Block Download Policy covered by Syntex-SharePoint Advanced Management License

Microsoft launched the Syntex-SharePoint Advanced Management license into preview in late January 2023. The license is now generally available and cost $3/user/month. Since news about the license emerged, people have been figuring out if the features covered by the license are worth the cost by examining details of the features it enables. Now a new block download file policy is available for Teams meeting recordings.

Blocking Downloads and Teams Meetings

In February, I covered the Block Download Policy for SharePoint Online, a feature in Syntex-SharePoint Advanced Management to limit users to browser access when interacting with content stored in sensitive sites. Blocking downloads for Teams recordings is a similar feature that’s now available in preview. The big difference is that the block download policy applies tenant-wide for all Teams recordings created after the block comes into force in both SharePoint Online sites (for channel meeting recordings) and OneDrive for Business (for personal meeting recordings).

Clearly Microsoft is responding to a customer need to make Teams meeting recording more secure. Blocking downloads removes the worry that someone with access to a recording of a sensitive meeting can download it before the meeting file automatically expires.

Site-Wide Block Download Policy Applied With PowerShell

As noted above, the block is tenant-wide. No GUI is currently available in the SharePoint Online admin center, so management of the block is by running the Set-SPOTenant cmdlet from the SharePoint Online management module.

Make sure that you run an up-to-date version of the module (I used 16.0.23408.12000) as otherwise the Set-SPOTenant won’t support the necessary parameters. Keeping modules like Exchange Online management, Teams, SharePoint Online, and the Microsoft Graph PowerShell SDK up to date is an important task. Ideally, you should check and update modules monthly. As it’s always nice when PowerShell looks after PowerShell, here’s a script to automate the process, including tidying up by removing old module files afterward.

To impose the block, use Set-SPOTenant to set these parameters:

• BlockDownloadFileTypePolicy from $False (the default) to $True.
• BlockDownloadFileTypeIds to “TeamsMeetingRecording.” This is the only value currently supported by the cmdlet.
• ExcludedBlockDownloadGroupIds to the identifiers of security groups whose members you want to exclude from the block download policy. You can’t use Microsoft 365 groups to exclude accounts. This parameter can be left blank if you want the policy to apply to all accounts. If you want to specify multiple security groups, do so in a comma-separated list.

Here’s the command I ran in my tenant to enable the block policy and check its settings afterward:

Set-SPOTenant -BlockDownloadFileTypePolicy $True -BlockDownloadFileTypeIds TeamsMeetingRecording -ExcludedBlockDownloadGroupIds "dc637020-4b0f-4f65-bdf0-3c7dbe8a83e7"

Get-SPOTenant | Format-List BlockDownLoadFile*, ExcludedBlock*

BlockDownloadFileTypePolicy   : True
BlockDownloadFileTypeIds      : {TeamsMeetingRecording}
ExcludedBlockDownloadGroupIds : {dc637020-4b0f-4f65-bdf0-3c7dbe8a83e7}

It can take up to a day before a policy update becomes effective across SharePoint Online. Before it is effective, anyone can download a Teams meeting recording (Figure 1).

When the block download policy is effective, users don’t see the download options for recordings created after the effective date (Figure 2).

It’s important for users to understand that they are only blocked for new recordings. At least, while the feature is in preview. However, when the block download policy is generally available, a background agent will search for older Teams meeting recordings stored in SharePoint Online and OneDrive for Business and mark the files as blocked for download. Although I can see why customers would want this to happen, the fact is that many of the Teams recordings will age out and disappear in a relatively short period unless users take explicit action to retain the files.

Available in Preview Now

SharePoint Online’s block download policy for Teams recordings is available in preview. After Microsoft makes the block download policy generally available, you’ll need to buy some Syntex-SharePoint Advanced Management licenses to continue using the policy or the block download policy will stop working (perhaps much to the relief of some users!).

---

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

SharePoint Block Download Policy Licensed by Syntex-SharePoint Advanced Management and Managed with PowerShell

One of the features covered by the new Syntex-SharePoint Advanced Management license blocks users from being able to download files from a SharePoint Online site or OneDrive for Business account. The idea is to protect sites that store very confidential material by forcing users to work with the files stored in the site using browsers. Users can’t even use the Office desktop apps because those apps download a temporary copy of files to work on them locally.

The block files from download feature is currently in preview. To enable a block download policy for a site, you’ll need to use the Set-SPOSite cmdlet from the latest version of the SharePoint Online management PowerShell module.

Restricting Download Access

I tested the feature by creating a new team called Project Aurora. I then configured the SharePoint Online site belonging to the team by running these commands to find all sites, select the URL for the Project Aurora site, and use it to configure a block download policy with an exclusion for site owners. In other words, site members can’t download files from its document libraries, but site owners can.

[array]$Sites = Get-SPOSite -Limit All
$Site = ($Sites | Where-Object {$_.Title -eq "Project Aurora"}) | Select-Object -ExpandProperty Url
Set-SPOSite -Identity $Site -BlockDownloadPolicy $True -ExcludeBlockDownloadPolicySiteOwners $True

The preview documentation says that site owners can grant exclusions to groups by passing the group identifiers in the ExcludedBlockDownloadGroupIds parameter. I see some issues here because Microsoft has long coached customers not to update membership of group-connected sites through SharePoint Online. In addition, adding a Microsoft 365 group to site membership creates an unsupported condition of nested Microsoft 365 groups. For now, I would avoid using group-based exclusions and concentrate solely on site owner exclusions.

After populating the default document library with some documents, I signed into the site with a member account. The site flagged the restrictions in place and removed the options to download files (Figure 1).

The Teams Files channel tab also removes the download option but doesn’t display a banner to inform the user about the restrictions. The Files channel tab does remove the option to use an Office desktop app to open a document. Before restricting downloads by policy, Microsoft recommends that you check any potential effect that the block might have on other applications, including Power Apps and Power Automate.

The file download restrictions are the same as when using a conditional access policy to limit access when users attempt to access SharePoint content from an unmanaged device. That’s the point of this feature: you don’t need to deploy conditional access policies to get equivalent protection. Although conditional access policies are a good way to control what people can do after they connect to a Microsoft 365 tenant, there’s no doubt that organizations can end up with many different policies to manage. Replacing a conditional access policy with a relatively simple download block applied at the site level might be a good thing to do, especially if you want to have finer-grained control over what sites block file downloads.

Applying the SharePoint Block Download Policy to Multiple Sites

As a practical example of how you might deploy block download policies, let’s assume that you want to stop downloads for all sites assigned the most stringent sensitivity label. In my tenant, that’s a label called “Confidential Access.” The important thing is to know the label identifier (GUID) because that’s how Microsoft 365 workloads connect to sensitivity labels. In this case, the GUID is c99e52c6-f5ff-4050-9313-ca6a3a35710f.

This script applies the SharePoint block download policy to all sites assigned the Confidential Access sensitivity label. First, we find the set of sites associated with Microsoft 365 groups. Because the Get-SPOSite cmdlet does not return all site properties when it processes multiple sites, we need to loop through the site of sites to check the sensitivity label for each site and apply the policy after detecting a matching label:

# Process sites and set the SharePoint block download policy
[array]$Sites = Get-SPOSite -Template "GROUP#0" -IncludePersonalSite:$False -Limit All
Write-Host ("Scanning {0} sites to find those with the Confidential Access label" -f $Sites.count)
[int]$i = 0
ForEach ($Site in $Sites) {
   $SiteData = Get-SPOSite -Identity $Site.Url
   If ($SiteData.SensitivityLabel -eq "c99e52c6-f5ff-4050-9313-ca6a3a35710f" -and $SiteData.BlockdownloadPolicy -eq $False ) {
      Write-Host ("Applying site download block policy to {0}" -f $SiteData.Title)
      Set-SPOSite -Identity $Site.Url -BlockDownloadPolicy $True -ExcludeBlockDownloadPolicySiteOwners $True; $i++
   }
}
Write-Host ("Finished processing. {0} sites updated with a block download policy" -f $i)

Remember Your Syntex Licenses

Remember that every member of a site that uses a block download policy to restrict downloads to site owners or groups must have a Syntex Advanced Management license. Given that you’ll probably only apply this kind of restriction to a limited number of sites, that shouldn’t be a big issue.

---

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.