Prevent users from making copies of SharePoint/OneDrive data that was downloaded via sync app

We have a client who is planning to roll out OneDrive for Business and SharePoint. The goal is to allow users to synchronize [SharePoint/OneDrive] libraries on their laptops, using the sync app.


We already put in place policies to prevent users from syncing from non-domain-joined computers, and their hard drives are also encrypted (in case a laptop is stolen). We know you can limit actions on data in the portal, such as copying, forwarding, saving-as, downloading, etc.


The main concern, however, is how do we prevent users from making copies of the files that will reside on their laptops once the libraries have been synced on their laptops.


The focus of this post is not on an outside attacker, but rather on the employee themselves. For instance, a user may not necessarily need to get fired to be disgruntled and make copies of the data before departing; s/he may make a copy of the data anytime prior to the termination. How do we prevent this? Or is it even possible?

IRM can limit actions on downloaded files for users with Read Only permissions, but users with Edit or Full Control will be able to take the data wherever they want.

If necessary, access to IRM protected documents can be revoked, which is what @Marcelo Gonzalez needs, if I understand well...

I think they want users to work normally on their synced files, but prevent them from taking the data somewhere else. You cannot do that with IRM.

My understanding is instead that he wants to revoke access after the firing of an employee, which is exactly what IRM allows...

That's correct, Pablo. The goal is for users to work normally on their synced files, but prevent them from taking the data somewhere else by making copies of it. It's very hard to strike such a balance, as users want to work with their data locally, but we don't want them to make copies of it.


So, even with Windows 10 + IRM, users will still be able to copy the data, huh?

Thanks for the feedback and the contribution, @Salvatore Biscari.


To clarify the goal: the goal is to prevent employees from making copies of the data; not necessarily when an employee termination takes place, but at any time. Revoking access is the easy part; the hard part is to provide access to the data without allowing the data to be copied.

That's correct, IRM won't prevent users with the proper permissions from taking the data somewhere else.
Take a look at the links I pasted about Windows Information Protection working with Intune or System Center policies. I think that's what you need.

Hi Marcelo, we are looking for similar capabilities. Could you please let us know if this served your needs?