SharePoint Online is one of the greatest collaboration platforms that lets users work on files, folders, and pages. To sweeten the deal, SharePoint Online also allows users to download the documents in times of need. In certain cases, however, it is not a good idea for users to be able to download documents as it may lead to confidential data loss. Configuring conditional access policies is one method to prevent users downloading documents from specific sites. This process has been simplified with the new block download policy for SharePoint sites and OneDrive, which is currently in preview. Firstly, let’s examine how to create a CA policy to block SharePoint Online file downloading.
To configure conditional access policies for blocking file downloads, follow the steps given below.
Step 1: Visit Azure Active Directory -> Security -> Conditional Access.
Step 2: Create a new policy by giving the appropriate name. I have named the policy ‘Restrict downloads’.
Step 3: Under ‘Assignments’, choose the users and groups you want to include in the policy.
Step 4: Include ‘Office 365 SharePoint Online’ under ‘Clouds apps or actions’.
Step 5: Select ‘Client apps’ under ‘Condition’ section. I have selected ‘browser’ (specific client on which the policy will get applied). Don’t forget to toggle the ‘Configure’ button to ‘Yes’.
Step 6: Go to ‘Session’ and select ‘Block downloads (preview)’ from the dropdown under ‘Use Conditional Access App Control’. This control works instantly for featured apps and can be self-onboarded for any app.
Step 7: Enable the policy and save it.
After this, when a user tries to access SharePoint, it shows the following error.
When you pass this step by giving ‘Continue to Microsoft SharePoint Online’, you are directed to the SharePoint site. There is now an error message displayed as shown below.
This feature is included in the new Microsoft Syntex SharePoint Advanced Management license and is currently in preview. Users will only be able to access files through a web browser, without the option to download, print, or sync files. Additionally, users will not be able to access the content through Microsoft desktop apps, considering the danger behind auto-download for desktop apps. A SharePoint administrator or a global administrator can block the download of files from SharePoint and OneDrive in Microsoft 365.
To block file downloads using PowerShell, first, install and connect to SharePoint Online PowerShell. Unlike the conditional access policy, this method requires only a single cmdlet to do the job.
Connect to SharePoint Online by giving the credentials.
Connect-SPOService –Url https://yourdomain-admin.sharepoint.com/
Replace “yourdomain” with your organization’s domain.
Use the following cmdlet to block downloads for a particular SharePoint site.
Set-SPOSite -Identity <siteURL> -BlockDownloadPolicy $true
Additionally, you can exempt site owners and groups from the policy by using the following cmdlet.
Set-SPOSite -Identity <siteURL> -ExcludeBlockDownloadPolicySiteOwners $true
Add this to the above cmdlet to exclude site owners from this policy.
Set-SPOSite -Identity <siteURL> -ExcludedBlockDownloadGroupIds <comma separated group ids>
This can be added to the cmdlet to exclude groups from this policy using group ids.
Unlike applying conditional access policies, the effect of this policy takes off the ‘Download’ option and displays a message on the site saying “Your organization’s security policy doesn’t allow you to download, print, or sync from this site. For help, contact your IT department”
- This policy can be set only for individual sites and cannot be set at the organizational level.
- You can also block the download of Teams meeting recording files specifically from SharePoint or OneDrive.
I hope this blog post will provide you with a better understanding of how to prevent downloads from SharePoint and OneDrive. Also, consider creating SPO alerts to track site content changes and secure your sensitive content. Feel free to reach us in the comments for any assistance.