Configure Sensitivity Labels to Block Document Downloads from SharePoint
Easier Than Running Set-SPOSite to Configure Individual Sites with the Block Download Policy
In February 2023, I wrote about the SharePoint Online Block Download policy. At the time, the only way to assign the block download policy to a site was to run the Set-SPOSite cmdlet to update site settings. This isn’t a difficult operation and it’s likely that relatively few sites contain the level of confidential information that creates the need to block users from downloading documents.
Using PowerShell to maintain the block access policy for individual sites is not a problem. However, managing which sites have a block download policy is easier with a container management label. If configured for a container management label, SharePoint Online applies the block download policy automatically along with all the other controls set in the label to each site that receives the label.
Configuring a Container Management Label to Block Downloads
When Microsoft introduces new controls over site behavior through container management labels, PowerShell is often the initial method chosen to apply the settings. External sharing is an example of a setting first enabled in PowerShell and later configurable through the GUI for sensitivity labels in the Microsoft Purview portal. Even though the block download policy has been available for a while, it is still considered an advanced setting that must be configured through PowerShell.
The first step is to connect to Exchange Online PowerShell and to the compliance endpoint:
Connect-ExchangeOnline
Connect-IPPSSession
To update the block download policy, run the Set-Label cmdlet to configure the advanced settings for the labels that will apply the control. In the following example, I configure settings for a label with the display name Limited Access to:
- Set the block download policy to True (the policy is active).
- Exclude site owners from the block download policy.
- Exclude the members of a selected group from the block download policy. Pass the object identifier for the group. If you want to specify several groups, separate the object identifiers with commas. You can use security or Microsoft 365 groups.
Set-Label -Identity 'Limited Access' -AdvancedSettings @{BlockDownloadPolicy="true"}
Set-Label -Identity 'Limited Access' -AdvancedSettings @{ExcludeBlockDownloadPolicySiteOwners = "true"}
Set-Label -Identity 'Limited Access' -AdvancedSettings @{ExcludedBlockDownloadGroupIds="2c2f5287-a88a-4e14-ba22-503d8b0bf3b3"}
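To check that a label carries the three settings after running the commands above, and to see exactly which groups are exempt from the policy, the label's advanced settings can be read back and summarized. This is an added example, not code from the original article: the function name Get-BlockDownloadLabelState is hypothetical, and it assumes that each entry in the Settings property returned by Get-Label is a string in the form "[key, value]".

```powershell
# Added example: summarize the block download settings held in a label.
# Assumption: each Settings entry is a string shaped like "[key, value]".
function Get-BlockDownloadLabelState {
    param(
        [Parameter(Mandatory)] [string] $LabelName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Settings
    )
    # Build a lookup table (PowerShell hashtable keys are case-insensitive).
    $Map = @{}
    foreach ($Entry in $Settings) {
        if ($Entry -match '^\[\s*([^,\]]+?)\s*,\s*(.*?)\s*\]$') {
            $Map[$Matches[1]] = $Matches[2]
        }
    }
    # Split the comma-separated list of excluded group identifiers.
    $GroupIds = @()
    if ($Map['ExcludedBlockDownloadGroupIds']) {
        $GroupIds = @($Map['ExcludedBlockDownloadGroupIds'] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    # Flag values that are not well-formed GUIDs so they can be corrected.
    $GuidPattern = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    $BadIds = @($GroupIds | Where-Object { $_ -notmatch $GuidPattern })

    $Enabled = ($Map['BlockDownloadPolicy'] -eq 'true')
    $OwnersExcluded = ($Map['ExcludeBlockDownloadPolicySiteOwners'] -eq 'true')
    [PSCustomObject]@{
        Label                = $LabelName
        BlockDownload        = $Enabled
        OwnersExcluded       = $OwnersExcluded
        ExcludedGroupIds     = $GroupIds
        MalformedGroupIds    = $BadIds
        # Exemptions defined while the policy itself is off suggest an unfinished setup.
        ExemptionsWithoutPolicy = (-not $Enabled -and ($OwnersExcluded -or $GroupIds.Count -gt 0))
    }
}

# Constructed sample in the assumed shape; the group id is the one used in the article.
$Sample = @(
    '[blockdownloadpolicy, true]',
    '[excludeblockdownloadpolicysiteowners, true]',
    '[excludedblockdownloadgroupids, 2c2f5287-a88a-4e14-ba22-503d8b0bf3b3]'
)
Get-BlockDownloadLabelState -LabelName 'Limited Access' -Settings $Sample

# Against a live tenant, after Connect-IPPSSession:
# Get-BlockDownloadLabelState -LabelName 'Limited Access' -Settings (Get-Label -Identity 'Limited Access').Settings
```

Because members of the excluded groups keep the ability to download, the ExcludedGroupIds output is the list to review when auditing who can take copies of labeled content offline.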
The Effect on Users
After updating label settings, it takes about 24 hours for the policy to become effective. A background timer job detects that new label settings are available and applies them to the sites with the label. Afterward, when a user opens a site with a label that contains the block download policy settings, SharePoint Online checks if the user is a site owner or is on the excluded user list. If not, SharePoint Online applies the block download policy, and the user is restricted to working with content online (Figure 1).
The most obvious effect of the block download policy is that users must edit Office files with the browser apps. This is because SharePoint cannot download temporary copies of files for the Office desktop apps to work with.
If you don’t know if sites have assigned container management labels, run the script described in this article. For more details about how the Block Download policy works, read Microsoft’s documentation.
Advantages of Policy Assignment via Sensitivity Labels
The advantage of applying settings through sensitivity labels is obvious: once an administrator assigns a label to a container, the container inherits all the label settings. There’s no need for administrators to discover the syntax to apply individual settings to sites. You still can apply the block download policy to sites by running the Set-SPOSite cmdlet, but policy assignment via sensitivity labels is more convenient and less prone to error. It also means greater consistency in site settings because administrators know that once they apply a container management label to a site, the site automatically picks up all the settings from the label.
Using the Block Download policy requires the Microsoft SharePoint advanced management license for all users who “benefit from the policy.” In other words, anyone who connects to a site where the policy is active must have an appropriate license.