If you ever need to set the local Windows user account profile pictures from Azure AD, you can use the following script.

The script leverages the Graph API through a service principal (app) in Azure AD. There are some requirements before running the script:

An Azure AD app with the “read all users’ full profiles” Graph API permission. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

You must be able to get the object id (client id), key (client secret) and token endpoint (OAuth 2.0 Token Endpoint) from the Azure AD app.

The OS must be Windows 10.

The client must be able to contact Azure AD.

You can run the script “manually” or deploy it with Azure Intune. You can run the script under your own account or as the “nt authority\system” account. Just be sure that the account has access to write to the registry path “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users” and its child objects.

The only things you need to change in the script are three variables (lines 43, 44 and 45) holding the Azure AD app information.

Here is a basic walkthrough of what the script actually does:

1. Create the folder structure in “C:\Scripts\ProfilePicture” to store pictures, the script and logs. The folder path can be changed to your liking on lines 33, 34 and 39.
2. Start transcript logging to “C:\Scripts\ProfilePicture\Logs\”.
3. Get the access token for the Graph API.
4. Get user information (UPN, username and SID) for the users that have already logged in to the local device.
5. Download the user profile photo for each user into “C:\Scripts\ProfilePicture\Data\”.
6. Set the registry keys so that Windows uses the downloaded photo for each user.
7. Create a scheduled task (if it doesn’t exist) so that any picture change in Azure AD is picked up.
8. Copy the script to the location “C:\Scripts\ProfilePicture”.
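The core of steps 3, 5 and 6 as an added example (this is not the author's script): it obtains an app-only token with the client-credentials grant, downloads each user's photo from Graph, and points the per-SID AccountPicture registry values at the file. Assumed and not taken from the page: the v2.0 token endpoint (the v1 endpoint takes `resource` instead of `scope`), the placeholder tenant/client values, the UPN-to-SID map being supplied as input, and the ImageNNN value names all pointing at the same file.

```powershell
# Added example, not the original script. Requires an app registration with the
# "read all users' full profiles" (User.Read.All) application permission.
$TenantId      = '<tenant-id-placeholder>'
$ClientId      = '<client-id-placeholder>'
$ClientSecret  = '<client-secret-placeholder>'
# Assumption: v2.0 endpoint; the v1 endpoint expects 'resource' instead of 'scope'.
$TokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$DataPath      = 'C:\Scripts\ProfilePicture\Data'
$PictureRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'

function Get-GraphToken {
    # Client-credentials grant: the task runs as SYSTEM with no signed-in user.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    (Invoke-RestMethod -Method Post -Uri $TokenEndpoint -Body $body).access_token
}

function Set-LocalProfilePicture {
    param([string]$Upn, [string]$Sid, [string]$Token)
    New-Item -ItemType Directory -Path $DataPath -Force | Out-Null
    $photo = Join-Path $DataPath "$Sid.jpg"
    try {
        # /photo/$value returns the raw image; a 404 means the user has no photo.
        Invoke-WebRequest -UseBasicParsing -ErrorAction Stop `
            -Uri "https://graph.microsoft.com/v1.0/users/$Upn/photo/`$value" `
            -Headers @{ Authorization = "Bearer $Token" } -OutFile $photo
    } catch {
        Write-Warning "No photo downloaded for $Upn ($($_.Exception.Message))"
        return
    }
    # Windows looks the picture up per SID; writing here needs HKLM write access.
    # Assumption: every ImageNNN value may point at the same file.
    $key = Join-Path $PictureRoot $Sid
    New-Item -Path $key -Force | Out-Null
    foreach ($size in 32, 40, 48, 96, 192, 240, 448) {
        Set-ItemProperty -Path $key -Name "Image$size" -Value $photo
    }
}

# Constructed input: UPN -> SID for profiles that have logged on locally.
$Users = @{ 'alice@contoso.example' = 'S-1-12-1-0000000000-0000000000-0000000000-0000000000' }
$token = Get-GraphToken
foreach ($entry in $Users.GetEnumerator()) {
    Set-LocalProfilePicture -Upn $entry.Key -Sid $entry.Value -Token $token
}
```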

You may want to compile the code into an executable; this will disguise (though not truly protect) the client secret used to retrieve the profile pictures. One way of turning a PowerShell script into an executable is to use this script, but remember to change the scheduled task in the code to point to the .exe file instead of the .ps1 before compiling.