Sometimes files just need to have extra protection. Maybe there are legal reasons, or compliance reasons, or perhaps just a bit of paranoia. The result is the same: A call from above that files on a particular SharePoint site or OneDrive account should block downloads.
Luckily, there’s a great option that makes this incredibly easy. There’s a block downloads policy available in SharePoint Advanced Management that prevents not only downloads, but also other “tricks” for getting content onto the browser or computer accessing it. Enabling it takes a few PowerShell commands, so as long as you’re a little comfortable with PowerShell, you’ll be able to turn this feature on.
What is SharePoint Advanced Management
SharePoint Advanced Management is a feature set within SharePoint Premium that offers a range of AI-driven capabilities designed to enhance governance, data processing, and content creation. This feature set doesn’t involve Copilot but provides powerful tools for managing and controlling various aspects of SharePoint sites. It also happens to be included with all Microsoft 365 Copilot licenses starting in January 2024. Previously, it required a separate license.
In addition to the block download policy, SharePoint Advanced Management includes various other governance features. These features help administrators manage site lifecycle, apply retention labels, and control access to content. While this is technically not a free feature, Microsoft’s latest announcement during Microsoft Ignite makes this very relevant and important to all organizations using or planning to implement Copilot for Microsoft 365. It offers a comprehensive set of tools for organizations looking to enhance their SharePoint governance and data protection.
Enable The Block Download Policy
Once you’ve got SharePoint Advanced Management available, either through the separate license or through M365 Copilot licensing, open PowerShell and…
Enabling the policy
1. Connect to SharePoint
Using the SharePoint Online Management Shell, connect to your tenant’s admin site (<tenantname>-admin.sharepoint.com):
Connect-SPOService https://contoso-admin.sharepoint.com
2. Enable the policy
To apply this to a SharePoint Site, use:
Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true
Alternatively, to apply this to a OneDrive site:
Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John -BlockDownloadPolicy $true
Advanced Scenarios
What if you want certain users to still be able to download files? There are a few parameters you can add to the Set-SPOSite command to allow scenarios like this:
-ExcludeBlockDownloadPolicySiteOwners $true
The above parameter still allows site owners to download files.
-ExcludedBlockDownloadGroupIds <comma separated group IDs>
The above parameter lets you specify group IDs (security groups or M365 groups) that should be excluded from this policy.
-ExcludeBlockDownloadSharePointGroups <comma separated group names>
Still using SharePoint groups? No problem. The above parameter lets you specify SP groups that should still be able to download.
-ReadOnlyForBlockDownloadPolicy $true
Want the nuclear option? This parameter not only blocks downloads, but it also makes the site read-only.
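The steps above combined into one script that applies the policy to several sites with a group exemption and then reads each site back to confirm the setting took effect. This is an added example, not code from the original article or from Microsoft. The legal-hold site URL is hypothetical, the group ID is a placeholder, and the script assumes that Get-SPOSite returns properties with the same names as the Set-SPOSite parameters.

```powershell
# Added example. Replace the constructed values below with your own.
$adminUrl = 'https://contoso-admin.sharepoint.com'
$siteUrls = @(
    'https://contoso.sharepoint.com/sites/legal-hold',   # hypothetical SharePoint site
    'https://contoso-my.sharepoint.com/personal/John'    # OneDrive URL used in the article
)
# Placeholder ID of a security or M365 group that may still download.
$exemptGroupIds = @('00000000-0000-0000-0000-000000000000')

Connect-SPOService -Url $adminUrl

# Parameters shared by every Set-SPOSite call (splatted below).
$policy = @{
    BlockDownloadPolicy           = $true
    ExcludedBlockDownloadGroupIds = $exemptGroupIds
    ErrorAction                   = 'Stop'
}

$results = foreach ($url in $siteUrls) {
    try {
        Set-SPOSite -Identity $url @policy

        # Read the site back instead of trusting that the call succeeded.
        # Assumption: the returned object exposes these property names.
        $site = Get-SPOSite -Identity $url -ErrorAction Stop
        [pscustomobject]@{
            Url                 = $url
            BlockDownloadPolicy = $site.BlockDownloadPolicy
            ExemptGroupIds      = ($site.ExcludedBlockDownloadGroupIds -join ',')
            Error               = $null
        }
    }
    catch {
        # Typical causes: wrong URL, missing license, insufficient admin rights.
        [pscustomobject]@{
            Url                 = $url
            BlockDownloadPolicy = $null
            ExemptGroupIds      = $null
            Error               = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize -Wrap

# Sites where the policy is not confirmed as enabled need follow-up.
$unprotected = @($results | Where-Object { $_.BlockDownloadPolicy -ne $true })
if ($unprotected.Count -gt 0) {
    Write-Warning "$($unprotected.Count) site(s) do not report BlockDownloadPolicy = True."
}
```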
Warnings for the block download policy
One other thing to note is that Microsoft states that some Office applications may have issues accessing the content (since they always want to be in Edit mode). I recommend testing this out on a test site where you can observe the impacts within your applications and decide from there whether this is appropriate for your organization.
Personally, I see a lot of scenarios where this is fantastic and doesn’t involve creating custom SharePoint permission levels across all SharePoint sites. It’s an easy option to “set and forget”. Try it out if you’ve got SharePoint Advanced Management available and see for yourself!
More Information
For more information on this feature, check the official documentation here.