SPO (probably newly created account?) -> skipping"
continue
}
<#
$exchState = ($r.UserProfileProperties | Where-Object Key -EQ "SPS-PictureExchangeSyncState").Value
if($exchState -eq 1) {
Write-Host -ForegroundColor Yellow " - already in sync with ExO -> skipping"
continue
}
#>
$userNamePrefix = $user.userPrincipalName.Replace("@", "_").Replace(".", "_")
#$size = @{Name = "_MThumb";Value = 200}
foreach($size in $spoPictures.GetEnumerator()) {
# setup path
$fileName = "$($userNamePrefix)$($size.Name).jpg"
Write-Host " - resizing $fileName"
# Covert image into different size of image
[System.IO.MemoryStream]$stream = [System.IO.MemoryStream]::new($photo)
$img = [System.Drawing.Image]::FromStream($stream)
[int32]$new_width = $size.Value
[int32]$new_height = $size.Value
$img2 = New-Object System.Drawing.Bitmap($new_width, $new_height)
$graph = [System.Drawing.Graphics]::FromImage($img2)
$graph.DrawImage($img, 0, 0, $new_width, $new_height)
#Covert image into memory stream
$stream = New-Object -TypeName System.IO.MemoryStream
$format = [System.Drawing.Imaging.ImageFormat]::Jpeg
$img2.Save($stream, $format)
$streamseek = $stream.Seek(0, [System.IO.SeekOrigin]::Begin)
$resizedPhoto = $stream.ToArray()
# https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-folders-and-files-with-rest
$url = "https://$($spTenantHandle)-my.sharepoint.com/_api/web/GetFolderByServerRelativeUrl('/$($spPhotosDocumentLibrary)/$($spPhotosFolder)')/Files/add(url='$($fileName)',overwrite=true)"
$r = Invoke-WebRequest -Uri $url -Headers $spoMyHeaders -Method Post -Body $resizedPhoto
}
# Update properties
Write-Host " - Updating SPO properties for user"
$pictureUrl = "https://$($spTenantHandle)-my.sharepoint.com:443/$($spPhotosDocumentLibrary)/$($spPhotosFolder)/$($userNamePrefix)_MThumb.jpg"
$x = Update-SpoUserProperty -Endpoint "$($spTenantHandle)-admin.sharepoint.com" -Headers $spoAdminHeaders -User $user.userPrincipalName -Property "PictureURL" -Value $pictureUrl
$x = Update-SpoUserProperty -Endpoint "$($spTenantHandle)-admin.sharepoint.com" -Headers $spoAdminHeaders -User $user.userPrincipalName -Property "SPS-PicturePlaceholderState" -Value "0"
}
<#
https://techcommunity.microsoft.com/t5/sharepoint/profile-photo-sync-spo/m-p/78585
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/upload-user-profile-pictures-sample-app-for-sharepoint
- https://github.com/pnp/PnP/tree/master/Samples/Core.ProfilePictureUploader
$spoMyToken = Invoke-ClientCredentalsCertificateFlow -Tenant $Tenant -ClientId $ClientId -CertificateThumbprint $certThumbprint -Resource "https://m365x906820-my.sharepoint.com"
$spoMyHeaders = @{
"Authorization" = "Bearer $($spoMyToken.AccessToken)"
#"accept" = "application/json;odata=verbose"
}
$spoAdminToken = Invoke-ClientCredentalsCertificateFlow -Tenant $Tenant -ClientId $ClientId -CertificateThumbprint $certThumbprint -Resource "https://m365x906820-admin.sharepoint.com"
$spoAdminHeaders = @{
"Authorization" = "Bearer $($spoAdminToken.AccessToken)"
#"accept" = "application/json;odata=verbose"
}
# Get Refresh Token for the service account
#$tokenResponse = Invoke-CodeGrantFlow -RedirectUrl "https://localhost:15484/auth" -ClientId $ClientId -ClientSecret $ClientSecret -Tenant $Tenant -Resource $ClientId -AlwaysPrompt $true
#$spgTok = Invoke-OnBehalfOfFlowcertificate -Tenant $Tenant -ClientId $clientId -CertificateThumbprint $CertificateThumbprint -AccessToken $tokenResponse.access_token -Resource "https://$($spTenantHandle)-admin.sharepoint.com" | ConvertTo-AuthorizationHeaders
$url = "https://m365x906820-my.sharepoint.com/_api/web/GetFolderByServerRelativeUrl('/User%20Photos/Profile%20Pictures')/Files('lisa_test_litware_ml_LThumb.jpg')"
$url = "https://m365x906820-my.sharepoint.com/_api/web/GetFolderByServerRelativeUrl('/User%20Photos/Profile%20Pictures')/Files('lisa_test_litware_ml_LThumb.jpg')/`$value"
$r = Invoke-WebRequest -Uri $url -Method Get -Headers $spoMyHeaders
#https://m365x906820-my.sharepoint.com/_api/web/GetFolderByServerRelativeUrl('/User Photos/Profile Pictures')/Files('lisa_test_litware_ml_LThumb.jpg')/$value
# properties
# Install-Module -Name SharePointOnline.CSOM
Load-SPOnlineCSOMAssemblies
$uri = New-Object System.Uri -ArgumentList "https://m365x906820-admin.sharepoint.com/"
$context = New-Object Microsoft.SharePoint.Client.ClientContext($uri)
$context.AuthenticationMode = [Microsoft.SharePoint.Client.ClientAuthenticationMode]::Anonymous
$context.FormDigestHandlingEnabled = $false
$context.add_ExecutingWebRequest({
$EventArgs.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + $spoAdminToken.AccessToken;
})
$context.Load()
$url = "https://m365x906820-admin.sharepoint.com/_api/SP.UserProfiles.PeopleManager/GetUserProfilePropertyFor(accountName=@v,propertyName='PictureURL')?@v=%27i:0%23.f|membership|lisa.test@contoso.com%27"
$response = Invoke-WebRequest -Uri $url -Method Get -Headers $spoAdminHeaders # "https://m365x906820.sharepoint.com/_layouts/15/userphoto.aspx?accountname=lisa.test@contoso.com&size=S" -Headers $headers
$PictureURL = $SiteURL + $DocLibName + "/" + $foldername + "/" + $username + "_MThumb" + $Extension
$payload = @{
accountName = ("i:0#.f|membership|" + "lisa.test@contoso.com")
propertyName = "PictureURL"
propertyValue = "https://m365x906820-my.sharepoint.com:443/User%20Photos/Profile%20Pictures/bart_test_litware_ml_MThumb.jpg"
}
$url = "https://m365x906820-admin.sharepoint.com/_api/SP.UserProfiles.PeopleManager/SetSingleValueProfileProperty"
Invoke-WebRequest -Uri $url -Method Post -Headers $spoAdminHeaders -Body ($payload | ConvertTo-Json) -ContentType "application/json;odata=nometadata"
###
# https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly#what-are-the-limitations-when-using-app-only
# User Profile CSOM write operations do not work with Azure AD application - read operations work. Both read and write operations work through SharePoint App-Only principal
###
$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($WebUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
$ctx.add_ExecutingWebRequest({
param($Source, $EventArgs)
$request = $EventArgs.WebRequestExecutor.WebRequest
$request.UserAgent = "NONISV|CsomPs|TestDecorate/1.0"
})
$ctx.ExecuteQuery()
$peopleManager = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($ctx)
$targetAccount = ("i:0#.f|membership|" + $targetAcc)
$peopleManager.SetSingleValueProfileProperty($targetAccount, $PropertyName, $Value)
UpdateUserProfile -targetAcc $Identity -PropertyName SPS-PictureExchangeSyncState -Value 0 -SPOAdminPortalUrl $SPOAdminPortalUrl -Creds $Creds
UpdateUserProfile -targetAcc $Identity -PropertyName SPS-PictureTimestamp -Value 63605901091 -SPOAdminPortalUrl $SPOAdminPortalUrl -Creds $Creds
Connect-PnPOnline -Url "https://m365x906820-admin.sharepoint.com/" -ClientId $ClientId -Thumbprint $CertificateThumbprint -Tenant $Tenant
Connect-PnPOnline -Url "https://m365x906820-admin.sharepoint.com/" -AppId $spClientId -AppSecret $spClientSecret
Set-PnPUserProfileProperty -Account lisa.test@contoso.com -PropertyName PictureURL -Value "https://m365x906820-my.sharepoint.com:443/User%20Photos/Profile%20Pictures/bart_test_litware_ml_MThumb.jpg"
Set-PnPUserProfileProperty -Account lisa.test@contoso.com -PropertyName "SPS-PictureExchangeSyncState" -Value "1"
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly#what-are-the-limitations-when-using-app-only
#>
#endregion
#region Tests
$user = "test@contoso.com"
$filePattern = "pic_{0}_{{0}}.jpg" -f ($user -split "@")[0]
$show = $true
# AAD Graph API
$token = Invoke-ClientCredentialsFlow -Tenant "<TenantName>" -ClientId "<ClientId>" -ClientSecret "<ClientSecret>" -Resource "https://graph.windows.net"
$headers = @{
"Authorization" = "Bearer $($token.AccessToken)"
"Content-Type" = "image/jpeg"
}
$file = $filePattern -f "aadgraph"
$url = "https://graph.windows.net/myorganization/users/$($user)/thumbnailPhoto?api-version=1.6"
$r = Invoke-WebRequest -Method Get -Uri $url -Headers $headers
$r.Content | Set-Content $file -Encoding byte
if($show) { Invoke-Item $file }
# Microsoft Graph API v1
$file = $filePattern -f "msgraph_v1"
$token = Invoke-ClientCredentialsFlow -Tenant "<TenantName>" -ClientId "<ClientId>" -ClientSecret "<ClientSecret>"
$headers = @{
"Authorization" = "Bearer $($token.AccessToken)"
"Content-Type" = "image/jpeg"
}
$r = Invoke-WebRequest -Method Get -Uri "https://graph.microsoft.com/v1.0/users/$($user)/photo/`$value" -Headers $headers
$r.Content | Set-Content $file -Encoding byte
if($show) { Invoke-Item $file }
# MS Graph beta
$file = $filePattern -f "msgraph_beta"
$r = Invoke-WebRequest -Method Get -Uri "https://graph.microsoft.com/beta/users/$($user)/photo/`$value" -Headers $headers
$r.Content | Set-Content $file -Encoding byte
if($show) { Invoke-Item $file }
# Local AD
$file = $filePattern -f "ad"
$u = Get-ADUser (($user -split "@")[0]) -Properties thumbnailPhoto
$u.thumbnailPhoto | Set-Content $file -Encoding byte
if($show) { Invoke-Item $file }
# EWS
$file = $filePattern -f "ews"
[securestring]$secStringPassword = ConvertTo-SecureString $ecpPassword -AsPlainText -Force
[pscredential]$credentials = New-Object System.Management.Automation.PSCredential ($ecpUser, $secStringPassword)
Connect-ExchangeOnline -Credential $credentials -ShowBanner:$false -ConnectionUri "https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS"
$r = Get-UserPhoto -Identity $user
$r.PictureData | Set-Content $file -Encoding byte
if($show) { Invoke-Item $file }
# SPO
$AuthorizationEndpoint = "https://accounts.accesscontrol.windows.net/$($tenantId)/tokens/OAuth/2"
$spoAdminToken = Invoke-ClientCredentialsFlow -AuthorizationEndpoint $AuthorizationEndpoint -ClientId "$($spClientId)@$($tenantId)" -ClientSecret $spClientSecret -Resource "00000003-0000-0ff1-ce00-000000000000/$($spTenantHandle).sharepoint.com@$($tenantId)"
$spoAdminHeaders = @{
"Authorization" = "Bearer $($spoAdminToken.AccessToken)"
# "Accept" = "application/json;odata=nometadata"
}
$url = "https://$($spTenantHandle).sharepoint.com/_layouts/15/UserPhoto.aspx?size=L&AccountName=$($user)"
$r = Invoke-WebRequest -Uri $url -Method Get -Headers $spoAdminHeaders
$file = $filePattern -f "spo"
$r.Content | Set-Content $file -Encoding byte
if($show) { Invoke-Item $file }
$token = Invoke-ClientCredentalsCertificateFlow -Tenant $Tenant -ClientId $ClientId -CertificateThumbprint $certThumbprint -Resource "https://m365x906820.sharepoint.com"
#$token = Invoke-ClientCredentialsFlow -Tenant "<TenantName>" -ClientId "<ClientId>" -ClientSecret "<ClientSecret>" -Resource "https://m365x906820.sharepoint.com"
$headers = @{
"Authorization" = "Bearer $($token.AccessToken)"
#"accept" = "application/json;odata=verbose"
}
$url = "https://m365x906820.sharepoint.com/_api/SP.UserProfiles.PeopleManager/GetUserProfilePropertyFor(accountName=@v,propertyName='PictureURL')?@v=%27i:0%23.f|membership|lisa.test@contoso.com%27"
$response = Invoke-WebRequest -Uri $url -Method Get -Headers $headers # "https://m365x906820.sharepoint.com/_layouts/15/userphoto.aspx?accountname=lisa.test@contoso.com&size=S" -Headers $headers
$url = "https://m365x906820.sharepoint.com/_layouts/15/UserPhoto.aspx?size=L&accountname=$($user)"
$r = Invoke-WebRequest -Uri $url -Method Get -Headers $headers
$file = $filePattern -f "spo"
$r.Content | Set-Content $file -Encoding byte
if($show) { Invoke-Item $file }
Get-FileHash pic_* | Sort-Object Hash | Select Hash, Path
#endregion
# Get All mailboxes with picture
Get-Mailbox -ResultSize Unlimited | where-object HasPicture -EQ $true
<#
Note The thumbnailPhoto attribute can store a user photo as large as 100 kilobytes (KB).
The thumbnailPhoto attribute is synced only one time between Azure AD and Exchange Online. Any later changes to the attribute from the on-premises environment are not synced to the Exchange Online mailbox.
Exchange Online accepts only a photo that's no larger than 10 KB from Azure AD.
SP:
https://docs.microsoft.com/en-us/sharepoint/sharepoint-admin-role
https://docs.microsoft.com/en-us/sharepoint/dev/general-development/work-with-user-profiles-in-sharepoint
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
set current user photo: https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint-rest-reference/dn790354(v=office.15)?redirectedfrom=MSDN#setmyprofilepicture-method
The Picture Timestamp, Picture Placeholder State, and Picture Exchange Sync State profile properties for the user are set or updated to reflect the profile picture synchronization state.
http://www.techrobbers.com/2019/07/sharepoint-user-profile-fields-with.html
Picture PictureURL URL
Picture Timestamp SPS-PictureTimestamp string single value
Picture Placeholder State SPS-PicturePlaceholderState integer
Picture Exchange Sync State SPS-PictureExchangeSyncState integer
Get specific size of MSG photo:
Sizes: 48x48, 64x64, 96x96, 120x120, 240x240, 360x360, 432x432, 504x504, and 648x648
- https://graph.microsoft.com/v1.0/users/lisa.test@contoso.com/photos/64x64/$value
references:
- https://support.microsoft.com/en-gb/help/3062745/user-photos-aren-t-synced-from-the-on-premises-environment-to-exchange
- https://support.microsoft.com/en-us/office/information-about-profile-picture-synchronization-in-microsoft-365-20594d76-d054-4af4-a660-401133e3d48a?ui=en-us&rs=en-us&ad=us
- https://docs.microsoft.com/en-us/skypeforbusiness/deploy/integrate-with-exchange-server/high-resolution-photos
- https://outlook.office.com/owa/service.svc/s/GetPersonaPhoto?email=bart.test@contoso.com&UA=0&size=HR648x648
Multiple locations of photos in 365:
- AAD directly (synced with AD [thumbnailPhoto attribute] via AAD Connect
- Exchange Online mailbox (only for users with ExO mailbox) - synced once with AAD
- SharePoint Online - synced in 24h intevals from ExO mailbox and stored in 3 sizes in Document Library https://m365x906820-my.sharepoint.com/User%20Photos/Forms/Thumbnails.aspx?id=%2FUser%20Photos%2FProfile%20Pictures
Delve, Teams respects Ex0 policy and fetch avatars from there
Microsoft Graph API (both 1.0 and beta) reads ExO mailbox photo
Azure AD Graph API reads directly from AAD storage
Other APIs:
- Outlook rest api:
* https://docs.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/photo-rest-operations
* https://docs.microsoft.com/en-us/previous-versions/office/office-365-api/api/beta/use-outlook-rest-api-beta#DefineOutlookRESTAPI
#>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment