Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
As a SharePoint Administrator in Microsoft 365, you can use the PowerShell (Set-SPOSite) to block the download of files from SharePoint sites or OneDrive. This feature allows you to control access without using Microsoft Entra Conditional Access policies. You can set this feature for individual sites, but not at the organization level.
When you deploy a policy to block downloads from SharePoint sites or OneDrive, it also prevents users from moving files to other SharePoint sites. File moves are also blocked through other means, such as by using Power Automate or Quick Steps.
Blocking file downloads allows users to remain productive while reducing the risk of accidental data loss. Users have browser-only access with no ability to download, print, or sync files. They also can't access content through apps, including the Microsoft 365 Apps (like Word, Excel, PowerPoint, and so on). When web access is limited, users see this message at the top of sites, "Your organization doesn't allow you to download, print, or sync from this site. For help, contact your It department."
You can also block the download of Microsoft Teams meeting recording files. See Block the download of Teams meeting recording files from SharePoint or OneDrive.
Before you begin
Make sure your organization meets the SharePoint Advanced Management prerequisites, including requirements for SharePoint Online PowerShell module.
Use PowerShell to set a block downloads policy
In PowerShell, run the following command:
Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true
Here's an example showing a site URL:
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/research -BlockDownloadPolicy $true
To apply this command to OneDrive, change the URL, as shown in the following example:
Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John -BlockDownloadPolicy $true
You can use certain parameters with this command, as shown in the following examples:
Example 1: Exclude site owners from the policy so they can download content from the site
Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -ExcludeBlockDownloadPolicySiteOwners $true
Example 2: Exclude users in specific groups using group IDs so they can download content from the site
Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -ExcludedBlockDownloadGroupIds <comma separated group IDs>
Example 3: Exclude users in specific groups by group name so they can download content from the site
Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -ExcludeBlockDownloadSharePointGroups <comma separated group names>
Example 4: Mark a site as read-only in addition to preventing downloads from the site
Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -ReadOnlyForBlockDownloadPolicy $true`
Example 5: Attach the block download policy to a site sensitivity label
Set-Label -Identity 'Internal' -AdvancedSettings @{BlockDownloadPolicy="true" | "false" }
Understand how blocking downloads can affect apps
Blocking download might affect the user experience in some apps, including some Office apps. We recommend that you turn on the policy for some users and test the experience with the apps used in your organization. In Office, make sure to check the behavior in Power Apps and Power Automate when your policy is on.
Note
Apps that run in "app-only" mode in the service, like antivirus apps and search crawlers, are exempted from the policy.
If you're using classic SharePoint site templates, site images might not render correctly. This issue can occur because the policy prevents the original image files from being downloaded to the browser.
Need more help?
Related article
Configure a default sensitivity label for a SharePoint document library