SharePoint is a great platform for facilitating collaboration in organizations across industry verticals. But sometimes this collaboration needs to be locked-down due to legal or security policies. If you have trade secrets or documents that provide competitive advantage, you’ll want to keep them secured and prevent users from being able to download those documents from SharePoint.
Method 1: Prevent Contributors from Downloading Content
The standard Contributor permission in SharePoint provides the ability to create, edit and delete list items and documents. In order to facilitate offline work, SharePoint includes the ability to download documents to work locally.
Custom Permission Level
In order to prevent Contributors from downloading documents, we first need to enable the View Only permission level. In SharePoint Online, this is part of the “SharePoint Server Enterprise Site Collection features” feature. When this feature is activated, “View Only” will appear in the site permission levels.
The View Only permission level lets users read documents, but not download them. From here, we will create a new permission level by going to Permissions -> Permission Levels -> View Only.
When you scroll to the bottom of the permission level, you’ll see the “Copy Permission Level” function. This creates a new permission level, copying the exact permissions and allowing you to name and further customize the permissions.
Preventing downloading is not a checkbox in the permission level, rather it is embedded in the View Only permissions. After copying the View Only permissions, you’ll want to grant “Add Items” and “Edit Items” permissions in the new permission level. This creates a custom permission level, allowing users to add and edit list items and documents, without letting them download the files from SharePoint.
This new custom permission level can now be applied to a SharePoint group, providing users the ability to contribute to documents by editing only in the browser, without being able to download. This is reflected in the menu for documents. Users see that they can edit in Word Online, but can’t download, rename or delete the document.
Open Through Explorer
The custom permission level we built also prevents downloading a document through Windows Explorer. If a user tries to download or copy the document, they will encounter an error like:
SharePoint Mobile App
Note: as of March 2019, using the View Only (or the custom permission level shown above), prevents users from viewing documents in the SharePoint Mobile App. When attempting to open a document, the SharePoint App will tell the user they do not have permissions to complete the action. However, editing in the browser through the App is still available via the item menu.
Method 2: SharePoint Access Control
It’s important to note that while the above approach prevents users from downloading copies of documents from SharePoint Online, it does not prevent them from opening individual documents in the web client and copying data out of the documents. In order to prevent users from being able to download, print or copy, you need to implement SharePoint Access Control.
SharePoint Access Control is controlled at the Tenant level in the SharePoint Admin Console. In the settings, you can set the behavior for users connecting with Unmanaged Devices. An Unmanaged Device is one that’s not enrolled in Device Management through Microsoft Intune.
When SharePoint Access Control is set to “Allow limited, web-only access,” users on Unmanaged Devices receive the following message in the top banner, to make them aware of the limited functionality:
When the SharePoint Access Control is turned on, the configuration is sent to Intune, where it can be further managed. While a lot more control is available with Intune, additional licensing may apply.
No matter your specific Office 365 licensing, a few options are available to let users collaborate on documents while preventing them from downloading those documents. It’s important to think through the licensing implications and unintended consequences (see earlier note on SharePoint Mobile App limitations) before rolling-out these types of changes to your organization.
Lastly, if you’re looking for help with any aspect of SharePoint Online, know that Anexinet has the expertise, knowledge and skilled staff to achieve your goals and ensure a successful outcome. Our mission is to help organizations provide the best digital experience possible for employees, customers, and end users, so please don’t hesitate to reach out to us with any questions.
Have industry news sent right to your Inbox