Posted by Reading time (approx.): 5 minutes
Sometimes it’s best if your (guest)users cannot download the files from a SharePoint Online site. And there’s some simple ways to prevent this. One of these is to use the Access Control options in the SharePoint admin-center. These can be used to control access to documents when using an unmanaged device.
In this blog I want to go one step further. By using Microsoft Cloud App Security we can now use the power of Azure AD’s conditional access rules to prevent any download of documents. And in addition, these rules can apply to different cloud applications, not just SharePoint Online.
Cloud App Security App Control
Conditional Access App Control is part of Cloud App Security and is tightly integrated with Azure AD conditional access. When a user tries to access a resource on SharePoint Online, his/her identity is determined. When done, Azure AD checks if any conditions apply. A condition might be based on the device being used, the sign-in risk, or the location. It can also be based on the user or group (for example, external users or specific domain roles).
Based on the conditions, Azure AD will apply a policy. Policies can be based on granting access with specific settings (the enforcement of MFA for example), blocking access or passing on the handling of the policy to another application. Cloud App Security App Control is such an application. This is called Conditional Access App Control (CAAC).
When the policy has been passed, CAAC can monitor the connection, apply a custom (Cloud App Security) policy or block download of documents. That’s the one I’m going to use.
Watch the URL!
When you start using CAAC, you will start to notice something subtle. The URL of the platform being accessed is replaced by a Cloud App Security URL. For example:
Is replaced by:
https://contoso.sharepoint.com.region.cas.ms/sites/management
According to Microsoft, this is to keep the user within the session, without requiring any install on the device.
Here we go
For this post I’ll be using Azure AD Premium 1 and Microsoft Cloud App Security. These are required for this function to work. One of the first steps is to configure the conditional access policy.
I will forgo the detailed steps. But you should know that you’ll select the users, client apps (in this example Office 365 SharePoint Online) and conditions. But then you get to the Access controls. And here’s where you can configure the rule to use Conditional Access App Control. I’ve selected Block download (preview).
After saving this policy, it will take a very short time to take effect.
From the user
The first thing a user will notice is the dialog box. This tells our user that the session to/from SharePoint Online is monitored by Cloud App Security.
When a user tries to download a document from a SharePoint site, Cloud App Security steps in. The user sees a dialog box detailing the action. 
Also, a separate txt-file is downloaded. This file contains a little more information on the download
Please note (all-in-all)
This blog was to show you how a conditional access policy with app specific restrictions might work. But please note that this might not be the right solution for you! For one thing, preventing downloads from SharePoint Online does come with a big disadvantage: you can only use this solution for all site-collections.
Also, there’s the licenses to consider. MCAS does not come cheap, although it is part of Microsoft 365 and EMS E3.
But, then again, if you want a solution which is user-friendly and can manage more than just Office 365 cloud applications, this is the way to go. Also, blocking downloads is just on the functions. In addition, you can set alerts on these actions or get an insight into any trends. And, to be fair, you get a lot more conditional access options when using this function.
I’m very looking forward working with the new sensitivity labels and conditional access. When available I’d like to compare this function with the one described in this article. So keep posted!
If you want more information, then please read this article by Microsoft: https://docs.microsoft.com/en-us/office365/securitycompliance/ocas-conditional-access-app-control
Governance, Risk, Security and Compliance 
Great article . How can we apply MCAS controls to Teams fat app to stop downloads from unmaged devices
Hi there,
Interesting question. But I don’t think I have the answer. I would have looked at the site-classifications (sensitivity labels) and the option to prevent download here. https://alberthoitingh.com/2020/04/22/site-classifications-in-action/
But alas, this works only for cloud-applications. Using Teams in the browser does prevent download. But the client does allow this action. This might be an oversight or something Microsoft is still working on. I have looked at using MCAS policies to check if the client is coming from a managed device and then preventing downloads. But I haven’t been able to.
Having said this; Why prevent download? If it’s to prevent data loss, you might want to look at protecting the information instead. Microsoft Information Protection now allows for encrypted documents to be used in the webbrowser (and Teams). And when downloaded, the protection moves with the file itself.
And you can expect many new things to be presented during Ignite on this (and endpoint protection) as well.
So, sorry -I don’t have a straight away answer. But hope this helps somewhat.
I will delve into this some more. See what I can find 🙂