Block Downloads In MS TEAMS Thick Client For Non Managed Computers

How to remove the download, save as or print option from the MS Teams thick client application on unmanaged device, logged into your corporate tenancy via a conditional access policy.

  1. Create a group : Block_Teams_Thick_Client_Downloads
  2. Add users to the group you want to block access to download, save as or print.
  3. Create a new conditional access policy – Example : Block Teams Thick Client Downloads
    1. Users and Groups add “Block_Teams_Thick_Client_Downloads”
    2. Cloud Apps or Actions – Select Apps – MS Teams
    3. Conditions – Select Client Apps> Configure >Yes> Tick : Mobile Apps, Exchange and Other Clients. Untick Browser.
    4. Device state (Currently in preview) > Set exclude > Tick : Hybrid Azure AD joined and Device marked as compliant
    5. Grant – Select > Block Access and For Multiple controls > “Require one of the selected controls”

Useful links:

Block Access From Unmanaged Devices To SharePoint or Specific Sites

Block Access From Unmanaged Devices To SharePoint

From SharePoint Admin Center > Polices > Access Control

Click Unmanaged Devices

Note “To use this setting, get a subscription to Enterprise Mobility + Security and assign a license to yourself. ” See Microsoft Endpoint Manager | Microsoft 365 for more information

Select Block Access > Save

Block Access From Unmanaged Devices To SharePoint Specific Sites and Limit access using PowerShell.

Examples block download, save and print on unmanaged devices for a specific SharePoint site (SharePoint, OneDrive)

  • Limit access to a single site: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess

     

  • Block access to a single site: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy BlockAccess

     

  • Update multiple sites at once: (Get-SPOSite -IncludePersonalSite
    $true -Limit all -Filter
    “Url -like ‘-my.sharepoint.com/personal/'”) | Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess