How to prevent file download in SharePoint by creating a Custom Permission Level

Posted on May 13, 2024
SharePoint

As I work with clients and help them migrate to SharePoint, OneDrive, and Teams, one of the frequent requests after we set up security and permissions for the sites is usually a request to prevent the ability to download documents in SharePoint. There are several ways to achieve this in SharePoint. However, most require such capability to be set up at the global/admin level. The technique I would like to describe today can be implemented by SharePoint Site Owners themselves.

SharePoint Permissions out of the box

Before I explain the mechanism behind this option, I think it first makes sense to explain the default permissions. As documented previously, we have 3 main Permission Levels in SharePoint.

  • Site Visitors (Read and Download)
  • Site Members (Add/Edit/Delete)
  • Site Owners (Full Control)

Example of Mary being part of the Site Visitors Group


Mary can download files as well

So as we can see, users can download the documents from SharePoint even with the minimum Permission Level (Site Visitors).

Step 1: Create a Custom Permission Level that prohibits file download

We would need to create a custom permission level to get around the default permission setting. We will use the same steps and technique I outlined previously, when I demonstrated how to create a custom permission level to prevent file deletions. Here are the steps to achieve this.

  1. Click the Gear Icon > Site Permissions.
  2. Click on Advanced permissions settings.
  3. Click on Permission Levels.
  4. You will see that people with the Read permission level can view and download, which we are trying to prevent.
  5. While we can create a Permission Level from scratch by clicking the Add a Permission Level button, it would be far easier to make a few changes to the existing Read Permission Level instead. So click Read in the list of permission levels. Next, click the Copy Permission Level button at the bottom of the page.
  6. Next, give the new Permission Level a name and then uncheck the checkbox next to Open Items.
  7. Click Create at the bottom of the page.
  8. You will now see the custom permission level created.

Step 2: Assign a Custom Permission Level to the user(s)

Once the Custom Permission Level has been created, you must assign it to the users. We cannot use the modern interface to do so, as it only allows adding users to the three default permission levels. So, we have to do so from within the classic page.

  1. Click on the Grant Permissions button.
  2. Type in the User’s Name and choose the custom permission level from the drop-down. Then click the Share button.
  3. You will now see that the user has been assigned a custom permission level.
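
Steps 1 and 2 scripted, as an added example that is not part of the original article. It assumes the PnP.PowerShell module; the site URL, app registration ID, user and permission level name are placeholders. The final loop lists every principal whose permission level still includes Open Items, because SharePoint permissions are cumulative.

```powershell
# Added example (not from the article). Requires the PnP.PowerShell module.
# All four values below are placeholders constructed for illustration.
$SiteUrl  = 'https://contoso.sharepoint.com/sites/Projects'
$ClientId = '00000000-0000-0000-0000-000000000000'  # your Entra ID app registration
$UserUpn  = 'mary@contoso.com'
$RoleName = 'Read - No Download'

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# Step 1: copy the Read permission level and drop Open Items from the copy.
# Skipped when a level with this name already exists, so the script can be re-run.
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $RoleName)) {
    Add-PnPRoleDefinition -RoleName $RoleName -Clone 'Read' -Exclude OpenItems `
        -Description 'Copy of Read without Open Items' | Out-Null
}

# Step 2: grant the custom permission level directly to the user.
Set-PnPWebPermission -User $UserUpn -AddRole $RoleName

# Check: list every principal on the site whose permission level still
# includes Open Items. Any group in this list that the user belongs to
# continues to give that user the Download option.
$web = Get-PnPWeb -Includes RoleAssignments
$stillCanOpen = foreach ($ra in $web.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    foreach ($rd in $ra.RoleDefinitionBindings) {
        # PowerShell converts the string to the CSOM PermissionKind enum value.
        if ($rd.BasePermissions.Has('OpenItems')) {
            [pscustomobject]@{
                Principal = $ra.Member.Title
                Type      = $ra.Member.PrincipalType
                Role      = $rd.Name
            }
        }
    }
}
$stillCanOpen | Sort-Object Principal, Role | Format-Table -AutoSize
```

If the user is also a member of a group that appears in the output, such as Site Visitors, remove them from that group for the restriction to take effect.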

Experience for the Users

Once the user has been assigned the custom permission level, they will no longer see the Download option in the file menu.

Likewise, the Sync button at the library level will disappear as well.

About Me

I’m Greg Zelfond, a U.S. based SharePoint consultant, and I provide affordable out-of-the-box SharePoint consulting, training, and configuration assistance to small and medium-sized businesses all over the world.