When sharing files with external users in SharePoint Online and OneDrive, organizations may want to prevent downloads to protect sensitive information. PnP PowerShell allows administrators to enforce view-only access for external users, restricting downloads while still permitting online viewing.
Step 1: Install and Connect PnP PowerShell
Before running any script, ensure that you have PnP PowerShell installed:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell
Connect to SharePoint Online with admin credentials:
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
Step 2: Enable View-Only Sharing for External Users
SharePoint Online allows external users to view files in the browser without the ability to download. This can be enforced using “BlockDownload” policies on file-sharing links.
Set-PnPTenant -ViewOnlyFileTypes "PDF, DOCX, XLSX, PPTX"
✔ Limits downloads for specified file types when shared externally.
Step 3: Restrict Download for a Specific SharePoint Site
If you want to restrict downloads only on a specific site, use the following command:
Set-PnPSite -Identity "https://yourtenant.sharepoint.com/sites/YourSite" -DisableSharingForNonOwners $true
✔ Prevents non-owners from sharing and downloading content.
Step 4: Create View-Only Sharing Links (Prevent Downloads)
To generate a view-only link for a specific file, use:
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
$fileUrl = "/Shared Documents/SensitiveFile.pdf"
# Connect to the site
Connect-PnPOnline -Url $siteUrl -Interactive
# Create a view-only link that blocks download
Grant-PnPFileSharingLink -FileUrl $fileUrl -LinkType View -BlockDownload $true
✔ External users can only view the file online and cannot download it.
Step 5: Restrict Download Permissions for Guest Users at the Tenant Level
To enforce this restriction globally for all external users, apply the following:
Set-PnPTenant -BlockDownloadLinksForGuests $true
✔ Blocks download links for all guest users across SharePoint and OneDrive.
Step 6: Audit External Sharing and Block Downloads on Existing Files
To check which files are shared externally, use:
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
# Connect to the site
Connect-PnPOnline -Url $siteUrl -Interactive
# Get externally shared files
$sharedFiles = Get-PnPListItem -List "Documents" | Where-Object { $_.FieldValues["SharedWithUsers"] -ne $null }
foreach ($file in $sharedFiles) {
Set-PnPFileCheckedOut -Url $file.FieldValues["FileRef"]
Grant-PnPFileSharingLink -FileUrl $file.FieldValues["FileRef"] -LinkType View -BlockDownload $true
Set-PnPFileCheckedIn -Url $file.FieldValues["FileRef"] -CheckinType MajorCheckIn
}
Write-Host "Download restrictions applied to all externally shared files."
✔ Updates existing files to prevent external users from downloading them.
Step 7: Automate Enforcement Using Task Scheduler
To ensure external sharing links always block downloads, schedule this script to run periodically:
- Save the script as
RestrictDownload.ps1. - Open Task Scheduler → Create Basic Task.
- Set Trigger → Weekly or Daily.
- Set Action → Start a Program.
- Use the following PowerShell command:
-ExecutionPolicy Bypass -File "C:\Scripts\RestrictDownload.ps1"
✔ Ensures all newly shared files have download restrictions applied.