How to show avatars only to internal users

In our organization we use Omnibus GitLab to store our projects in a central but private place and also use the system to keep track of users and the teams (-> groups) they belong to. We ask everyone to upload an actual picture of their face as their avatar, but some refuse to do so, because it is shown to the public at gitlab.domain/userpage. So I am looking for a way to reserve avatar visibility to internal users only.

In the Avatar API documentation it says

If: … Public visibility is restricted, response will be 403 Forbidden when unauthenticated.

This kind of states that it is possible to restrict public visibility of avatars, if I understand correctly. It just does not say how or where. So how can I do it? Any hints?