Restricting File Downloads in SharePoint via Conditional Access
Introduction
As I introduced in a previous article, one way to restrict downloads from SharePoint sites is to use Conditional Access.
In this article, I will explain this method in more detail.
Conditional Access
From the SharePoint admin portal, you can configure settings to block downloads on unmanaged devices. Since this setting is saved as an Azure AD Conditional Access policy, it is customizable. Alternatively, you can configure and set up a new Conditional Access policy from scratch. There are two key points:
- Assignments - Under Cloud apps or actions, select Office 365 SharePoint Online (the application ID is 00000003-0000-0ff1-ce00-000000000000)
- Access controls - Under Session, check Use app-enforced restrictions (this delegates access control to SharePoint Online)
Access Control
After delegating access control to SharePoint Online via a Conditional Access policy, you configure the site collection to block downloads. There are currently two ways to do this.
Site Collection Properties
There is a property called ConditionalAccessPolicy for site collections. It can be modified using the Set-SPOSite cmdlet in the SharePoint Online Management Shell. The value to restrict downloads is AllowLimitedAccess.
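As an added example (not code from the original article), the following PowerShell script audits a list of site collections for the ConditionalAccessPolicy value and applies AllowLimitedAccess only when run with -Apply; the admin URL and site URLs are placeholders to replace with your tenant's values.

```powershell
# Added example, not from the original article: audit site collections for the
# ConditionalAccessPolicy property and optionally set it to AllowLimitedAccess.
# Assumes the SharePoint Online Management Shell module is installed and that the
# placeholder URLs below are replaced with real tenant values.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",   # placeholder admin URL
    [string[]]$SiteUrls = @(
        "https://contoso.sharepoint.com/sites/Finance",            # placeholder sites
        "https://contoso.sharepoint.com/sites/HR"
    ),
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

Connect-SPOService -Url $AdminUrl

foreach ($url in $SiteUrls) {
    # Get-SPOSite with -Identity returns the full property set for one site
    $site    = Get-SPOSite -Identity $url
    $current = $site.ConditionalAccessPolicy

    if ("$current" -eq "AllowLimitedAccess") {
        Write-Output "OK      $url (ConditionalAccessPolicy = $current)"
        continue
    }

    # Any other value (typically AllowFullAccess) means the Conditional Access
    # policy delegates to SharePoint, but this site is not restricting downloads.
    Write-Output "MISSING $url (ConditionalAccessPolicy = $current)"

    if ($Apply) {
        # AllowLimitedAccess = web-only access; downloads are blocked on unmanaged devices
        Set-SPOSite -Identity $url -ConditionalAccessPolicy AllowLimitedAccess
        Write-Output "        -> set to AllowLimitedAccess"
    }
}
```

Run it without -Apply first to see which sites still allow full access, then rerun with -Apply once the list looks right.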
Sensitivity Labels
You can specify download restrictions by setting up a sensitivity label from Information protection in the Microsoft 365 compliance center. For the sensitivity label, select Groups & sites - Define external sharing and conditional access settings. Check Use Azure AD Conditional Access to protect labeled SharePoint sites. Select Allow limited, web-only access. Assign the sensitivity label to the site collection you want to restrict downloads from via the SharePoint admin center.
Power Platform Integration
Sometimes Power Apps or Power Automate needs to access files in SharePoint document libraries. Let's look at the behavior when downloads are restricted using the methods described above.
Power Apps
In Power Apps, you can use the Excel Online (Business) connector to use an Excel file as a data source. In this case, even if the SharePoint site has download restrictions enabled, it will not result in an error.
Power Automate
In Power Automate, there are ways to open Excel files using the Excel Online (Business) connector, as well as methods to open files using the SharePoint connector. The results for each are as follows:
| Connector | Action | Result |
|---|---|---|
| Excel Online (Business) | List rows present in a table | Available |
| SharePoint | Get file metadata | Available |
| SharePoint | Get file content | Unavailable |
As you can see, only the operation to open the file content is blocked.
Conclusion
Be aware that even if you restrict downloads, data can still be accessed from the Power Platform. As the Excel Online (Business) connector cannot be blocked or configured with endpoints via DLP policies, there currently seems to be no way to prevent this. I would appreciate it if you could let me know if there is a good solution for this.