❗️ Vulnerability for #SharePoint download restrictions ❗️
#Microsoft released a #PowerShell cmdlet to activate the web-only mode for sensitive #SharePoint, #Teams or #OneDrive sites. Thus, users should not be able to download, sync or print files:
https://learn.microsoft.com/en-us/sharepoint/block-download-from-sites
But I found a little hack to bypass the download restriction: Just add a shortcut to OneDrive for the respective document library. Consequently, in the OneDrive web interface, you can download the “protected” library as a .zip archive.
Until Microsoft provides a fix, you could use JSON formatting for list views and hide the “addShortcut” button (security by obscurity):
https://learn.microsoft.com/en-us/sharepoint/dev/declarative-customization/view-commandbar-formatting
Alternatively, you must globally deactivate the “Add shortcut to OneDrive” button for all sites in the tenant. You cannot scope the cmdlet to specific sites:
https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps#-disableaddshortcutstoonedrive
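
The two mitigations above as a PowerShell sketch. This is an added example, not part of the original post or Microsoft's documentation. The tenant and site URLs and the library name are placeholders, and using the PnP.PowerShell module to apply the view formatting is an assumption (the post does not say how the JSON is applied).

```powershell
# Added example. All URLs and the library name below are placeholders.
$adminUrl = 'https://contoso-admin.sharepoint.com'             # placeholder
$siteUrl  = 'https://contoso.sharepoint.com/sites/Sensitive'   # placeholder
$library  = 'Documents'                                        # placeholder

# --- Mitigation 1: tenant-wide switch (cannot be scoped to a single site) ---
# Requires the Microsoft.Online.SharePoint.PowerShell module.
Connect-SPOService -Url $adminUrl
Set-SPOTenant -DisableAddShortcutsToOneDrive $true
# Read the setting back to confirm it was stored.
(Get-SPOTenant).DisableAddShortcutsToOneDrive

# --- Mitigation 2: hide the button per view (cosmetic, security by obscurity) ---
# Command bar formatting that hides the "addShortcut" command.
$formatter = @'
{
  "$schema": "https://developer.microsoft.com/json-schemas/sp/v2/row-formatting.schema.json",
  "commandBarProps": {
    "commands": [
      { "key": "addShortcut", "hide": true }
    ]
  }
}
'@

# Assumption: PnP.PowerShell is installed; recent versions also need -ClientId
# for an Entra ID app registration when signing in interactively.
Connect-PnPOnline -Url $siteUrl -Interactive

# View formatting is stored per view, so every view of the library is handled.
foreach ($view in Get-PnPView -List $library -Includes CustomFormatter) {
    if ($view.CustomFormatter) {
        # Do not overwrite formatting that is already in place.
        Write-Warning "View '$($view.Title)' already has formatting; add the commandBarProps entry by hand."
        continue
    }
    Set-PnPView -List $library -Identity $view.Id -Values @{ CustomFormatter = $formatter }
    Write-Output "Hid addShortcut in view '$($view.Title)'"
}
```

Because the formatting is stored on each view, a view created later does not carry it; rerun the loop after views are added.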