Restrict Editing of Office 365 Profile information

We use Office 365, and I have been tasked with implementing a new company policy whereby only the HR department is able to manage the profile/contact info for uses within the organization. They want to make sure that all user information is current and consistently applied (understandably).

So, my question is twofold:
1. How do I restrict users from modifying their profile info in O365?
2. How do I give HR staff the ability to modify that information -- without giving them additional permissions to user's accounts?

You have to make changes in Office 365's Remote Powershell. Let me know if you don't know how to do so. https://eightwone.com/2011/03/31/disabling-editing-account-information-in-owa/ gives some guidance on limiting user access to various functions, but it can get fairly complicated if you go beyond just removing access to modifying contact information (for instance, if there are options that you want to block that don't fall under the MyContactInfo role assignment, you'll have to be more granular). Granting HR access to Contact Information modification for other users is also a little tricky. It all involves making changes to the Role based access control system in Office 365 and modifying role assignment policies. You would basically need to create a group for HR, create a role, create a role assignment policy that allows users to modify contact info for all users (This usually involves adding Powershell cmdlets and options that the group is allowed to use), assign the policy to the role, then assign the role to the HR group. It's a huge subject, really: https://technet.microsoft.com/en-us/library/jj200692(v=exchg.150).aspx explains more

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LVL 46

Adam BrownSenior Systems AdminCommented: 2017-03-27

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

LVL 53

Vasil Michev (MVP)Commented: 2017-03-27

Well, it depends. In general when you have dirsync in place, attributes will be synced from the local AD and neither users nor admins can change them directly in O365. However, some things can still be changed by the users, such as their Delve profile, which is then synced back across the service(s). The set of attributes is controlled via the SPO admin center -> User Profiles section, you should be able to restrict them.

slattdogAuthor Commented: 2017-03-27

Thanks Adam and Vasil. We do not use DirSync, so that is not an issue in our environment. Browsing the links Adam sent it does look like it could get complicated. Our environment is not that large, and I'd prefer to stay away from creating that level of complexity. I think if I can at least restrict users fro modifying there info, then I can just have an admin work with HR to keep the info current.

Adam: The process outlined in the eightwone.com link would only restrict users, not admins correct?

It *shouldn't* impact Admin (Those rights are assigned using a different role assignment) users from making changes to other users, but they may lose the ability to change their own settings. I would test to make sure, though.

Restrict Editing of Office 365 Profile information

Who is Participating?