Saturday, November 15, 2025

Implement Conditional access in SPO to prevent download and printing files



To implement conditional access in SharePoint Online (SPO) so that documents in a library cannot be downloaded or printed, you apply session controls in a Microsoft Entra ID (Azure AD) Conditional Access policy that restricts those actions when SharePoint is accessed. This cannot be done with SPO cmdlets alone: the site is switched to limited access mode (the AllowLimitedAccess setting, also described as "Block Download"), and a matching Conditional Access policy is created through Microsoft Graph PowerShell to enforce it.

Here is a step-by-step approach using PowerShell and SharePoint Online cmdlets:

Step 1: Connect to SharePoint Online Management Shell

```powershell
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com -Credential (Get-Credential)
```

Step 2: Set Conditional Access on the SPO site to allow limited access (this will restrict download and printing)

```powershell
Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite -ConditionalAccessPolicy AllowLimitedAccess
```

This sets the site to use the limited access policy enforced via Conditional Access.

Step 3: Create or configure a Conditional Access policy in Azure AD (Microsoft Entra) to enable session controls for SharePoint Online

This step requires the Microsoft Graph PowerShell module, because Conditional Access policies are managed in Azure AD (Entra), not directly in SPO.

Connect to Microsoft Graph PowerShell

```powershell
Install-Module Microsoft.Graph -Scope CurrentUser

Import-Module Microsoft.Graph

$permissions = @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All")

Connect-MgGraph -Scopes $permissions
```

Define the policy that restricts download and printing by enforcing the "Use app enforced restrictions" session control on the SharePoint Online app.

Example policy creation cmdlet (adjust the parameter hashtables to your needs):

```powershell
$conditions = @{
    Applications = @{
        IncludeApplications = @("00000003-0000-0ff1-ce00-000000000000") # SharePoint Online App ID
    }
    Users = @{
        IncludeUsers = @("All")
    }
    # Graph requires clientAppTypes on a new policy; browser plus rich clients covers SPO access
    ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
}

$sessionControls = @{
    # "Use app enforced restrictions": SPO honours this on sites set to AllowLimitedAccess
    # (step 2), giving a limited web-only experience with download and print removed
    ApplicationEnforcedRestrictions = @{
        IsEnabled = $true
    }
    # Conditional Access App Control through Defender for Cloud Apps (MCAS). Valid values
    # for CloudAppSecurityType are mcasConfigured, monitorOnly and blockDownloads;
    # the tenant must be onboarded to Defender for Cloud Apps for this control to work.
    CloudAppSecurity = @{
        IsEnabled            = $true
        CloudAppSecurityType = "blockDownloads"
    }
}

$params = @{
    DisplayName     = "Block Download and Printing for SPO"
    # Start with "enabledForReportingButNotEnforced" to review the sign-in impact in report-only mode
    State           = "enabled"
    Conditions      = $conditions
    SessionControls = $sessionControls
    # No grant control: the built-in "block" control would deny sign-in to SPO outright
    # instead of allowing a restricted session, so this policy uses session controls only
}

New-MgIdentityConditionalAccessPolicy @params
```

This policy ensures that when users access SharePoint Online, downloading and printing are blocked through session controls enforced by Microsoft Defender for Cloud Apps (MCAS).
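The two halves of this setup (the site-level AllowLimitedAccess setting and the Entra policy) only restrict anything when both are in place, so it is worth checking them together. The script below is an added example, not code from the original post: it assumes an open Connect-SPOService and Connect-MgGraph session, and the policy name it looks up is the one created in step 3.

```powershell
# Added verification helper (assumption: already connected with Connect-SPOService
# and Connect-MgGraph, with Policy.Read.All granted). Reports whether the CA policy
# is enabled with app-enforced restrictions for SPO and which sites still lack
# the AllowLimitedAccess setting that the policy relies on.
function Test-SpoLimitedAccessSetup {
    param(
        [Parameter(Mandatory)] [string]   $PolicyDisplayName,
        [string[]] $SiteUrl   # optional: check only these sites instead of every site
    )
    $spoAppId = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online first-party app
    $escaped  = $PolicyDisplayName -replace "'", "''"     # escape for the OData filter

    # 1. Find the policy and confirm it targets SPO with app-enforced restrictions.
    #    A policy scoped to "All" or "Office365" would also cover SPO, so the
    #    IncludeApplications check is deliberately strict to the SPO app id.
    $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$escaped'" |
              Select-Object -First 1
    $policyOk = [bool]$policy -and
                $policy.State -eq 'enabled' -and
                ($policy.Conditions.Applications.IncludeApplications -contains $spoAppId) -and
                [bool]$policy.SessionControls.ApplicationEnforcedRestrictions.IsEnabled

    # 2. Check the site setting. Get-SPOSite -Limit All returns a trimmed object,
    #    so each site is fetched individually to read ConditionalAccessPolicy.
    $urls  = if ($SiteUrl) { $SiteUrl } else { (Get-SPOSite -Limit All).Url }
    $sites = foreach ($u in $urls) {
        $s = Get-SPOSite -Identity $u
        [pscustomobject]@{
            Url                     = $s.Url
            ConditionalAccessPolicy = $s.ConditionalAccessPolicy
            LimitedAccess           = ($s.ConditionalAccessPolicy -eq 'AllowLimitedAccess')
        }
    }

    [pscustomobject]@{
        PolicyFound         = [bool]$policy
        PolicyEnforcing     = $policyOk
        SitesChecked        = @($sites).Count
        SitesMissingSetting = @($sites | Where-Object { -not $_.LimitedAccess }).Url
    }
}

Test-SpoLimitedAccessSetup -PolicyDisplayName "Block Download and Printing for SPO"
```

A site listed under SitesMissingSetting is still served with full download and print even while the policy is enabled, which is the usual cause when the restriction "does not work" on one site but does on another.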

Summary

  • Use Set-SPOSite -ConditionalAccessPolicy AllowLimitedAccess to enable limited access mode on the SPO site.
  • Configure a Conditional Access policy using Microsoft Graph PowerShell to apply session controls on SharePoint Online to block downloads and printing.
