Forum Discussion
External Users Blocked from Downloading Files – Conditional Access Policy Stuck or Misbehaving?...
We recently updated and added several Conditional Access policies, including one that blocks downloading, printing, and syncing from unmanaged devices. This policy was initially tested with a small group of 2-3 users. However, we noticed that when employees share an external link, external recipients can log in but cannot download files. They see a yellow banner stating that "downloading, printing, or syncing is blocked etc."
We have since disabled related Conditional Access policies and waited the required 24 hours for changes to take effect. Additionally, Microsoft Support has been involved for three days but has not yet resolved the issue. Any suggestions?
Its an only cloud environment
Hi there, please check the SharePoint Admin Center under Policies. For unmanaged devices, you may need to set permissions to allow full access from desktop apps, mobile apps, and the web.
After making these adjustments, I noticed that external users were able to download files I shared with them. My assumption is that if the external users are on a company-managed device, they’ll also see the download button.
Of course, providing external users with company-managed laptops isn’t practical, but this permissions change should allow them to access and download files securely without needing specific device management.
Hope this help!!
Hi thanks for replying, yes this setting is on allow full access, even if we try to change it we get an error. The error says. The remote server returned an error (403) Forbidden.
Hi, if that is the case, please raise an official Microsoft Support ticket and ask for help!
Hello,
My guess is that your problem is caused by a conflict with another policy. I can make some suggestions.
Verify Policy Propagation: Confirm in the Azure AD portal that the Conditional Access policy is indeed disabled for all relevant users. Sometimes, it helps to refresh the session for affected users by having them log out and log back in.
Check for Other Conflicting Policies: Other Conditional Access policies, Intune configurations, or SharePoint/OneDrive sharing settings might still be enforcing restrictions on unmanaged devices. Review all active policies that could impact external access and file download permissions.
Clear Cached Policies: Sometimes cached policies can cause issues. Ask external users to clear their browser cache or try accessing the link in an incognito/private browsing session.
Check Compliance Policies on SharePoint/OneDrive: Some settings within SharePoint or OneDrive compliance policies might restrict downloads based on device trust. Go to the SharePoint Admin Center or OneDrive settings to ensure there are no download restrictions set at the service level.
Audit Logs: Use the Azure AD Sign-In logs to check if there are any Conditional Access or compliance errors associated with these users’ access attempts. This may provide insights into which specific rule or condition is still applying.
Re-enable and Re-disable the Policy: Sometimes, toggling the policy off and on again can help refresh its status.
If it is not resolved, please let me know.
Best Regards,
Ali Koc
Thanks for replying, Ali!
We checked everything, but the issue persists. External share links still can’t download. We also tried changing settings in the SharePoint admin center, but encountered an error:
"The remote server returned an error: 403 Forbidden."
We attempted several PowerShell commands, like setting BlockDownloadPolicy to false, but no response.
We suspect the issue might be due to the feature being in preview mode. Hoping Microsoft Support finds a solution soon.
We try to work with the new CA block downloads (preview) function that we think is causing this problem..
