Restricting download access in SharePoint is crucial when dealing with sensitive or confidential information. SharePoint provides multiple methods to prevent users from downloading files while still allowing them to view documents online.
This guide explains how to:
✔ Use View-Only permissions
✔ Enable Information Rights Management (IRM)
✔ Configure SharePoint Sensitivity Labels
✔ Restrict downloads for external users
✔ Use Conditional Access Policies
1. Use “View-Only” Permission Level
SharePoint provides a built-in View-Only permission level that allows users to view files but not download them.
Steps to Assign View-Only Permissions:
1️⃣ Go to your SharePoint site.
2️⃣ Click Settings (Gear Icon) > Site Permissions.
3️⃣ Click Advanced permissions settings.
4️⃣ Select the document library and click Stop Inheriting Permissions if necessary.
5️⃣ Click Grant Permissions and enter the user or group name.
6️⃣ Select View Only from the permission levels.
7️⃣ Click Share.
Limitations:
- Users can still take screenshots or manually copy content.
- PDF files may still be downloaded, as they do not fully respect View-Only mode.
2. Enable Information Rights Management (IRM)
Information Rights Management (IRM) provides stronger download restrictions by encrypting documents and controlling file actions.
Steps to Enable IRM in SharePoint:
1️⃣ Go to SharePoint Admin Center (https://admin.microsoft.com) and navigate to Settings.
2️⃣ Click Classic settings page.
3️⃣ Under Information Rights Management (IRM), enable IRM services.
4️⃣ Go to your document library in SharePoint.
5️⃣ Click Library Settings > Information Rights Management.
6️⃣ Check Restrict permission to documents in this library.
7️⃣ Choose the appropriate restrictions (prevent downloading, disable printing, block offline access).
8️⃣ Click OK to save settings.
Benefits of IRM:
✔ Prevents downloads, screenshots, and unauthorized sharing.
✔ Works with Microsoft Office files (Word, Excel, PowerPoint, PDFs).
✔ Controls document expiration and access revocation.
Limitations:
- IRM does not work for all file types.
- Users may need Microsoft 365 Apps to enforce restrictions.
3. Use SharePoint Sensitivity Labels
Microsoft Sensitivity Labels allow you to classify and restrict files based on their sensitivity level.
Steps to Apply Sensitivity Labels in SharePoint:
1️⃣ Open Microsoft Purview Compliance Portal (https://compliance.microsoft.com).
2️⃣ Navigate to Information Protection > Labels.
3️⃣ Click Create Label and configure:
- Prevent file download
- Allow view-only access
4️⃣ Publish the label to SharePoint sites.
5️⃣ Users assigned this label will have download restrictions applied automatically.
Benefits of Sensitivity Labels:
✔ Enforce access control policies across SharePoint, Teams, and OneDrive.
✔ Works with Data Loss Prevention (DLP) policies.
✔ No need for manual permission management.
4. Restrict Download Access for External Users
If you share files externally, you can prevent guests from downloading content while still allowing them to view files online.
Steps to Restrict Downloads for External Users:
1️⃣ Go to SharePoint Admin Center.
2️⃣ Click Policies > Sharing.
3️⃣ Under File and Folder Links, select “View-only, no download”.
4️⃣ Go to the document library and select the file or folder.
5️⃣ Click Share > People you choose and enable “Block download”.
6️⃣ Click Apply and send the link.
Benefits:
✔ Prevents external users from downloading shared files.
✔ Works with OneDrive and Microsoft Teams.
✔ Can be applied per file or folder.
Limitations:
- Only works with Microsoft 365 external sharing links.
- Does not work for internal users unless enforced with IRM or DLP.
5. Use Conditional Access Policies (Azure AD)
For advanced security, Conditional Access Policies allow you to block downloads based on device, location, or user role.
Steps to Create a Conditional Access Policy:
1️⃣ Open Microsoft Entra Admin Center (https://entra.microsoft.com).
2️⃣ Go to Security > Conditional Access.
3️⃣ Click New Policy and name it “Restrict Downloads in SharePoint”.
4️⃣ Under Assignments, select:
✔ Users or Groups (e.g., External users, Guest accounts).
✔ Cloud Apps > Select SharePoint Online.
5️⃣ Under Session Controls, choose Use App Enforced Restrictions.
6️⃣ Click Create Policy.
Benefits:
✔ Prevents downloads on untrusted devices or locations.
✔ Enforces restrictions based on user roles and security posture.
✔ Works across SharePoint, Teams, and OneDrive.
Limitations:
- Requires Azure AD Premium licensing.
- Applies only in browser-based sessions (not the desktop app).
6. Additional Security Measures
🔹 Enable Multi-Factor Authentication (MFA) – Prevents unauthorized access.
🔹 Audit and Monitor File Access – Track who is viewing or attempting to download files.
🔹 Use Data Loss Prevention (DLP) Policies – Automatically block downloads of sensitive content.
7. Conclusion
Restricting downloads in SharePoint is critical for data security and compliance. The best method depends on your specific needs:
✔ Use View-Only permissions for basic restrictions.
✔ Enable IRM for stronger document protection.
✔ Apply Sensitivity Labels to enforce policy-driven restrictions.
✔ Restrict external sharing with “Block Download” links.
✔ Use Conditional Access for advanced security controls.
By combining these methods, you can protect sensitive files while maintaining collaboration in SharePoint.