The new SharePoint Online block download policy is a key feature of the Syntex Advanced Management license. It prohibits users from downloading files from a SharePoint site or OneDrive for Business account. The feature is primarily intended to protect highly confidential sites by requiring users to work with the files on-site using browsers. It's noteworthy that even Office desktop apps are not permissible under this system, since they would still necessitate the download of temporary files on local drives.
You can learn more about this feature here.
The application of this download prevention measure was tested on a newly created team named Project Aurora. The site owned by this team had the block download policy applied with an exclusion for site owners, illuminating that although site members are barred from downloading files from its document libraries, site owners are exempt.
Site owners also have potential to grant exceptions to groups via the ExcludedBlockDownloadGroupIds parameter, although this setup might not be recommended due to potential issues with SharePoint group-connected sites.
When the block download policy was subsequently applied, the site flagged the restrictions in place, while simultaneously removing the options for file downloads. It's worth mentioning that while the download alternative is absent with this policy, Teams Files channel tab doesn't informatively display any banner about the restrictions.
The effects extend to applications like Power Apps and Power Automate, which may be affected by the download block. Conditional access policies can replace the download block, as they provide equivalent protection. Nevertheless, organizations might find simpler, site-level blocks a more manageable and targeted approach.
The author presents a practical example of how block download policies can be broadly applied, assuming a stringent sensitivity label across all sites. A script is shared for applying the policy to all sites assigned the Confidential Access sensitivity label. The script moves through each site, checking the sensitivity label before applying the policy if a match is found.
An important reminder from the author is about the obligatory possession of a Syntex Advanced Management License for every member of a site using the block download policy. This condition seems relatively manageable as this restriction is likely to be applied to a select number of sites.
SharePoint Online's block download policy is a feature designed to enhance data protection. It restricts user access to private files, permitting only in-browser access. Although the feature is currently in the preview stage, it has been tested on newly created teams, reaffirming its primary objective. With conditional access policies being a popular alternative, some might argue that simple, site-level download blocking presents a more viable and manageable route.Read the full article SharePoint Online’s New Block Download Policy
The latest implementation within SharePoint Online addresses increased security demands. It has introduced a new policy, known as the 'Block Download Policy'. This advanced feature is provided under the license of Syntex Management and can be managed through PowerShell.
To protect sensitive and confidential data stored within the SharePoint site, or on a OneDrive for Business account, the new feature aims to prevent downloads of files. The users are forced to work with the documents directly on the site through browsers. This feature is even more secure as the use of Office desktop apps isn't possible, as they require a temporary copy of the files for local operation.
This game-changing tool is currently in testing and can be enabled for a site by using the Set-SPOSite cmdlet from the up-to-date version of the SharePoint Management PowerShell module.
This block-download feature was tested with the creation of a new team, Project Aurora. After configuring the site, certain commands were run to find all sites, choose the URL for Project Aurora's site, and use it to set up block download protocols, with exclusion for site owners. This means regular site members cannot download files from libraries, but site owners have that privilege.
The preview guide suggests that site owners could grant exclusions to groups through the ExcludedBlockDownloadGroupIds parameter. However, issues might arise as Microsoft has always advised users to avoid updating the membership of group-connected sites via SharePoint. Additionally, including a Microsoft 365 group to a site membership leads to the unsupported condition of nested Microsoft 365 groups. So, it's safer to solely concentrate on site-owner exclusions.
Post the populate command, logging in with a member account flagged restrictions in place and removed download options. The Teams Files channel tab followed suit but didn't display a banner informing users about the restrictions. The tab removed the option to use an Office desktop app to open a document.
It's noted that before implementing a restrictive download policy, users must ensure potential effects are checked on other applications, including Power Apps and Power Automate.
Similar to using a conditional access policy to limit access when users try to access SharePoint content from an unmanaged device, these file download restrictions secure your data more strictly. Plus, you don't need conditional access policies for this level of protection anymore. Although these policies are efficient in managing user interaction after they connect to Microsoft 365, organizations end up grappling with assorted policies. Hence, replacing conditional access policy with a simple download block at the site level is a sensible move for those seeking better control on which sites can block file downloads.
For instance, assuming you wanted to halt downloads for all sites marked with the strictest sensitivity label - say, "Confidential Access"- you need the label identifier (GUID), which allows Microsoft 365 to connect with sensitivity labels.
In this particular event, a script is used to apply the block download policy to all sites using the "Confidential Access" sensitivity label. The process begins with ascertaining the sites connected with Microsoft 365 groups. The Get-SPOSite cmdlet does not provide all site properties when multiple sites are processed. So, we need to scan each site to check the sensitivity label and enforce the policy when a corresponding label is found.
It's crucial that all members of a site using a block download policy to enforce download restrictions to site owners or groups have a Syntex Advanced Management license. But given that such restrictions will likely apply to a few sites, this shouldn’t be a big issue.
The constant shift in the world of Microsoft 365 and Office 365 must be monitored, analyzed, and documented thoroughly. The unique features in SharePoint not only pique our interests but also lead us to understand that we can anticipate more innovative solutions in the future, transforming the way enterprises secure their data.
SharePoint Online, Block Download Policy, New SharePoint Features, SharePoint Updates, SharePoint Security, Prevent Download in SharePoint, Secure SharePoint Online, SharePoint Online Policy, SharePoint File Control, Enhancements in SharePoint Online.