Block Downloads but Can still Sync Folder in OneDrive

Question

Block Downloads but Can still Sync Folder in OneDrive

Cristina 0

Hi,

I would like to check if there's an option for a Teams Sharepoint site to block downloads and print for visitors / read-only users but still able to sync the folder in their OneDrive?

I tried following the steps in https://learn.microsoft.com/en-us/sharepoint/block-download-from-sites. specifically:

Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -BlockDownloadPolicy $true-ExcludeBlockDownloadSharePointGroups "<M365group name>"

The "M365group name" is the M365 group created and generated the sharepoint site. running the script however blocked the download option for everyone and did not exclude the specified group.

Is there a way for the script above to work on the members of M365 group / Sharepoint members to be excluded from block policy? and also to ensure those who are blocked from downloading/printer can map the Sharepoint documents to their OneDrive?

1 answer

Your answer

Answer 1

Nghia-P 2,435 Microsoft External Staff Moderator

Hi Cristina,

Welcome to Microsoft Q&A Forum!

Have a good day and I hope you're doing well!

Thank you so much for sharing the details of your issue. I completely understand how frustrating it can be when permissions don’t work as expected, especially when you need to balance security with your team’s productivity. I appreciate your patience and the effort you’ve put into troubleshooting this so far.

Based on my research, when the block download policy is enabled on a SharePoint site, users affected by this policy will not be able to download, print, or sync files from the site to their OneDrive. Only users or groups that are specifically excluded from this policy will retain the ability to download and sync files.

The article you mentioned has also clearly pointed out: https://learn.microsoft.com/en-us/sharepoint/block-download-from-sites. User's image Regarding your PowerShell command, I noticed that using the group name (display name) in the -ExcludeBlockDownloadSharePointGroups parameter may not always work as expected. This is because group names can be duplicated or contain special characters, which can cause PowerShell to not recognize the group correctly.

To ensure the exclusion works reliably, I recommend using the Object ID of your M365 group instead of the group name. The Object ID is a unique identifier for each group in Microsoft Entra (formerly Azure Active Directory).

Here’s how you can find the Object ID in Entra:

Go to https://entra.microsoft.com
In the left menu, select Groups
Search for your group and click on it
On the group overview page, you will see the Object ID field. Please copy this value

Once you have the Object ID, please try running the PowerShell command again:

Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -ExcludeBlockDownloadSharePointGroups "<object-id>"

(Replace <object-id> with the actual Object ID you copied from Entra.)

If you want to exclude multiple groups, separate their Object IDs with commas.

After running the command, please allow some time for the policy to take effect, and then test if members of the excluded group can download and sync as expected.

If you encounter any issues, or if there’s anything I’ve explained that is unclear or if I have misunderstood any part of your situation, please feel free to let me know. We’ll work through this together and find the best solution for your needs.

If the answer is helpful, please click "Accepted Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". User's image

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Cristina 0 Reputation points

2025-08-01T04:33:45.57+00:00

Hello,

I already tried the -ExcludeBlockDownloadSharePointGroups command and even used -ExcludedBlockDownloadGroupIds both showed errors where the group I am adding to exclude is not part of the site members. Note that the group I am using is the M365 group that created the site itself and the members managed either in Entra groups or Sharepoint members in sharepoint admin portal.

Error in powershell:

Set-SPOSite: Cannot set BlockDownloadPolicy on the site because the group 91c5aabe-0982-4ca4-ba27-c93353c5fd48 is not a member of the site. Please ensure that all the provided group ids are members of the site.

The group cannot be added as a "site member" as well since it is already added as "<group name> members" with the matching email address of the M365 group
Nghia-P 2,435 Reputation points Microsoft External Staff Moderator

2025-08-01T12:49:20.2666667+00:00
Hi Cristina

Have a good day and I hope you're doing well!

Thank you so much for your response. Following up on our previous discussion regarding the Block Download Policy for your SharePoint site, I wanted to share some positive progress. I've replicated your scenario in my virtual environment and successfully applied the policy with exclusions. The key difference that made it work was ensuring the exact group name includes "Members" (or "Owners" if applicable) as it appears in the Site Permissions. This precise naming is crucial for the exclusion to take effect without errors like "group is not a member of the site."

Here's the updated PowerShell command that worked in my tests:

Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -ExcludeBlockDownloadSharePointGroups "<Group Name> Members"

Replace <SiteURL> with your site's URL (e.g., https://contoso.sharepoint.com/sites/ProjectTeam).

Replace <Group Name> Members with the exact name from Site Permissions (e.g., "ProjectTeam Members").

If you're excluding multiple groups (e.g., members and owners), use a comma-separated list: "<Group Name> Members,<Group Name> Owners".

After running the command, verify the results with this check:

Get-SPOSite -Identity <SiteURL> | Select BlockDownloadPolicy, ExcludeBlockDownloadSharePointGroups, ExcludedBlockDownloadGroupIds, ExcludeBlockDownloadPolicySiteOwners

This will confirm if the policy is enabled and the exclusions are correctly applied.

For reference, here's the result I obtained after applying the block in my test environment:

I understand how frustrating these configuration issues can be, especially with permissions and group syncing in SharePoint. If you run into any further challenges or have questions about implementing this, please let me know. I'm here to help! Wishing you a smooth and productive day ahead!
Nghia-P 2,435 Reputation points Microsoft External Staff Moderator

2025-08-05T05:56:05.7133333+00:00

Hi Cristina

Have a good day and I hope you're doing well!

Just wondering if there’s been any progress on this thread. If your issue has been resolved, please consider marking it as “Accepted Answer” so others facing similar issues can find it more easily. This helps others in the community too. Thanks for your understanding and support!
Cristina 0 Reputation points

2025-08-06T01:42:40.17+00:00
Hi Nghia-P

Apologies for taking a while to get back to you. We have tested the script

Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -ExcludeBlockDownloadSharePointGroups "<Group Name> Members"

Get-SPOSite -Identity <SiteURL> | Select BlockDownloadPolicy, ExcludeBlockDownloadSharePointGroups, ExcludedBlockDownloadGroupIds, ExcludeBlockDownloadPolicySiteOwners

however the block still applies to members.
Nghia-P 2,435 Reputation points Microsoft External Staff Moderator

2025-08-06T08:28:14.19+00:00
Hi Cristina,

Have a good day and I hope you're doing well!

Thank you for your update and for trying the scripts. I truly appreciate your patience and the details you've shared so far. Rest assured, I'm fully committed to helping you resolve this step by step.

In the meantime, if you haven't already, let's try one more variation to ensure we're covering all bases:

1. First, please run:

Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true -ExcludeBlockDownloadSharePointGroups "<Exact Group Name from Above>" -ExcludeBlockDownloadPolicySiteOwners $true

2. Wait 15-30 minutes, then verify with the Get-SPOSite command.

This variation adds the -ExcludeBlockDownloadPolicySiteOwners $true parameter to explicitly exclude site owners. The reason I'm suggesting this is that it could be the reason in your scenario: When a SharePoint site is created from a Microsoft 365 group (such as through Teams), the group often overlaps in roles meaning the same users can be both owners and members (e.g., mapped to both "<Group Name> Owners" and "<Group Name> Members" in SharePoint). This overlap can cause the block policy to still apply unexpectedly to some members if owners aren't fully excluded, even if the command runs without errors. By adding this parameter, we're ensuring owners (and any overlapping users) are protected from the policy, which has resolved similar issues in other reported cases.

To better diagnose what's going on, could you please share a screenshot of the exact script you ran (including the commands and their output)? For example, show the Set-SPOSite command with your inputs and the results from Get-SPOSite -Identity <SiteURL> | Select BlockDownloadPolicy, ExcludeBlockDownloadSharePointGroups, ExcludedBlockDownloadGroupIds, ExcludeBlockDownloadPolicySiteOwners. This will help me spot any subtle differences, like group naming or propagation issues, without needing access to your environment.

As a moderator on the Microsoft Q&A Forum, I can't directly access or view the content of the scripts you've run in your tenant. That's for privacy and security reasons. I can only replicate scenarios in my virtual environment and provide guidance based on that, along with official documentation. I understand your situation completely, and I'm here to support you fully within these bounds. We'll work through this together!

I understand your feelings, and I know troubleshooting can take a lot of time. I truly appreciate your efforts. More than anyone, I always want our customers to have the best experience and the most effective results. I'm always here and ready to help, so rest assured.

Wishing you a smooth and productive day ahead!
Nghia-P 2,435 Reputation points Microsoft External Staff Moderator

2025-08-08T07:53:46.3633333+00:00

Hi Cristina,

We’d love to hear back from you whenever you're ready.

If you feel this helped point you in the right direction, you're more than welcome to mark it as "Accepted Answer". This also helps me keep track of your case and continue supporting you as best I can. This can make it easier for others facing a similar issue to find their way to a solution, too.

If there’s any update, please don’t hesitate to let us know.

Share via

Block Downloads but Can still Sync Folder in OneDrive

1 answer

Your answer