Nov 12 2018 04:48 PM
Nov 12 2018 09:30 PM
Nov 12 2018 10:34 PM
I agree with Adam that Azure Information Protection (AIP) is the way to go as you can revoke permissions to the file at any time, as well as see where in the world the file has been opened, etc. It's very powerful!
The OneDrive/SharePoint solution mentioned sounds good too, but no solution is foolproof as people can take a photo with their camera, etc., as a workaround (out of any software vendor's control).
Just pointing this out for your awareness. You may also want to include a disclaimer about privacy/confidentiality that users accept when opening the file.
Best wishes!
Damien
Nov 12 2018 10:57 PM
Nov 13 2018 03:37 AM
Nov 15 2018 10:56 AM
With the new sensitivity labels functionality available in Office 365, you can create a new label with encryption, assign the rights to the external people you want to have access to read (but maybe not print or copy) the document, and put the document in the SharePoint library owned by the team. It's a variant of what I discuss in https://www.petri.com/protecting-office-365-document-libraries-guest-users
If you need more information about sensitivity labels, they're available online or in the Office 365 for IT Pros eBook (Chapter 24).
Nov 15 2018 11:19 AM
-1 for AIP policies, it kind of does the opposite of what's being requested in that it would force everyone to download the file in order to view it. Yes it's secure and protected when downloaded, but the user inconvenience of not being able to view online, co-edit or be searched for is pretty significant. If you are also assuming that it will just work for external guests who could have all sorts of different versions of Office you can expect a bumpy ride.
You can prevent download from SharePoint using site-scoped conditional access, that way you would retain all the behaviour but be unable to download. See https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Conditional-Access-8220-limit...
Nov 15 2018 02:56 PM
Nov 16 2018 02:27 PM
@Damien Rosario yes AIP has those features, but it currently also has the downsides I discussed. Using an AIP protected document through Teams is a significantly compromised experience where you need to open in Word/Excel/Ppt just to view.
I think blocking copy etc isn't really a control, a user can still take a photo of the screen, you are just making it more fiddly.
Nov 16 2018 03:05 PM
The user experience around protected documents stored in SharePoint could be considerably enhanced. It's kind of stuck around 2000 whereas the protection of email has moved forward quite nicely.
Even so, I think there is value in protecting really confidential documents with rights management. Sure, the preview won't work (along with other issues like no co-authoring and an inability to search for protected content), but if it is confidential material I think people understand that they have to go through a process to access it. After all, if you receive confidential information in the mail, you likely have to sign for the letter and then open a much more protected envelope than the norm.
Nov 18 2018 03:29 PM
Both sides have merit and I get where you are coming from Steven, however I agree with Tony on this one.
Trading off the ease of use of loading a doc in the web browser versus the enhanced lockdown security of AIP (with some extra steps), I'd be going with that. But then again each to their own based on one's needs!
I am loving this intellectual discussion of ideas and philosophies on security but I will also say to @Rinch Anderson to please accept our apologies for hijacking your question.
The AIP discussion is the next evolution of digital security (takes it to a whole new level) that you may want to consider in the future, but it isn't related to your SharePoint question about preventing users from downloading a file!
Hopefully though the info helps in some future planning.
Cheers
Damien
Dec 14 2020 08:33 AM
@Steven Collier, I tried this limited access setting for SharePoint once and it broke all our MAM-only Mobile devices' access to OneDrive. Started prompting users to enroll in Intune if they wanted to be able to access their OneDrive files. Needless to say I had to roll back the change and re-activate a bunch of mobile devices for MAM-only. At the time Microsoft was as surprised as I was (this was about 3 years ago) and said they would try to fix this cross-over issue between personal computers and personal devices, but from the article you linked it appears they are treating it as a feature now and not a bug so I assume this is never going to change now. This is disappointing for those of us that get all the security we need from Application Protection policies (MAM) and don't need the extra aggro of device enrollment, but still would like to allow limited SharePoint access on users' personal computers.
Dec 14 2020 09:41 AM
Hi @Derek Pickell, this is a very old thread from over 2 years ago, the options are very different now. MIP has largely replaced AIP and is now available in the browser.
Dec 14 2020 10:53 AM
Hi @Steven Collier, yes sorry I was venting my spleen on this thread because my boss recently asked me why we can't enable limited SharePoint access on personal computers for our staff and I was disappointed to find that even after all this time this option would still break our mobile MAM-only solution. Microsoft has just called it out (device enrollment) as an additional security feature so we have no choice but to implement it if we want limited SharePoint access. It rankles because the way we have MAM policies currently configured is sufficient to prevent data exfiltration. Device Enrollment, while preferred by me as an Admin, is not preferred by the thousands of personal device users we have on staff. I now have to explain to my management that we have to choose between mobile device enrollment and limited SharePoint access. We have DLP projects working on MIP but that won't prevent data downloads to personal devices which is what they are most concerned with.
Dec 14 2020 12:58 PM
I'm not really an expert in that area, but the SharePoint restrictions trigger Conditional Access policies; is it not possible to change the conditions on the policy to exclude iOS and Android but keep blocking Windows and Mac?
Like this ...
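Added example, not part of any post in this thread and not the configuration the poster above was pointing to: a PowerShell sketch of the two pieces discussed here, the site-scoped limited-access setting and a Conditional Access policy whose platform condition excludes iOS and Android. The tenant name, site URL and policy display name are placeholders, and the policy is created in report-only mode so its effect on MAM-only devices can be checked before anything is enforced.

```powershell
# Added example. Placeholders (assumptions): contoso tenant, /sites/Confidential, policy name.
#Requires -Modules Microsoft.Online.SharePoint.PowerShell, Microsoft.Graph.Identity.SignIns

$AdminUrl = 'https://contoso-admin.sharepoint.com'               # placeholder
$SiteUrl  = 'https://contoso.sharepoint.com/sites/Confidential'  # placeholder

# 1. Site-scoped limited access: on this one site, unmanaged devices get
#    browser-only access with no download, print or sync.
Connect-SPOService -Url $AdminUrl
Set-SPOSite -Identity $SiteUrl -ConditionalAccessPolicy AllowLimitedAccess
Get-SPOSite -Identity $SiteUrl | Select-Object Url, ConditionalAccessPolicy

# 2. Conditional Access policy that hands enforcement to SharePoint
#    ("use app enforced restrictions") for browser sessions, applied to all
#    device platforms except Android and iOS.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName = 'SPO limited access - browser - excl. mobile (example)'  # placeholder
    # Report-only: evaluated and logged, not enforced.
    state       = 'enabledForReportingButNotNotifying'
    conditions  = @{
        # Add excludeUsers for emergency-access accounts before enforcing.
        users          = @{ includeUsers = @('All') }
        # Well-known application ID of Office 365 SharePoint Online.
        applications   = @{ includeApplications = @('00000003-0000-0ff1-ce00-000000000000') }
        clientAppTypes = @('browser')
        platforms      = @{
            includePlatforms = @('all')
            excludePlatforms = @('android', 'iOS')
        }
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Report-only results show up per sign-in in the Azure AD sign-in logs; review them for the mobile users concerned before changing `state` to `enabled`.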