# Configure Entra ID photo sync

{{% info-panel %}}
This feature is available from Salto IDM v3.2 onwards.
{{% /info-panel %}}

## 1: Overview {#1-overview}

Salto IDM can optionally synchronize user profile photos from [Microsoft Entra ID](https://www.microsoft.com/en/security/business/identity-access/microsoft-entra-id) (formerly Azure AD).
When enabled, user photos are imported and stored as part of the identity record in Salto IDM so that:

- User identities in IDM include an up-to-date photo
- Manual photo uploads are reduced
- Administrators have a consistent view of user identities across systems

Photo synchronization is opt-in and controlled via a dedicated setting in the Entra ID Automation configuration.

{{% info-panel %}}
Photo synchronization affects only Salto IDM.
No user photo data is pushed to [Salto Space](/space) as part of this feature.
{{% /info-panel %}}

## 2: Prerequisites {#2-prerequisites}

Before enabling photo synchronization:

- **Existing Entra ID automation**
  You must have a working Entra ID automation configured in Salto IDM that already synchronizes core identity attributes (name, email, identifiers, etc.).
- **Microsoft Entra ID permissions**
  The Entra ID application used by Salto IDM must have permissions to read user profile photos via the Microsoft Graph API.

  These permissions require explicit admin consent.
- **User Photos feature flag in IDM**
  The general User Photos feature in IDM must be enabled for your environment.

If you are unsure whether the correct permissions have been granted, contact your Entra ID administrator.

## 3: Configuration in Salto IDM {#3-configuration-in-salto-idm}

### 3.1 Location of the setting {#31-location-of-the-setting}

The setting is located in:

**Settings** > **Automations** > **Microsoft Entra ID (Entra ID Automation)**

![Entra ID photo](images/idm-entraid-photo-automations.png)
{.border}

Within the configuration:

- **User Photos** (renamed from User Picture)
- **Sync user photos** (new toggle)

![Entra ID photo toggle](images/idm-entraid-photo-toggle-on.png)
{.border}

### 3.2 'Sync user photos' toggle {#32-sync-user-photos-toggle}

A new toggle is available:

- **Label:** Sync user photos
- **Caption:** When enabled, the **User Photos** setting must be on for the photos to be synced.

#### Default behavior {#default-behavior}

- Existing automations: disabled
- New automations: disabled

No photos sync unless explicitly enabled.

## 4: How photo synchronization works {#4-how-photo-synchronization-works}

### 4.1 When the feature is enabled {#41-when-the-feature-is-enabled}

To enable:

1. Go to the Entra ID automation configuration.
2. Ensure **User Photos = ON**.
3. Enable **Sync user photos**.
4. Save and run/schedule the sync.

When both toggles are ON:

- IDM retrieves the user's profile photo from Entra ID via Microsoft Graph.
- The photo is stored in the identity record.
- On subsequent syncs:
  - If the photo has changed, it is updated
  - If the photo is unchanged, it is ignored

If **User Photos = OFF**, no photos sync even if the toggle is on.

### 4.2 When the feature is disabled {#42-when-the-feature-is-disabled}

- No photo retrieval
- No updates
- Existing photos remain unchanged

## 5: Error handling and logging {#5-error-handling-and-logging}

Photo sync is non-blocking:

- Errors affect only photo retrieval
- Core attribute sync continues

Logged information includes:

- Photo sync actions
- Detected changes
- Errors or permission issues
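The change detection described in section 4.1 and the non-blocking error handling in section 5 can be illustrated with a small sync step. The following is an added example written for this page, not Salto IDM's own code: it assumes a `fetch_photo` callable that stands in for the Microsoft Graph call `GET /users/{id}/photo/$value` (a constructed stub is used here so it runs offline), detects changes by comparing a SHA-256 digest of the photo bytes with the digest stored on the identity record, and keeps core attribute sync running even when photo retrieval fails for a user.

```python
"""Illustrative Entra ID photo-sync step (added example, not Salto IDM code).

Core attributes are synced first; the photo step then runs only when both
toggles are ON, updates the stored photo only when its content changed, and
turns every photo-level failure into a log entry instead of a sync failure.
"""
import hashlib
import logging
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("photo-sync")


class PhotoNotFound(Exception):
    """Stands in for Graph HTTP 404: the user has no profile photo."""


class PhotoForbidden(Exception):
    """Stands in for Graph HTTP 403: missing photo-read permission or admin consent."""


@dataclass
class Identity:
    user_id: str
    display_name: str
    photo_sha256: Optional[str] = None  # digest of the stored photo, None if no photo yet


# Hypothetical fetcher type: in a real integration this would wrap
# GET https://graph.microsoft.com/v1.0/users/{id}/photo/$value (binary body).
PhotoFetcher = Callable[[str], bytes]


def sync_user(identity: Identity, core_attrs: dict, fetch_photo: PhotoFetcher,
              photos_enabled: bool, sync_photos: bool) -> str:
    """Sync one identity. Returns the photo action taken for logging/reporting."""
    # Core attribute sync always happens and is never aborted by photo errors.
    identity.display_name = core_attrs["displayName"]

    # Both 'User Photos' and 'Sync user photos' must be ON; otherwise leave photos untouched.
    if not (photos_enabled and sync_photos):
        return "skipped"
    try:
        data = fetch_photo(identity.user_id)
    except PhotoNotFound:
        log.info("%s: no photo in Entra ID", identity.user_id)
        return "no-photo"
    except PhotoForbidden:
        log.error("%s: photo read denied; check Graph permissions and admin consent",
                  identity.user_id)
        return "permission-error"
    except Exception as exc:  # any other photo failure is logged and does not block the sync
        log.error("%s: photo fetch failed: %s", identity.user_id, exc)
        return "error"

    digest = hashlib.sha256(data).hexdigest()
    if digest == identity.photo_sha256:
        return "unchanged"          # same bytes as last time: nothing to store
    identity.photo_sha256 = digest  # changed (or first seen): store the new photo
    log.info("%s: photo updated", identity.user_id)
    return "updated"


def run_sync(identities: List[Identity], directory: Dict[str, dict],
             fetch_photo: PhotoFetcher, photos_enabled: bool, sync_photos: bool) -> Dict[str, str]:
    """One sync pass over all identities; returns {user_id: photo action}."""
    return {i.user_id: sync_user(i, directory[i.user_id], fetch_photo, photos_enabled, sync_photos)
            for i in identities}


# ---- constructed sample data (no real tenant, users or photos) ----
DIRECTORY = {"u1": {"displayName": "Ada"}, "u2": {"displayName": "Bo"},
             "u3": {"displayName": "Cy"}, "u4": {"displayName": "Di"}}
PHOTOS = {"u1": b"JPEG-bytes-v1", "u2": b"JPEG-bytes-same"}


def stub_fetch(user_id: str) -> bytes:
    """Constructed stand-in for the Graph photo call."""
    if user_id == "u3":
        raise PhotoNotFound()    # user has no photo
    if user_id == "u4":
        raise PhotoForbidden()   # consent missing for this user
    return PHOTOS[user_id]


def demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str], List[Identity]]:
    """Two passes with both toggles ON, then one with 'User Photos' OFF."""
    ids = [Identity("u1", "?"),
           Identity("u2", "?", photo_sha256=hashlib.sha256(b"JPEG-bytes-same").hexdigest()),
           Identity("u3", "?"), Identity("u4", "?")]
    first = run_sync(ids, DIRECTORY, stub_fetch, photos_enabled=True, sync_photos=True)
    second = run_sync(ids, DIRECTORY, stub_fetch, photos_enabled=True, sync_photos=True)
    off = run_sync(ids, DIRECTORY, stub_fetch, photos_enabled=False, sync_photos=True)
    return first, second, off, ids


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for label, result in zip(("first pass", "second pass", "photos off"), demo()[:3]):
        print(label, result)
```

In the first pass `u1` is stored as `updated`, `u2` (whose stored digest already matches) is `unchanged`, `u3` is reported as having no photo and `u4` as a permission error; the second pass reports `u1` as `unchanged`, and with `User Photos` OFF every user is `skipped` regardless of the toggle. In all three passes the display names are still synced for every user, including `u4`, which is the non-blocking behaviour the page describes. A production integration would also distinguish transient Graph errors (throttling, timeouts) from the permission case so that the troubleshooting log entries point at the right cause.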

## 6: Security and privacy {#6-security-and-privacy}

- Access to photos follows Entra ID permissions and admin consent.
- No photos are pushed to Salto Space.
- Administrators should review privacy requirements before enabling.

## 7: Typical use cases {#7-typical-use-cases}

- Admin portals and dashboards
- Kiosk or terminal identity experiences
- Support teams identifying users

## 8: Troubleshooting {#8-troubleshooting}

### 8.1 No photos appear {#81-no-photos-appear}

Check:

- User Photos = ON
- Sync user photos = ON
- Graph permissions + admin consent
- User actually has a photo
- Automation logs

### 8.2 Only some users have photos {#82-only-some-users-have-photos}

Check:

- Whether the affected users actually have a photo in Entra ID
- Permission restrictions that apply to those users
- User-specific log entries

### 8.3 Photo not updating {#83-photo-not-updating}

Check:

- The sync has run after the photo was changed
- Logs show whether the change was detected or an error occurred

