Saturday, 7 August 2021

Use app enforced restrictions vs. Use Conditional Access App Control

Blocking downloads or at least blocking them on unmanaged devices is a common requirement in the context of Microsoft Teams and SharePoint. Different features can be used to implement such requirements.

App Enforced Restrictions

Generally, the access settings for unmanaged devices can be configured in the SharePoint Admin Center (first screenshot):
If this setting is used, the system automatically creates two conditional access policies in Azure AD (second screenshot):
These policies can be customized and thus also serve as a starting point for a more detailed conditional access policy that, for example, applies only to selected users or groups.

The first screenshot above also shows the following message: We will automatically change the "Apps that don't use modern authentication" setting to block access (because these apps can't enforce this device-based restriction). The reason is that apps that do not use modern authentication cannot enforce any device-based setting. If such apps remain allowed, the created conditional access policies can be bypassed.

Another note in the screenshot above makes clear that not all detailed settings are available via the UI in the SharePoint Admin Center: "If you don't want to limit or block access organization-wide, you can do so for specific sites". The link behind "Learn how" leads to the documentation of the options available via PowerShell.

Example: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess
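As an added example (not code from the original post), the following SharePoint Online Management Shell session applies the site-level setting from the example above to one site, reads the tenant-wide defaults first, and verifies the result. The tenant name "contoso" and the site "Finance" are placeholders; the cmdlets and the parameter values are the documented ones from the Microsoft.Online.SharePoint.PowerShell module.

```powershell
# Added example, not from the original post. Tenant and site names are placeholders.
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell

$tenant  = "contoso"                                       # placeholder
$siteUrl = "https://$tenant.sharepoint.com/sites/Finance"  # placeholder

Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# 1. Read the tenant-wide defaults first. A site-level policy only matters if
#    the tenant does not already block everything, and legacy (non-modern)
#    authentication must be off, otherwise the device-based restriction can
#    be bypassed by clients that cannot enforce it.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LegacyAuthProtocolsEnabled

# 2. Apply "Allow limited, web-only access" to the single site.
#    Valid values for -ConditionalAccessPolicy are Disabled, AllowLimitedAccess,
#    AllowFullAccess and BlockAccess.
Set-SPOSite -Identity $siteUrl -ConditionalAccessPolicy AllowLimitedAccess

# 3. Read the setting back. This confirms only that the configuration was
#    stored: the policy can take 5-10 minutes to take effect and does not
#    apply to users already signed in from unmanaged devices.
Get-SPOSite -Identity $siteUrl | Select-Object Url, ConditionalAccessPolicy

# 4. Close the legacy-authentication bypass mentioned in the admin center
#    message if it is still enabled at tenant level.
if ((Get-SPOTenant).LegacyAuthProtocolsEnabled) {
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
}
```

Run step 1 and step 3 again after the 5-10 minute propagation window with a test account on an unmanaged device to confirm the web-only behaviour; an account that was already signed in before the change must sign out first.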

Options with Sensitivity Label

The solution via Sensitivity Label means that the settings in the SharePoint Admin Center are no longer used. The label offers the same options, for example "Allow limited, web-only access":
This setting has the following effect both in the SharePoint Admin Center and in the label configuration:
Users on unmanaged devices can only access the designated site through the browser, without being able to download, print, or sync files. They also cannot access content through apps, including Office desktop apps.
In this scenario, the corresponding label is assigned to one or more SharePoint sites. The label then enforces the configured setting. If the label and the settings in the SharePoint Admin Center conflict, the label wins.

With both options, it is thus possible to prevent downloading content from sites that are explicitly configured using PowerShell or labeled with a sensitivity label that enforces web-only access. It may take 5-10 minutes for the policy to take effect. It will not take effect for users who are already signed in from unmanaged devices.

Limitations of the solution with App Enforced Restrictions

The following restrictions apply when using App Enforced Restrictions:
  • If you limit access on unmanaged devices, users on managed devices must use one of the supported OS and browser combinations, or they will also have limited access.
  • If you limit access and edit a site from an unmanaged device, image web parts won't display images that you upload to the site assets library or directly to the web part.
  • If you're using classic SharePoint site templates, site images may not render correctly. This is because the policy prevents the original image files from being downloaded to the browser.
  • When Access Control for Unmanaged Devices in SharePoint is set to Allow limited, web-only access, SharePoint files cannot be downloaded but they can be previewed. The previews of Office files work in SharePoint but the previews do not work in Microsoft Yammer.

Use Conditional Access App Control

To create more granular rules with advanced options, "Block Download" can also be enforced with Microsoft Cloud App Security. This is done by using the "Conditional Access App Control" session control in Conditional Access in Azure AD:
Cloud App Security then acts as a broker that sits in front of the access to Office 365:

This also allows scenarios such as assigning a sensitivity label as soon as a document is downloaded.

Further options:
  • Add file filters to the policy: Extension, File Name, File Size, Sensitivity Label
  • Inspection Method: can be used to configure include or exclude conditions
  • Actions: Block, Protect (apply sensitivity label to downloads and monitor all activities), require step-up authentication such as MFA
  • Configure Alerts
Further details and how to implement the solution are described in this blog post: Secure your environment by Conditional Access & App Controls

What is the difference between "Use app enforced restrictions" and "Use Conditional Access App Control"?

If the focus is only to prevent downloading on an unmanaged device, this can be achieved with both methods. The method via Microsoft Cloud App Security offers more detailed options, is not limited to SharePoint and Exchange, and does not have the limitations of App Enforced Restrictions (see Limitations of the solution with App Enforced Restrictions). Another significant difference is the license required in each case. App Enforced Restrictions in combination with Azure AD Conditional Access requires only an Azure AD P1 license. The Conditional Access App Control solution requires a Cloud App Security license for all affected users.
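To make the difference between the two session controls concrete, here is an added example (not the policies the SharePoint Admin Center generates, and not code from the original post) that creates both variants as Azure AD Conditional Access policies with Microsoft Graph PowerShell. Both policies share the same conditions and differ only in the session control. The pilot group id is a placeholder, the device filter rule is one assumed way of defining "unmanaged" (neither compliant nor hybrid Azure AD joined), and both policies are created in report-only state so the sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example, not from the original post. Group id is a placeholder.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder object id

# Shared conditions: Office 365 as the target app, browser sessions only, and
# a device filter in "exclude" mode that removes compliant and hybrid-joined
# devices, so the policy applies to the remaining (unmanaged) devices.
$conditions = @{
    applications   = @{ includeApplications = @("Office365") }
    users          = @{ includeGroups = @($pilotGroupId) }
    clientAppTypes = @("browser")
    devices        = @{
        deviceFilter = @{
            mode = "exclude"
            rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
        }
    }
}

# Variant A: "Use app enforced restrictions". Azure AD only passes the device
# state to the app; SharePoint and Exchange apply the limited-access behaviour
# configured in the admin center, via Set-SPOSite, or via a sensitivity label.
# Needs only an Azure AD P1 license.
$appEnforced = @{
    displayName     = "Pilot - Unmanaged devices - App enforced restrictions"
    state           = "enabledForReportingButNotEnforced"
    conditions      = $conditions
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

# Variant B: "Use Conditional Access App Control" with "Use custom policy"
# (mcasConfigured). The session is brokered by Cloud App Security, where the
# file filters, inspection method, actions and alerts are configured.
# "blockDownloads" would select the built-in block-download option instead.
# Needs a Cloud App Security license for every user in scope.
$appControl = @{
    displayName     = "Pilot - Unmanaged devices - Conditional Access App Control"
    state           = "enabledForReportingButNotEnforced"
    conditions      = $conditions
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

foreach ($policy in @($appEnforced, $appControl)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0} -> {1} ({2})" -f $created.DisplayName, $created.Id, $created.State
}
```

Variant A is complete on its own once the SharePoint side is configured; Variant B additionally needs a session policy in Cloud App Security (file filters, block or protect action, alerts) before it changes any behaviour. Switching either policy from report-only to "enabled" is a separate step after the sign-in log review.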







