Block Download Policy for SharePoint Online and OneDrive


SharePoint Online is one of the greatest collaboration platforms that lets users work on files, folders, and pages. To sweeten the deal, SharePoint Online also allows users to download documents when they need them. In certain cases, however, it is not a good idea for users to be able to download documents, as it may lead to loss of confidential data. Configuring conditional access policies is one method to prevent users from downloading documents from specific sites. This process has been simplified with the new block download policy for SharePoint sites and OneDrive, which is currently in preview. Firstly, let’s examine how to create a CA policy to block SharePoint Online file downloading.


Block File Downloads in SharePoint and OneDrive using Conditional Access Policy

To configure conditional access policies for blocking file downloads, follow the steps given below.

Step 1: Visit Azure Active Directory -> Security -> Conditional Access.
Step 2: Create a new policy by giving the appropriate name. I have named the policy ‘Restrict downloads’.
Step 3: Under ‘Assignments’, choose the users and groups you want to include in the policy.
Step 4: Include ‘Office 365 SharePoint Online’ under ‘Cloud apps or actions’.
Step 5: Select ‘Client apps’ under the ‘Conditions’ section. I have selected ‘browser’ (the specific client to which the policy will be applied). Don’t forget to toggle the ‘Configure’ button to ‘Yes’.
Step 6: Go to ‘Session’ and select ‘Block downloads (preview)’ from the dropdown under ‘Use Conditional Access App Control’. This control works instantly for featured apps and can be self-onboarded for any app.
Step 7: Enable the policy and save it.

Session controls in conditional access policy
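
The same policy can be created in one call with Microsoft Graph PowerShell. This is an added example, not part of the original post: it assumes the Microsoft.Graph module is installed, uses a placeholder group ID, and creates the policy in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original post).
# Assumes the Microsoft.Graph module and an admin allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of the group chosen in Step 3.
$targetGroupId = '<group-object-id>'

# Well-known application ID of 'Office 365 SharePoint Online' (Step 4).
$sharePointAppId = '00000003-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'Restrict downloads'                  # Step 2
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users          = @{ includeGroups = @($targetGroupId) }
        applications   = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes = @('browser')                   # Step 5
    }
    sessionControls = @{
        # Step 6: 'Use Conditional Access App Control' -> 'Block downloads (preview)'
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'blockDownloads'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Step 7: once the report-only results look right, enforce the policy.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```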


User Experience

After this, when a user tries to access SharePoint, it shows the following error.

access monitored message for CA policy

When you pass this step by selecting ‘Continue to Microsoft SharePoint Online’, you are directed to the SharePoint site. There is now an error message displayed as shown below.

Download blocked after policy configuration


Block Download Policy for SharePoint Sites and OneDrive

This feature is included in the new Microsoft Syntex SharePoint Advanced Management license and is currently in preview. Users will only be able to access files through a web browser, without the option to download, print, or sync files. Additionally, users will not be able to access the content through Microsoft desktop apps, considering the danger behind auto-download for desktop apps. A SharePoint administrator or a global administrator can block the download of files from SharePoint and OneDrive in Microsoft 365.


Set Block Download Policy for SharePoint Sites Using PowerShell

To block file downloads using PowerShell, first, install and connect to SharePoint Online PowerShell. Unlike the conditional access policy, this method requires only a single cmdlet to do the job.

Connect to SharePoint Online by giving the credentials.

Connect-SPOService -Url https://yourdomain-admin.sharepoint.com/

Replace “yourdomain” with your organization’s domain.

Use the following cmdlet to block downloads for a particular SharePoint site.

Set-SPOSite -Identity <siteURL> -BlockDownloadPolicy $true

Additionally, you can exempt site owners and groups from the policy by using the following parameters.

Set-SPOSite -Identity <siteURL> -ExcludeBlockDownloadPolicySiteOwners $true

Add this parameter to the above cmdlet to exclude site owners from this policy.

Set-SPOSite -Identity <siteURL> -ExcludedBlockDownloadGroupIds <comma separated group ids>

This parameter can be added to the cmdlet to exclude groups from this policy using group IDs.
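
To apply the policy to several sites and confirm that it took effect, the cmdlets above can be combined as follows. This is an added example, not part of the original post: the site URLs and the empty group list are constructed placeholders, and it assumes Get-SPOSite returns the BlockDownloadPolicy and ExcludeBlockDownloadPolicySiteOwners properties.

```powershell
# Added example (not from the original post). URLs and group IDs are placeholders.
$adminUrl = 'https://yourdomain-admin.sharepoint.com/'
$sites = @(
    'https://yourdomain.sharepoint.com/sites/Finance',
    'https://yourdomain.sharepoint.com/sites/Legal'
)
$excludedGroupIds = @()   # optional: group IDs to exempt from the policy

Connect-SPOService -Url $adminUrl

$results = foreach ($url in $sites) {
    try {
        $params = @{
            Identity                             = $url
            BlockDownloadPolicy                  = $true
            ExcludeBlockDownloadPolicySiteOwners = $false   # keep owners in scope
            ErrorAction                          = 'Stop'
        }
        if ($excludedGroupIds.Count -gt 0) {
            $params.ExcludedBlockDownloadGroupIds = $excludedGroupIds
        }
        Set-SPOSite @params

        # Read the setting back instead of trusting a silent success.
        # Assumption: these properties are present on the returned site object.
        $site = Get-SPOSite -Identity $url
        [pscustomobject]@{
            Url                 = $url
            BlockDownloadPolicy = $site.BlockDownloadPolicy
            OwnersExempt        = $site.ExcludeBlockDownloadPolicySiteOwners
            Error               = $null
        }
    }
    catch {
        # Record the failure so one bad URL does not hide the rest of the run.
        [pscustomobject]@{
            Url                 = $url
            BlockDownloadPolicy = $null
            OwnersExempt        = $null
            Error               = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
```

Any row with BlockDownloadPolicy other than True, or with a non-empty Error, is a site where downloads are still allowed.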

Additionally, you can audit file downloads in SharePoint Online using this prebuilt PowerShell script.


User Experience

Unlike the conditional access policy, this policy removes the ‘Download’ option and displays a message on the site saying ‘Your organization’s security policy doesn’t allow you to download, print, or sync from this site. For help, contact your IT department.’

Before Applying the Policy:

before applying the block download policy for SharePoint


After Applying the Policy:

message on sites after applying block download policy for SharePoint

after applying the block download policy for SharePoint


Points to Remember

In addition, to enhance security in Microsoft 365 for external users, block any settings they don’t absolutely need. Simplify their access to only essential features to reduce risks.

I hope this blog post will provide you with a better understanding of how to prevent downloads from SharePoint and OneDrive. Also, consider creating SPO alerts to track site content changes and secure your sensitive content. Feel free to reach us in the comments for any assistance.


by Aima time to read: 3 min