Recently, one of my clients asked me Is there a way to restrict the download option in SharePoint and OneDrive? They wanted users to view files online, but not be able to download them to their local device.
After doing some research and testing, I found that there are actually 4 different ways you can block or restrict downloads in SharePoint and OneDrive.
In this tutorial, I’ll show you how to restrict the download of documents:
- Share a File With Block Download Option in SharePoint and OneDrive
- Create a Custom Permission Level in SharePoint Online to Restrict Downloads
- Apply a Block Download Policy in SharePoint Online using PowerShell
- Configure Conditional Access in Microsoft Entra ID for SharePoint and OneDrive
Share a File With a Block Download Option in SharePoint
Follow these steps to share a file in SharePoint with the Block Download option enabled:
- Open your SharePoint site. Navigate to the document library where your file is stored. Select the file you want to share.
- In the sharing pop-up, select the People you choose. Make sure you set it to Can’t download access. Then, click Send.
- Then the user will receive an email with a document like:
- The recipient will only be able to view the file in the browser, but can’t download it.
Note: The Block download option only works with email links. If you grant Edit permission, the Block Download setting will be unavailable.
Create a Custom Permission Level in SharePoint Online to Restrict Downloads
Another way to restrict downloads in SharePoint is by creating a Custom Permission Level. This allows users to view documents in the browser but removes the option to download.
To do this, follow the steps below:
- Go to your SharePoint Online site. Click on the Settings gear icon (top right). Select Site permissions -> Advanced permissions settings.
- In the ribbon, click Permission Levels. You will see existing permission levels like Read, Contribute, and Edit.
- Click on the Read permission label. Next, click the Copy Permission Level button at the bottom of the page.
- Then provide below:
- Give it a name, for example: Restricted View – No Download.
- Add a short description like: Users can view pages and documents, but cannot download.
- Uncheck the checkbox next to Open Items.
- Then, click the create button.
- Go back to your Document Library settings. Under Permissions for this document library, select ‘Stop inheriting permissions’ from the parent site.
- Click on the Grant Permissions button. Type in the User’s Name and choose the custom permission level from the drop-down. Then click the Share Button.
- You will now see that the user has been assigned a custom permission level.
Users with this custom permission level will be able to open and view documents online, but will not see the Download options.
Note:
- This method works best when applied to specific libraries or folders that contain sensitive documents.
- If a user has higher-level permissions elsewhere (like Edit at the site level), they may still be able to download.
- Always test your new permission level with a test user before applying it to a larger audience.
Apply a Block Download Policy in SharePoint Online using PowerShell
For large organizations, applying Block Download policies at scale using PowerShell is the most efficient approach. This method allows SharePoint administrators to configure restricted access policies across sites, document libraries, or even for all users.
To apply a Block Download policy in SharePoint Online using PowerShell, your tenant must have the Microsoft 365 Advanced Management Add-on. IF you do not have a license, the PowerShell command alone will not block downloads.
Follow these steps:
- If you don’t already have it, download and install the SharePoint Online Management Shell from Microsoft’s official site.
- Connect to your SharePoint Online admin center. Run the following command:
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com- Replace your tenant with your actual SharePoint tenant name.
- Sign in with your SharePoint Administrator account.
- Apply the Block Download Policy. Use one of the following commands:
Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/SiteName -ConditionalAccessPolicy BlockAccess
When the command runs correctly, users accessing SharePoint/OneDrive from unmanaged or non-compliant devices will only be able to view files in the browser. The Download, Print, and Sync options will be blocked.
Important Notes: This option requires enrollment in the Microsoft 365 Advanced Management Add-on.
Configure Conditional Access in Microsoft Entra ID for SharePoint and OneDrive
This method provides a centralized and scalable way for users to view files in the browser without the need to download, print, or sync them. It’s ideal for organizations seeking robust data protection across their Microsoft 365 (M365) estate.
Now follow the steps below:
- Go to Admin centers -> Identity.
- This will open the Microsoft Entra admin center. In the left-hand menu, click on Risk-based Conditional Access under ID Protection. Then, click + New policy.
- Give your policy a name, then click on Users so you can assign the policy to specific users.
- Here you can choose to apply the policy to:
- None
- All users
- Selected users and groups
- For my scenario, I assigned the policy to a single user, Patti Fernandez. You can also apply it to a group of users or external/guest users, depending on your specific needs.
- In the policy, click on Target resources. Choose Select resources. In the search box, type Office. From the results, check the box for Office 365 SharePoint Online (this also includes OneDrive for Business). Once selected, click the Select button to confirm.
- In the policy, click on the Session. Check the box for Use Conditional Access App Control. From the dropdown menu, choose Block downloads. Scroll down and click the Select button at the bottom of the page to save your settings.
- Scroll to the bottom of the page and switch the Enable policy toggle to On. Finally, click the Create button.
- Once enabled, a policy will appear in the list.
Your Conditional Access policy is now active. Once it takes effect (which may take a few hours), users assigned to the policy will only be able to view files in the browser; the Download, Print, and Sync options will be disabled.
After Applied Policy User Experience
Once the Conditional Access policy is in place, here’s what the users will experience:
- When a user tries to access a SharePoint site, they will see a banner message at the top of the screen: “Access to Microsoft SharePoint Online is monitored.”
- After logging in, if the user tries to download a file or a folder.
- The user immediately gets the following screen:
- The user will also receive a separate ‘Download blocked’ message in a separate window.
Restricting downloads in SharePoint and OneDrive is an essential step for organizations that need to safeguard sensitive information. Depending on your requirements, you can use sharing options, custom permission levels, PowerShell policies, or Conditional Access in Microsoft Entra ID. Each method has its strengths, ranging from quick file-level restrictions to tenant-wide controls.
Additionally, you may find the following interesting tutorials:
- Create Sensitivity Labels in Microsoft 365
- Import Terms into the Term Store in SharePoint
- Enable Sensitivity Labels On PDF Using PowerShell
- Add Synonyms to SharePoint Term Store Metadata Terms
- Create SPFx Dynamic Accordion Webpart Using PnP Controls React
- Create a Choice Column With Fill-in Options in SharePoint Document Library
Hey! I’m Bijay Kumar, founder of SPGuides.com and a Microsoft Business Applications MVP (Power Automate, Power Apps). I launched this site in 2020 because I truly enjoy working with SharePoint, Power Platform, and SharePoint Framework (SPFx), and wanted to share that passion through step-by-step tutorials, guides, and training videos. My mission is to help you learn these technologies so you can utilize SharePoint, enhance productivity, and potentially build business solutions along the way.
