Restrict Editing of Office 365 Profile information
We use Office 365, and I have been tasked with implementing a new company policy whereby only the HR department is able to manage the profile/contact info for uses within the organization. They want to make sure that all user information is current and consistently applied (understandably).
So, my question is twofold:
1. How do I restrict users from modifying their profile info in O365?
2. How do I give HR staff the ability to modify that information -- without giving them additional permissions to user's accounts?
So, my question is twofold:
1. How do I restrict users from modifying their profile info in O365?
2. How do I give HR staff the ability to modify that information -- without giving them additional permissions to user's accounts?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You have to make changes in Office 365's Remote Powershell. Let me know if you don't know how to do so. https://eightwone.com/2011/03/31/disabling-editing-account-information-in-owa/ gives some guidance on limiting user access to various functions, but it can get fairly complicated if you go beyond just removing access to modifying contact information (for instance, if there are options that you want to block that don't fall under the MyContactInfo role assignment, you'll have to be more granular). Granting HR access to Contact Information modification for other users is also a little tricky. It all involves making changes to the Role based access control system in Office 365 and modifying role assignment policies. You would basically need to create a group for HR, create a role, create a role assignment policy that allows users to modify contact info for all users (This usually involves adding Powershell cmdlets and options that the group is allowed to use), assign the policy to the role, then assign the role to the HR group. It's a huge subject, really: https://technet.microsoft.com/en-us/library/jj200692(v=exchg.150).aspx explains more
Well, it depends. In general when you have dirsync in place, attributes will be synced from the local AD and neither users nor admins can change them directly in O365. However, some things can still be changed by the users, such as their Delve profile, which is then synced back across the service(s). The set of attributes is controlled via the SPO admin center -> User Profiles section, you should be able to restrict them.
Thanks Adam and Vasil. We do not use DirSync, so that is not an issue in our environment. Browsing the links Adam sent it does look like it could get complicated. Our environment is not that large, and I'd prefer to stay away from creating that level of complexity. I think if I can at least restrict users fro modifying there info, then I can just have an admin work with HR to keep the info current.
Adam: The process outlined in the eightwone.com link would only restrict users, not admins correct?
Adam: The process outlined in the eightwone.com link would only restrict users, not admins correct?
Premium Content
You need an Expert Office subscription to comment.Start Free Trial