App Enforced Restrictions
Generally, these settings can be configured in the SharePoint Admin Center:
Options with Sensitivity Label
When the solution is implemented via a sensitivity label, the settings in the SharePoint Admin Center are no longer used. The label offers the same options, for example "Allow limited, web-only access":
Limitations of the solution with App Enforced Restrictions
- If you limit access on unmanaged devices, users on managed devices must use one of the supported OS and browser combinations, or they will also have limited access.
- If you limit access and edit a site from an unmanaged device, image web parts won't display images that you upload to the site assets library or directly to the web part.
- If you're using classic SharePoint site templates, site images may not render correctly. This is because the policy prevents the original image files from being downloaded to the browser.
- When Access Control for Unmanaged Devices in SharePoint is set to Allow limited, web-only access, SharePoint files cannot be downloaded but they can be previewed. The previews of Office files work in SharePoint but the previews do not work in Microsoft Yammer.
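
The unmanaged-device setting discussed above can also be reviewed from PowerShell, which helps when checking which sites actually run with limited access. The audit script below is an added example, not part of the original article; it assumes the SharePoint Online Management Shell module (Microsoft.Online.SharePoint.PowerShell) is installed, and the admin URL is a placeholder.

```powershell
# Added example: report the unmanaged-device access policy per site.
# Assumption: placeholder tenant admin URL, replace with your own.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
Connect-SPOService -Url $AdminUrl

# Tenant-wide value set in the SharePoint Admin Center:
# AllowFullAccess, AllowLimitedAccess or BlockAccess
$tenantPolicy = [string](Get-SPOTenant).ConditionalAccessPolicy
Write-Output "Tenant policy for unmanaged devices: $tenantPolicy"

$report = foreach ($entry in Get-SPOSite -Limit All) {
    # Query each site by URL so that all properties are populated
    $site = Get-SPOSite -Identity $entry.Url
    $sitePolicy = [string]$site.ConditionalAccessPolicy

    [pscustomobject]@{
        Url               = $site.Url
        SitePolicy        = $sitePolicy
        # A label on the site means the label's options govern access
        SensitivityLabel  = $site.SensitivityLabel
        DiffersFromTenant = ($sitePolicy -ne $tenantPolicy)
        FullAccess        = ($sitePolicy -eq 'AllowFullAccess')
    }
}

# Sites that still allow full access from unmanaged devices
$report | Where-Object FullAccess |
    Sort-Object Url |
    Format-Table Url, SitePolicy, SensitivityLabel -AutoSize

# Summary of how many sites use each policy value
$report | Group-Object SitePolicy |
    Select-Object Name, Count |
    Format-Table -AutoSize

# To restrict a single site after review (run deliberately, not in bulk):
# Set-SPOSite -Identity '<site url>' -ConditionalAccessPolicy AllowLimitedAccess
```
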
Use Conditional Access App Control
To create more granular rules with advanced options, "Block Download" can also be enforced with Cloud App Security. This is done by using the "Conditional Access App Control" options in Conditional Access in Azure AD:
This also allows scenarios such as assigning a sensitivity label as soon as a document is downloaded.
Further options:
- Add file filters to the policy: Extension, File Name, File Size, Sensitivity Label
- Inspection Method: Can be used to configure include or exclude conditions
- Actions: Block, Protect (apply sensitivity label to downloads & monitor all activities), require step-up authentication such as MFA, etc.
- Configure Alerts