I am looking for a way to use sensitivity labels to selectively allow or block download in Teams / SPO. I.E. container label A enforces limited, web only access, container label B allows full access. We are an AAD P1 / EMS E3 shop, so authentication context and MDCA are not options. I need this to be user-driven, so PowerShell scripts are not options.
There are a number of links out there that reference using the CA section in container labels (example below), however none that I have found specifically detail what we are looking to accomplish. Each link references the need to set the unmanaged device access control in SPO to limited, web only, which creates two CA policies that always override any label I attempt to create.
Any thoughts or info on how I could make this work would be greatly appreciated.
Most documentation I found appears to indicate that for sensitivity labels to block access, you need to first configure unmanaged device access control in SPO to allow limited access. This step is not required. Leaving that setting at full access and simply creating a CA policy to use app enforced restrictions on Office 365 allows you to then create a sensitivity label to provide granular control over labeled sites.
Once I switched the SP tenant setting back to full access, and removing the two CA policies it created, I was able to accomplish granular download control.