
How to block the download of documents in SharePoint and OneDrive via Conditional Access

Posted on June 19, 2024
Microsoft 365

As data integrity and privacy become priorities in the corporate world, companies are implementing various mechanisms to prevent data loss and protect their intellectual property. One such mechanism is the ability to block the download of content to the user’s computer. I have previously published a few posts on this topic. However, the methods outlined there were limited in terms of scalability. The option I would like to describe today allows you to block the download of documents across the entire tenant (all SharePoint sites and OneDrive). Let me explain.

Conditional Access Policies in Microsoft Entra ID

The feature that would allow us to block the download of documents in SharePoint and OneDrive is called Conditional Access Policies. It is a pretty extensive toolset that enables IT administrators to either grant or block specific actions based on various conditions. For example, if you are trying to log in to Microsoft 365 applications from an unapproved device or from an unprotected Wi-Fi network, you will not be able to do so. One such policy you can set up in Microsoft Entra ID is the ability to prevent the download of content from SharePoint and OneDrive. Let me explain how to set it up.

Set up a Conditional Access Policy to block download

  1. Click Microsoft 365 App Launcher > Admin.
  2. Under Admin centers, choose Identity.
  3. Once inside Microsoft Entra ID, click on Conditional Access under Protection.
  4. On the Conditional Access page, click on Create new policy.
  5. Give your policy a name, then click on Users so you can assign the policy to specific users.
  6. You can apply the policy to users or groups of users. In my case, I assign the policy to one individual, John.
  7. Next, click on Target resources. This is where you select the applications to which you want to apply this policy.
  8. You can assign the policy to various Microsoft 365 apps; in my case, I want to apply it to SharePoint/OneDrive. Make sure to type Office into the search field, as the official name of SharePoint is Office 365 SharePoint Online within the selector pane. Click Select at the bottom of the page.
  9. Next, click on the Session tab, then check the box next to Use Conditional Access App Control. Within the dropdown, choose the Block downloads option. Then click Select at the bottom of the page.
  10. Finally, set the toggle at the bottom to On and click Create to create the policy.
  11. Once enabled, you will see the policy appear in the list.
  12. It might take several hours for the policy to take effect.
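
To confirm that the policy built in the steps above is actually enforcing, the sketch below audits policy objects in the shape Microsoft Graph returns for Conditional Access policies. It is an added example, not part of the original post; the sample policies, their names, and the `<john-object-id>` placeholder are constructed, and the helper names are hypothetical.

```python
# Added example: audit Conditional Access policies, as returned by Microsoft Graph
# (GET /identity/conditionalAccess/policies), for an enforced Block downloads control.
SHAREPOINT_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online
# includeApplications values that cover SharePoint: the app itself, the Office 365 suite, or all apps
COVERS_SHAREPOINT = {SHAREPOINT_APP_ID, "Office365", "All"}

def audit_policy(policy):
    """Return the reasons this policy does NOT block SharePoint/OneDrive downloads."""
    problems = []
    state = policy.get("state")
    if state != "enabled":  # report-only and disabled policies enforce nothing
        problems.append(f"state is {state!r}, not 'enabled'")
    apps = (policy.get("conditions") or {}).get("applications") or {}
    if not COVERS_SHAREPOINT & set(apps.get("includeApplications") or []):
        problems.append("SharePoint Online is not a target resource")
    if SHAREPOINT_APP_ID in (apps.get("excludeApplications") or []):
        problems.append("SharePoint Online is excluded")
    control = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not control.get("isEnabled"):
        problems.append("Conditional Access App Control is not enabled")
    elif control.get("cloudAppSecurityType") != "blockDownloads":
        problems.append(f"App Control mode is {control.get('cloudAppSecurityType')!r}")
    return problems

def enforcing_policies(policies):
    """Names of policies that pass every check above."""
    return [p["displayName"] for p in policies if not audit_policy(p)]

def _policy(name, state, include, mode, exclude=()):
    """Build a constructed sample policy in the Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["<john-object-id>"]},
                           "applications": {"includeApplications": list(include),
                                            "excludeApplications": list(exclude)}},
            "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                                     "cloudAppSecurityType": mode}}}

SAMPLE = [  # constructed sample data, not real tenant output
    _policy("Block SPO downloads", "enabled", [SHAREPOINT_APP_ID], "blockDownloads"),
    _policy("Report-only copy", "enabledForReportingButNotEnforced", [SHAREPOINT_APP_ID], "blockDownloads"),
    _policy("Monitor only", "enabled", ["Office365"], "monitorOnly"),
    _policy("All apps minus SPO", "enabled", ["All"], "blockDownloads", [SHAREPOINT_APP_ID]),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["displayName"], "->", audit_policy(p) or "enforces Block downloads")
```

A policy left in report-only state or set to monitor only will appear in the policy list just like an enforcing one, which is why the check looks at `state` and `cloudAppSecurityType` rather than the policy's presence.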

Experience for the users

Once the Conditional Access policy takes effect, this will be the user’s experience.

  1. When users try to log in to a SharePoint Site, they get the following warning message: Access to Microsoft SharePoint Online is monitored.
  2. Once on a site, the user tries to download a file or a folder.
  3. The user immediately gets the screen below.
  4. The user will also get a separate Download blocked message in a separate window.
  5. The user will also get similar messages when printing or syncing the documents from SharePoint and OneDrive.

About Me

I’m Greg Zelfond, a U.S. based SharePoint consultant, and I provide affordable out-of-the-box SharePoint consulting, training, and configuration assistance to small and medium-sized businesses all over the world.
