Microsoft 365: Stop Sensitive File Downloads on Mobile

Imagine someone opening a private file - like a client list or a budget sheet - on their phone. If they download it, that file now lives on their personal device. If they lose the phone or leave the company, that data goes with them. Not good, right?

Many people use Microsoft 365 apps like Teams, SharePoint, and OneDrive on their mobile phones. But without the right settings, files can be downloaded and shared without control.

That’s why it’s important to block file downloads on mobile devices - especially when the files are sensitive. With the right setup in Microsoft 365, you can:

• Use Conditional Access to block downloads on unmanaged devices
• Apply Intune App Protection Policies
• Set SharePoint and OneDrive to view - only mode
• Add watermarks to sensitive documents
• Restrict access to personal devices

In this guide, we’ll walk you through how to set this up - step by step - and give you a checklist to help keep your files safe.

Today, most people use their phones to check email, open documents, or join meetings using Microsoft 365 apps like Teams, SharePoint, and OneDrive. It’s super convenient - but it can also be risky.

If someone downloads a sensitive file to their personal phone, that file may not be protected. Your IT team won’t know where it ends up. It could be shared, copied, or kept - even after the person leaves your company.

Without the right policies and configurations, important data can easily slip through the cracks.

• BYOD sprawl – Employees use their own phones, and you lose control over what’s stored or shared.
• Ex-employees keep data – Someone leaves the company but still has access to client info, pricing, or internal documents.
• No encryption – Personal phones often don’t encrypt files. If the phone is lost or hacked, the data is exposed.

That’s why companies use Microsoft 365 tools to prevent data loss - especially on phones that aren’t managed by IT.

Many laws and standards require you to protect personal or private data. Here are a few examples:

• HIPAA – In healthcare, you must protect patient data. That means no saving files to unprotected phones.
• GDPR – If you handle personal data from the EU, you must stop people from downloading and sharing it freely.
• ISO 27001 – This global security standard says you must control who can access and store company data - especially on personal devices.

Using Microsoft 365 tools to block downloads from Teams, SharePoint, and other apps helps you stay compliant and avoid legal trouble.

Microsoft 365 gives you several powerful tools to help you stop sensitive files from being downloaded onto mobile phones. The best part? These tools work together, so you can create smart rules without needing full device control.

Let’s break down the key tools that make it possible to prevent file downloads in Microsoft 365 - especially from apps like SharePoint, OneDrive, and Teams.

Think of sensitivity labels as digital “stickers” you place on files. These stickers tell Microsoft 365 how to treat the file.

With Microsoft Purview, you can:

• Mark files as Confidential, Internal, or Restricted
• Automatically encrypt the file so it stays protected - even if someone copies or downloads it
• Block certain actions like printing, copying, or downloading (depending on the app)

For example, if a file in SharePoint is labeled as “Confidential,” it can be restricted to view – only mode in Teams or the browser - helping you prevent file download from SharePoint.

Conditional Access is like a smart gatekeeper. It checks things like:

• What device is being used?
• Is the device managed or personal?
• Where is the person signing in from?

You can use Conditional Access to:

• Block file downloads on unmanaged mobile devices
• Allow view – only access in mobile browsers
• Require multi – factor authentication before file access

So, if someone tries to open a sensitive file on their personal phone, Conditional Access can prevent downloads in Office 365 apps like Teams or OneDrive.

This tool adds extra control after a user is signed in. Defender lets you:

• Stop downloads in real time, even during an active session
• Apply watermarks to viewed documents
• Track activity like copying, pasting, or printing

For example, if someone opens a file in Microsoft Teams, you can use Defender to prevent file downloads unless the device meets certain conditions.

These tools, when used together, create strong protection. You don’t have to rely on a single solution - just mix and match based on your needs and user types.

Now that you know the tools available in Microsoft 365, let’s walk through exactly how to set things up. You don’t need to be a security expert - just follow these steps, and you’ll be able to prevent file downloads in Microsoft 365 on mobile devices safely and effectively.

Start by deciding which files are sensitive - like contracts, financials, or employee records - and apply sensitivity labels to them.

Platforms used: Microsoft Purview, Microsoft Entra Admin Center, SharePoint Admin Center

1. Go to Microsoft Purview → Solutions → Information Protection → Sensitivity Labels
2. Click + Create a label.

3. Under Label details, name the label something like: “Confidential – No Download Allowed” or “Confidential Data”

4. Also fill in other details like Description: “Prevents downloading, printing, or copying of labeled content.” You can also choose the label colour.

Open PowerShell as Administrator to Install Required PowerShell Modules and run:

6. Under Items, check both the options Control Access and Apply content marking (Add custom headers, footers, and watermarks to labeled items)

6.1 Under Access control, click Configure access control settings, and choose Assign permissions now. Under Allow offline access, select Never

6.2 Assign permissions to specific users and groups so they can interact with content that has this label applied.

6.3 Under Choose permissions, select Custom. Then proceed with Uncheck of all permissions except View. Save.

6.4 In content marking, you can add a header, footer, or watermark with Customized text.

7. (Optional) Apply auto-labeling rules for keywords like “salary” or “client”.
8. In Groups & sites, leave the settings unchecked unless you need to configure Teams or Microsoft 365 Groups.

9. In External sharing and Conditional Access settings, select Use Azure AD Conditional Access to protect labeled SharePoint sites. Select Allow limited, web-only access. (or Block access if that’s what you want to achieve)

10. Click Next and Review your settings. Finally click on the Create Label button to finish.

1. Go to Microsoft Entra Admin Center → Protection → Conditional Access
2. Click + Create new policy

3. Configure the Conditional Access Policy as described:

• • Name: Give the policy a name that fits your company’s naming convention.
  • Users: Select a group of users to apply the policy to.

• • Cloud apps or actions: Select the SharePoint Online cloud app.

• • Conditions: {empty}
  • Grant: {empty}
  • Session: Select the Use app enforced restrictions

4. Turn the policy On and Save

1. Go to Microsoft Purview → Solutions → Information Protection → Label Protection Policies → Publish Label

2. Click on Choose Sensitivity Labels to publish. From the list, choose the newly created Sensitivity Label that you just created (“Confidential Data” in our case). Click Add.

3. Click Next twice. (Skip Admin units page)
4. Click on Choose user or group and select the desired users, or alternatively leave the setting on All to include all users.

5. Click Next twice. (skip the Settings page)
6. Optional: If you want, you can set the newly created label as the default label or require users to apply a label to their groups or sites.
7. Enter a Name for your policy. Optional: Enter a Description for your policy.

8. Click Next and Submit to create the Sensitivity Label policy.

1. Go to the SharePoint Admin Center and navigate to Sites > Active Sites

2. Select the site. Click on
3. Go to Settings. Click on newly created Label from Sensitivity Label option.

4. Click Save

Conditional Access lets you control who can access what, from where, and how. The Policy identifies traffic from unmanaged browsers and hands the session to MDCA for inspection.

Platforms used: Microsoft Entra Admin Center, Defender

To block downloads on mobile phones that are personal or unmanaged:

1. Go to Microsoft Entra Admin Center → Protection → Conditional Access
2. Click + Create new policy

3. Name:

4. Assignments:
   • Users or groups: Target specific departments or all users

1. • Target resources:
     • Under Include, choose Select cloud apps.
     • Search for and select: Office 365, Office 365 SharePoint Online
       (This includes SharePoint and OneDrive for Business apps)

(Note: You need Microsoft Entra ID P1 or P2 or Microsoft 365 E5 license to target specific apps.)

5. Set Conditions:
   • Device Platforms:
     • Enable configuration: Yes
     • Select device Platforms: iOS and Android

1. • Client Apps: Configure it to Yes and then choose Mobile apps and desktop clients

1. • Filter for Devices: Set this option to Yes, then configure the filter to Include devices where IsCompliant equals False or DeviceOwnership equals Personal.

6. Access Controls

         Session:

1. • Select Use Conditional Access App Control
   • And then select ‘Use custom policy’

7. Save the policy and turn it ON (not just report-only)

Defender lets you take control even during an active session - without fully blocking access.

Important Note: Sign in to office.com from an unmanaged device using a test user to trigger the Conditional Access policy. This lets Defender onboard the app so you can create a session policy.

To create your Session policy:

1. Go to Microsoft Defender Portal → Cloud Apps → Policies → Policy management → Conditional Access

2. Click Create policy → Session policy
3. Set a Session Policy:
   • Policy name: Block Downloads on Unmanaged Devices
   • Policy Severity: Medium or High
   • Category: Data Loss Prevention (DLP)
   • Session control type: Control File download (with Inspection)

1. • Activity Source: Configure to match all of the following conditions:
     1. Device Type equals Mobile or PC
     2. Device Tag does not equal Intune compliant or Microsoft Entra Hybrid joined
   • Actions: Block
   • Alerts: Optional

4. Click Create.

Even if someone is already signed in, you can stop the download before it happens.

Results!!!!

Desktop view:

Mobile view:

While blocking downloads is a strong security move, you may need to make thoughtful exceptions for certain people, locations, or situations. Microsoft 365 lets you build in this flexibility - without losing control.

Some senior leaders or internal teams - like Legal, Finance, or IT - might need to download files on mobile devices, especially during travel.

Instead of disabling download protection entirely, you can:

• Create an exclusion group in Microsoft Entra ID (formerly Azure AD)
• Apply different Conditional Access policies to that group
• Allow downloads only on compliant devices, or from certain apps

This keeps protections in place for most users while giving trusted teams what they need.

In some cases, you might want to allow downloads only when users are on secure networks, like your company VPN or office Wi – Fi.

You can do this by:

• Setting a Named Location in Conditional Access
• Allowing full access only when the login IP matches that trusted network
• Blocking or limiting access on unknown or public networks

This ensures sensitive files aren’t downloaded over risky public connections.

Use this checklist to make sure your Microsoft 365 environment is set up to prevent file downloads on mobile devices - without blocking productivity.

• Files are classified as "Confidential" or similar
• Encryption is enabled
• Auto – labeling is applied to critical SharePoint and OneDrive libraries

• Separate policies for iOS and Android
• Unmanaged or non – compliant devices are restricted
• Web access is allowed, but file downloads are blocked
• Trusted groups or networks are excluded if needed

• Session policies block downloads on unmanaged devices
• Optional: watermarking enabled for browser – based viewing
• Real – time monitoring of file access and sharing

• Work apps like OneDrive and Word are protected
• Clipboard, Save – As, screenshots, and backups are restricted
• Policies apply even on personal devices without full MDM

• Trusted users or departments are excluded via groups
• Named locations (e.g., office IPs or VPN) are allowed
• Cross – app restrictions are tested across iOS and Android

• Purview audit logs are collecting access events
• Defender for Cloud Apps is logging risky behavior
• Alerts or reports are reviewed regularly by IT or security teams

Pro Tip: Save this checklist and revisit it every quarter - or when onboarding new apps or departments. Microsoft 365 evolves fast, and so should your protection policies.

You don’t need to lock everything down overnight. The best way to start is by testing your mobile download controls in a safe environment - then rolling them out gradually with clear communication.

Here’s what we recommend:

• Choose 2–3 test users on different devices (iOS and Android)
• Apply your new Conditional Access and Defender for Cloud Apps policies
• Label sample files in SharePoint or OneDrive
• Test how those files behave across Teams, browser, and mobile apps

• Check the Activity Log in Defender for Cloud Apps
• Confirm that download attempts are being blocked
• Review Purview Audit Logs to track file access across devices
• Set up alerts for risky actions (e.g., unauthorized download attempts)

• Tell users what’s changing, and why
• Explain that files are still accessible - but safer
• Share FAQs or short videos showing what to expect
• Reassure them that trusted exceptions can be made if needed

Tip: Use Microsoft 365 Message Center and SharePoint intranet pages to roll this out smoothly.

By starting small, measuring impact, and communicating well, you can build strong security without frustrating your users. And as Microsoft 365 continues to evolve, so will your ability to fine – tune these controls.

1. Does Microsoft 365 block file downloads on mobile by default?

No. By default, Microsoft 365 apps like SharePoint, OneDrive, and Teams allow downloads across all devices, including mobile. To block this, you need to use Conditional Access, Defender for Cloud Apps, and/or Microsoft Purview sensitivity labels to enforce download restrictions.

2. How do I stop people from downloading files from OneDrive?

Create a Conditional Access policy that targets OneDrive and applies to unmanaged or non-compliant devices. Combine it with Defender for Cloud Apps to block downloads in real-time. You can also use Purview sensitivity labels to restrict file usage.

3. How can I make a document view-only and not downloadable?

To make a document view-only:

• Apply a Microsoft Purview sensitivity label with “view only” permissions
• Enforce session controls in Defender for Cloud Apps
• Configure Conditional Access to allow only browser access without download privileges
  This ensures users can preview the file but cannot download, copy, or print it.

4. How do I lock a file in Microsoft 365 to prevent changes or downloads?

You can “lock” a file by:

• Setting file permissions to read-only via SharePoint/OneDrive
• Applying a sensitivity label with restricted permissions
• Using IRM (Information Rights Management) in Purview to disable copy, print, and download
  This ensures the file cannot be altered or downloaded, even by collaborators.

5. Can I block downloads in SharePoint Online using Conditional Access?

Yes. In Conditional Access:

• Set SharePoint Online as the cloud app
• Add a condition for unmanaged or mobile devices
• Use the “Use Conditional Access App Control” option to enable Defender for Cloud Apps session control
  Then, configure session control to block downloads, optionally with watermarking.

6. How do I stop users from downloading files from my shared folder in OneDrive?

When sharing a folder in OneDrive:

• Click “Manage Access” → “People with existing access”
• Choose ‘View only’ and disable “Allow editing”
• For external or unmanaged access, use Conditional Access + Defender for Cloud Apps to block download behavior on browser and mobile

7. How do I prevent saving files to OneDrive for specific users?

You can restrict OneDrive access by:

• Blocking license assignment for OneDrive
• Using Intune App Protection Policies to prevent OneDrive use on unmanaged devices
• Applying Conditional Access to block access to OneDrive altogether for certain users or device types

8. Can I allow downloads only from managed or compliant mobile devices?

Yes. Conditional Access policies let you require that a device be marked as compliant (via Intune) before allowing downloads. This ensures sensitive content is only downloaded onto secure, company-controlled devices.

9. Will download restrictions apply to desktop users too?

Only if you include desktops in your Conditional Access policy scope. You can target mobile platforms specifically (iOS, Android) while allowing full access on managed desktops or laptops.

10. Can I prevent file downloads in Microsoft Teams?

Yes. You can block file downloads in Teams by combining:

• A Conditional Access policy for the Teams app
• Defender for Cloud Apps session control to allow view-only mode
  This lets users preview shared documents without downloading them on mobile or unmanaged devices.

11. How do I stop documents from automatically downloading when opened?

To prevent automatic downloads:

• Use Defender for Cloud Apps to enforce session controls
• Force documents to open in the browser view only
• Disable “Always open in desktop app” in SharePoint/OneDrive settings
  This ensures files are streamed rather than downloaded by default.

12. Can I block screenshots of files on mobile devices?

Partially. Intune App Protection Policies can block screenshots inside Microsoft apps like Word or OneDrive. However, browser-based access cannot prevent screenshots — so combine with watermarking and user awareness training.

13. How can I audit or track file download attempts in Microsoft 365?

Use the following tools:

• Microsoft Defender for Cloud Apps for real-time alerts and activity logs
• Microsoft Purview Audit Logs to view file access, location, and download attempts
  This helps you detect risky behavior and maintain compliance with internal policies.

14. Can I make exceptions for certain users or departments?

Yes. You can define inclusion and exclusion groups in Conditional Access. For example, allow executives or HR users to download files from mobile, while restricting access for all other roles.