3 ways to block download of documents in SharePoint and OneDrive

As I help my clients transition to SharePoint, OneDrive, and Teams, one of the recurring requests after we set up security and permissions for the sites is usually a request to prevent the ability to download documents in SharePoint and OneDrive. Historically, this was not an easy thing to do in SharePoint. However, with the recent changes and developments in SharePoint and Microsoft 365 eco-system, we now have a few ways to achieve this. So, in this article, I list all the available options and clarify the pros and cons for each.

Option 1: Custom Permission Level

We have had this option for quite some time since we have SharePoint on-premises. It allows for a “cheap” way to prevent file downloads. The idea is that you create a custom permission level with the SharePoint Site that would prevent the download. I provided step-by-step instructions on how to achieve this here.

Pros

• Can be configured by Site Owners themselves
• It does not cost extra (compared to the options below)

Cons

• Requires to deviate from the SharePoint default permission levels
• Requires manual configuration on every site where you want to prevent download
• It does not work for users with an Edit Permission level or above

Option 2: Block Download Policy via PowerShell

This is by far my favorite option. With a simple PowerShell command, you can prevent the download option on any SharePoint site. The only downside is that it requires the organization to enroll in the Advanced Management add-on, which costs extra money. Please find the instructions on how to execute the Block Download Policy via PowerShell here.

Pros

• Relatively simple to implement
• It does not require to deviate from the default permission levels (Read, Edit, Full Control)
• Works for all users on a site, regardless of their role and permissions (Visitors, Members, Owners)

Cons

• Costs extra money
• Requires the command to be run for every site where you want to prevent download of content
• Requires IT assistance (implemented via PowerShell)

Option 3: Conditional Access in Microsoft Entra ID

The third way to block the download of content from SharePoint and OneDrive would be via Conditional Access your IT would set up within Microsoft Entra ID. This is the most sophisticated option, allowing for various settings and configurations. IT can configure this policy based on the group and roles users have, as well as many other conditions (network or device they are using). I explained how to set up Conditional Access in Microsoft Entra ID here.

Pros

• The most configurable option
• Allows the creation of a policy based on a variety of conditions (i.e., network or device used by the user)
• It can be applied to multiple users at once
• The policy can be applied to other apps within Microsoft 365 (not just SharePoint or OneDrive)

Cons

• Requires IT to set this up in Microsoft Entra ID
• You cannot exclude or specify certain sites