+ Title: Block the download of files from a SharePoint site or OneDrive (preview)

+recommendations: true

+audience: Admin

+f1.keywords: NOCSH

+ms.localizationpriority: medium

+- Strat_SP_admin

+- M365-collaboration

+search.appverid:

+- SPO160

+- MET150

+- BSA160

+description: Learn how administrators can block download of files from a SharePoint and OneDrive without using conditional access policies.

+# Block the download of files from a SharePoint site or OneDrive (preview)

+As a SharePoint Administrator or Global Administrator in Microsoft 365, you can block download of files from SharePoint sites or OneDrive. This feature does not need Azure Active Directory conditional access policies. This feature can be set for individual sites and cannot be set at the organization level.

+Blocking download of files allows users to remain productive while addressing the risk of accidental data loss. Users have browser-only access with no ability to download, print, or sync files. They also won't be able to access content through apps, including the Microsoft Office desktop apps. When web access is limited, users will see this message at the top of sites, "Your organization doesn't allow you to download, print, or sync from this site. For help contact your It department."

+## How to set this policy for a SharePoint site

+1. To use PowerShell: [Download the latest SharePoint Online Management Shell](https://go.microsoft.com/fwlink/p/?LinkId=255251).

+ > [!NOTE]

+ > If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell."

+2. Connect to SharePoint as a [Global Administrator or SharePoint Administrator](./sharepoint-admin-role.md) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).

+3. Run the following command.

+ ```PowerShell

+ Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true

+ ```

+ For example, `Set-SPOSite -Identity https://contoso.sharepoint.com/sites/research -BlockDownloadPolicy $true`

+## Exempting users and groups from the policy

+ The following parameters can be used with this cmdlet to fine tune it.

+ `-ExcludeBlockDownloadPolicySiteOwners $true` Exempts site owners from this policy and they can fully download any content for the site.

+ `-ExcludedBlockDownloadGroupIds <comma separated group ids>` Exempts users from the mentioned groups from this policy and they can fully download any content for the site.

+## App impact

+Blocking download may impact the user experience in some apps, including some Office apps. We recommend that you turn the policy on for some users and test the experience with the apps used in your organization. In Office, make sure to check the behavior in Power Apps and Power Automate when your policy is on.

+> [!NOTE]

+> Apps that run in "app-only" mode in the service, like antivirus apps and search crawlers, are exempted from the policy.

+>

+> If you're using classic SharePoint site templates, site images may not render correctly. This is because the policy prevents the original image files from being downloaded to the browser.

+## Need more help?

+[SharePoint Q&A](/answers/topics/office-sharepoint-online.html)

+## Related topics

+[SharePoint and OneDrive unmanaged device access controls for administrators](/sharepoint/control-access-from-unmanaged-devices).

+[Policy recommendations for securing SharePoint sites and files](/microsoft-365/enterprise/sharepoint-file-access-policies)

+[Control access to SharePoint and OneDrive data based on defined network locations](control-access-based-on-network-location.md)

+Loop's near real-time communications are enabled by the core services that run a WebSocket server. Coauthors in the same session need to establish secured WebSocket connections to this service to send and receive collaborative data such as changes made by others, live cursors, presence, etc. These experiences are crucial to Loop, and all the scenarios powered by Fluid framework. So, at the minimum, WebSocket will need to be unblocked from the user's endpoint.

+You'll need the latest version of SharePoint PowerShell module to enable or disable all Loop (powered by the Fluid Framework) experiences across your Microsoft 365 organization. Microsoft Fluid Framework defaults to ON for all organizations. Because Loop components are designed for collaboration, the components are always shared as editable by others, even if your organization is set to default to view-only for other file types. See the Learn more link next to the setting for more details.

+|Loop components in Teams and Outlook|`IsLoopEnabled` (boolean)|This property controls Loop experiences across the Microsoft 365 experience, except for Outlook - see below.|

+## Settings management for Outlook

+Microsoft is migrating to Cloud Policy as the mechanism to control Loop experiences. This will be phased in over time, so set both the above SharePoint setting `IsLoopEnabled` and the Cloud Policy settings in this section to control all Loop integrations.

+Outlook integration will stop checking the `IsLoopEnabled` setting in late 2022.

+Outlook integration will begin checking only these Cloud Policy settings in late 2022:

+* Create and view Loop files in Microsoft apps that support Loop

+* Create and view Loop files in Outlook

+See the [Cloud Policy](/deployoffice/admincenter/overview-cloud-policy) setting templates for the settings above for more information.