Newcomer
November 16, 2021
Question

Sync Profile pictures from Azure AD

  • November 16, 2021
  • 22 replies
  • 1 view

I am trying to sync Azure AD profile pictures for all users to Zoom.

I am trying to find info on this but cannot find any valid documentation anywhere.

I found articles with people using ADFS to do this, but I got rid of ADFS and am not going back.

Does anyone have any information on whether this is possible? I have an ongoing ticket with support, but we're going in circles.


    Community Manager
    November 30, 2021

    Hey @ctaveras, The best way for your picture mapping is on your organization public running in HTTPS, so you can path the picture on your mapping using the HTTPS (secure channel) and also accessible publicly (not behind the firewall). 

    Also on the mapping, you should use the transformation. And follow the info below:
    Name: profilepic
    Source: Transformation
    Transformation: Join()
    Parameter1: https://your-image-server/picture, for example https://mydomain.com/picture (the naming convention for your saved pictures on the server should be the same as your user principal name)
    Parameter2: user.principalname. You can see the user principal name in the user profile -> "User Principal Name"

    ​​​

     

    You just need to have the direct URL for each photo of the users. Let me know if this provides you with some guidance! 
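
A pre-deployment check for the mapping described in the reply above, added here as an example (it is not code from Zoom, Microsoft, or any poster in this thread). It assumes Join() yields the base URL, a "/" separator and the UPN, and that each photo file is named exactly as the UPN; the host name, users and file list are constructed sample data.

```python
from urllib.parse import urlsplit

def join_claim(base_url, upn, separator="/"):
    """Value the profilepic claim would carry (assumed Join semantics)."""
    return f"{base_url.rstrip('/')}{separator}{upn}"

def audit_mapping(base_url, active_upns, hosted_files):
    """Return (finding, detail) tuples for a UPN-keyed public photo host.

    base-url-not-https: the claim would point at a non-TLS URL.
    case-mismatch:      file exists but differs in case from the UPN, which
                        fails on a case-sensitive web server.
    missing-photo:      an active user has no file, so the URL will 404.
    orphaned-photo:     a file with no active user, e.g. a departed employee
                        whose picture is still publicly reachable.
    """
    findings = []
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        findings.append(("base-url-not-https", base_url))

    hosted = set(hosted_files)
    hosted_folded = {name.lower() for name in hosted}
    for upn in active_upns:
        if upn in hosted:
            continue
        kind = "case-mismatch" if upn.lower() in hosted_folded else "missing-photo"
        findings.append((kind, join_claim(base_url, upn)))

    active_folded = {upn.lower() for upn in active_upns}
    for name in sorted(hosted):
        if name.lower() not in active_folded:
            findings.append(("orphaned-photo", name))
    return findings

# Constructed sample data (not real users or hosts).
BASE_URL = "https://photos.example.com/picture"
ACTIVE_UPNS = ["alice@example.com", "Bob@example.com", "carol@example.com"]
HOSTED_FILES = ["alice@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    for kind, detail in audit_mapping(BASE_URL, ACTIVE_UPNS, HOSTED_FILES):
        print(f"{kind:20} {detail}")
```

Because the file names are user principal names on an unauthenticated host, the orphaned-photo finding is the one to act on first when accounts are removed from the directory.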

    Newcomer
    March 13, 2024

    After researching this issue for weeks, it's clear that your customers don't want to erect a web server OUTSIDE OF OUR FIREWALL just to host some profile pictures.  For a company as large as this, it seems absurd to me (and everyone else here) that we simply cannot use a SAML attribute (say 'thumbnailPhoto' - which already exists in AD) and use that as our profile picture.

     

    The reason why is because that attribute is stored as an octet string and it would require you to convert that image to base64 in order for the image to be viewable.  Here's the issue: When you convert that attribute to base64, it's too large to store in AD. It ends up being triple the allotted size for an extensionattribute.

    So, why not convert the image to base64 on the backend?

    I'm pretty sure this won't get a response given the thread, I'm just keeping this post alive.

    Community Manager
    December 2, 2021

    Hey @ctaveras, just checking in on my reply! Just curious if this was helpful! 🙂

    Newcomer
    October 17, 2022

    Hello. I found this discussion from a Google search. I understand the reply from @ctaveras, but that assumes we host our users' profile pictures on a public website, which we don't. We would like to use the Azure AD profile picture, which can be discovered in the Graph API here: https://graph.microsoft.com/beta/me/photo/$value

     

    However, simply creating a new claim in Azure AD and setting this as the value and creating a mapping in the ZOOM SAML Mappings doesn't work. When logging in as a user, the claim resolves to the value of "https://graph.microsoft.com/beta/me/photo/$value", not the actual user photo.

     

    I'm obviously doing something wrong here. Has anyone got this working? Please post your suggestions and tips.

    Thanks.

    glynch27
    Partner
    November 1, 2022

    Was there ever a resolution to this where Graph was successful?

    Newcomer
    November 2, 2022

    Hi @glynch27, I'm still waiting for someone to post an answer. Considering Zoom's popularity, I'm surprised more people aren't asking this question and/or offering the answer. Some huge orgs must have achieved this. Perhaps I'll raise a support ticket or ask on reddit.com/r/Zoom as well. I'll post the answer here when I find it!

    glynch27
    Partner
    November 2, 2022

    I am surprised as well and from a Graph API standpoint, it's fairly easy to implement into Zoom (from a dev perspective).  I'll bring this up to the channel teams as a feature request, but I think the subreddit request and in other places may create more traction.

     

    For what we're able to do currently (SAML assertion), we would need to broker the image somewhere and get the user values which is crazy for us supporting large orgs (ourselves as a partner and MSSP/MSP).  Since the graph permissions are already in-place, it's an easy association of pulling the largest photo from graph and applying it to the Zoom user and could be an easy option to toggle on/off.

    Newcomer
    November 13, 2022

    Very keen on some assistance here myself. It's almost 2am and I'm struggling to believe how difficult this is to achieve. We've enabled Single Sign-on, auto provisioning, and SAML response mappings and all of those are working... but I'm really struggling to find further guidance for the Profile Picture. I will watch this thread with eager anticipation of a simple solution for what seems like it should be a trivial problem.

     

    cheers all

    Newcomer
    November 14, 2022

    @JCarvell or @glynch27 

    Whilst I don't have an answer to this yet, I'm wondering if you could offer some advice on a related matter. Although we provision Zoom user accounts automatically from Azure AD, I still need to go into each account in Zoom, manually set the time zone, preferred date format (dd/mm/yyyy) and set the time zone to 24-hours. Have you worked out a way to automate or sync this from Azure? These configurable options don't appear under SAML mappings, nor anywhere else in Zoom Accounts Settings as far as I am aware. Thanks in advance.

    glynch27
    Partner
    November 14, 2022

    @DDIT @JCarvell -- Hopefully this thread will bring traction from the team, and I still need to ping my resources at Zoom to see if this is road mapped.  

     

    A majority of this is very easy work but like most, it's in a bucket of hundreds of other to-do's and prioritizing it to the top can be difficult.  Especially with recent larger deals of 100k+ seats from Citi and other orgs, I find it difficult to understand some of the core basics still need addressing but, I have full confidence that they will eventually iron this out.

     

    The big ones are ones you already mentioned-->

     

    • Allow the ability to sync profile picture and grant access on behalf of the company to allow all users to share profile pictures.  This process is the same as what's used for OAuth calendar and contacts sync.
    • Ability to set default time zone and / or pull IdP integration time zone (Okta, Duo, Azure, etc.) for the user

    Then there's the one not really related to this thread but is in the same bucket for me to fix the "oddly not here" settings-->

    • Ability to set default caller ID (a frequent one in the forums)

    SAML response is limited on some of this, however, I could see time zone being incorporated and updated upon login in case the user has changed time zones.

    Newcomer
    February 14, 2023

    Anyone hear what the plans are? I assume at this point it will be with the JWT to OAuth change that is due before July 2023.

    Newcomer
    March 1, 2023

    Another entity looking for picture sync via Azure AD. Has anyone made progress on this? Has Zoom taken any notice at all?

    Newcomer
    March 9, 2023

    Was anybody able to get the Azure profile pictures on Zoom?

    Newcomer
    March 9, 2023

    Nope, no movement on this.