Read Only And Document Download Restrictions in SharePoint Online
Both SharePoint Online (including OneDrive for Business) and Exchange Online allow a read only mode to be implemented based on certain user or device or network conditions. For these settings in Exchange Online see my other post at https://c7solutions.com/2018/12/read-only-and-attachment-download-restrictions-in-exchange-online.
When this is enabled documents can be viewed in the browser only and not downloaded.
So how to do this.
Step 1: Create a Conditional Access Policy in Azure AD
You need an Azure AD Premium P1 licence for this feature.
Here I created a policy that applied to one user and no other policy settings. This would mean this user is always in ReadOnly mode. In real world scenarios you would more likely create a policy that applied to a group and not individual users and forced ReadOnly only when other conditions such as non-compliant device (i.e. home computer) where in use.
The steps for this are:
The pictures, as you cannot create the policies in the cmdline, are as follows:
a) New policy with a name. Here it is “Limited View for ZacharyP”
b) Under “Users and Groups” I selected my one test user. Here you are more likely to pick the users for whom data leakage is an issue
c) Under “Cloud apps” select Office 365 SharePoint Online. I have also selected Exchange Online, as the same idea exists in that service as well
d) Under Session, and this is the important one, select “Use app enforced restrictions”. SharePoint Online will then implement read only viewing for all users that fall into this policy you have just created.
Step 3: View the results
Ensure the user is licensed for SharePoint Online (and a mailbox if you are testing Exchange Online) and an Azure AD Premium P1 licence and ensure there is a document library with documents in it for testing! Login as the user under the conditions you have set in the policy (in my example, the conditions where for the specific user only, but you could do network or device conditions as well.
SharePoint and OneDrive Wizard Driven Setup
For reference, in the SharePoint Admin Centre and Policies > Access Control > Unmanaged Devices, here you turn on “Allow limited web-only access” or “Block access” to do the above process of creating the conditional access rule for you, but with pre-canned conditions:
In the classic SharePoint Admin Center it is found under that Access Control menu, and in SharePoint PowerShell use
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
Turning the settings on in SharePoint creates the Conditional Access policies for you, so for my demo I disabled those as the one I made for had different conditions and included SharePoint as well as a service.
This is as shown for SharePoint – the banner is across the top and the Download link on the ribbon is missing:
And for OneDrive, which is automatic when you turn it on for SharePoint: