Restrict Editing of Office 365 Profile information

slattdog
We use Office 365, and I have been tasked with implementing a new company policy whereby only the HR department is able to manage the profile/contact info for users within the organization. They want to make sure that all user information is current and consistently applied (understandably).

So, my question is twofold:
1. How do I restrict users from modifying their profile info in O365?
2. How do I give HR staff the ability to modify that information -- without giving them additional permissions to users' accounts?
Senior Systems Admin
Top Expert 2010
Commented:
You have to make changes in Office 365's Remote PowerShell. Let me know if you don't know how to do so.

https://eightwone.com/2011/03/31/disabling-editing-account-information-in-owa/ gives some guidance on limiting user access to various functions, but it can get fairly complicated if you go beyond just removing access to modifying contact information (for instance, if there are options that you want to block that don't fall under the MyContactInfo role assignment, you'll have to be more granular).

Granting HR access to Contact Information modification for other users is also a little tricky. It all involves making changes to the role-based access control system in Office 365 and modifying role assignment policies. You would basically need to create a group for HR, create a role, create a role assignment policy that allows users to modify contact info for all users (this usually involves adding PowerShell cmdlets and options that the group is allowed to use), assign the policy to the role, then assign the role to the HR group. It's a huge subject, really: https://technet.microsoft.com/en-us/library/jj200692(v=exchg.150).aspx explains more.
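Added example, not part of the original answer: one way to carry out both halves in Exchange Online PowerShell, with the HR side done as a custom role scoped down to contact fields and granted through a role group. It assumes a connected session run by an Organization Management member; the names "HR Contact Editors" and "HR Profile Managers" and the member address are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
$hrRole  = 'HR Contact Editors'      # hypothetical custom role name
$hrGroup = 'HR Profile Managers'     # hypothetical role group name

# --- 1. Users: stop self-service edits of contact info ----------------------
# Find the default role assignment policy and list what it grants today.
$policy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
Get-ManagementRoleAssignment -RoleAssignee $policy.Name |
    Select-Object Name, Role

# Preview removal of the self-service contact-info role; drop -WhatIf to apply.
Get-ManagementRoleAssignment -RoleAssignee $policy.Name -Role MyContactInformation |
    Remove-ManagementRoleAssignment -WhatIf

# --- 2. HR: a least-privilege role for editing other users' contact info ----
# Child roles inherit every entry of the parent, so start from the built-in
# "Mail Recipients" role and strip it down.
New-ManagementRole -Name $hrRole -Parent 'Mail Recipients'

# Keep only the cmdlets HR needs to look up and update a user.
$keepCmdlets = 'Get-User', 'Set-User', 'Get-Recipient'
Get-ManagementRoleEntry "$hrRole\*" |
    Where-Object { $_.Name -notin $keepCmdlets } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$hrRole\$($_.Name)" -Confirm:$false
    }

# Narrow Set-User itself to contact fields (this parameter list is an
# assumption about what HR should own; adjust to the policy).
$keepParams = 'Identity', 'Title', 'Department', 'Company', 'Office', 'Manager',
              'Phone', 'MobilePhone', 'Fax', 'StreetAddress', 'City',
              'StateOrProvince', 'PostalCode', 'CountryOrRegion'
$entry = Get-ManagementRoleEntry "$hrRole\Set-User"
$drop  = $entry.Parameters | Where-Object { $_ -notin $keepParams }
Set-ManagementRoleEntry "$hrRole\Set-User" -Parameters $drop -RemoveParameter

# Grant the role to HR through a role group (member address is a placeholder).
New-RoleGroup -Name $hrGroup -Roles $hrRole -Members 'hr.lead@contoso.example'

# --- 3. Verify who effectively holds the new role ---------------------------
Get-ManagementRoleAssignment -Role $hrRole -GetEffectiveUsers |
    Select-Object EffectiveUserName, Role, RoleAssigneeName
```

Running step 1 with `-WhatIf` first, and checking step 3 afterwards, gives a record of exactly which assignments changed before any user is affected.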
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
Well, it depends. In general when you have dirsync in place, attributes will be synced from the local AD and neither users nor admins can change them directly in O365. However, some things can still be changed by the users, such as their Delve profile, which is then synced back across the service(s). The set of attributes is controlled via the SPO admin center -> User Profiles section, you should be able to restrict them.

Author

Commented:
Thanks Adam and Vasil. We do not use DirSync, so that is not an issue in our environment. Browsing the links Adam sent, it does look like it could get complicated. Our environment is not that large, and I'd prefer to stay away from creating that level of complexity. I think if I can at least restrict users from modifying their info, then I can just have an admin work with HR to keep the info current.

Adam: The process outlined in the eightwone.com link would only restrict users, not admins, correct?
Adam Brown
Senior Systems Admin
Top Expert 2010

Commented:
It *shouldn't* impact Admin (Those rights are assigned using a different role assignment) users from making changes to other users, but they may lose the ability to change their own settings. I would test to make sure, though.
