Forum Discussion
how to use labels to selectively allow / block download on SPO sites without authentication context?
I am looking for a way to use sensitivity labels to selectively allow or block download in Teams / SPO. I.E. container label A enforces limited, web only access, container label B allows full access...
I may have this figured out.
Most documentation I found appears to indicate that for sensitivity labels to block access, you need to first configure unmanaged device access control in SPO to allow limited access. This step is not required. Leaving that setting at full access and simply creating a CA policy to use app enforced restrictions on Office 365 allows you to then create a sensitivity label to provide granular control over labeled sites.
Once I switched the SP tenant setting back to full access, and removing the two CA policies it created, I was able to accomplish granular download control.
Most documentation I found appears to indicate that for sensitivity labels to block access, you need to first configure unmanaged device access control in SPO to allow limited access. This step is not required. Leaving that setting at full access and simply creating a CA policy to use app enforced restrictions on Office 365 allows you to then create a sensitivity label to provide granular control over labeled sites.
Once I switched the SP tenant setting back to full access, and removing the two CA policies it created, I was able to accomplish granular download control.