How to block download of Office 365 files on an unknown device

How to block download of Office 365 files on an unknown device

From 20 million to 44 million daily Microsoft Teams users by May 2020.

Video is used in 61% of all meetings in the Netherlands.

There has been a growth from 560 million to 2.7 billion minutes a day with Microsoft Teams call . source

But we use Microsoft Teams insecurely... On our own computers, or our mobile devices....

We all use Microsoft Teams

Collaboration is possible with Microsoft Teams. Real collaboration, secure file sharing, remains a huge challenge as we work more from home, or on our own computers.

Since the covid-19 crisis, several organisations have adapted to move away from corporate-devices towards private-devices. In itself a good move for people who prefer to work on their own devices.

Unfortunately, we have reached a point where organisational documents end up on every device. And as a company, you'd rather not have that. In this blog, I provide a practical guide to adjusting this behaviour.

How to handle files safely in Microsoft Teams?

How can you keep documents safe on organisational devices?

  • What you see in this screenshot is 2x a Microsoft Edge browser.
  • On the left you can see a browser 'connected' to a Windows 10 device. (condition)
  • On the right, a 'browser' that we do not trust. A device strange to the organisation.

Short demo video of conditional access for documents in Teams

  • in the clink I work with your trusted web browser in a word document. I am allowed to download this because the device is known. (on condition, conditional access)
  • If the device is not known, as in the view on the right, then I cannot download it - but I can edit online .

Personalised display of the security warning in Teams

It is best to communicate clearly so that users understand what is wrong when you want to activate new policies.

Users work on a device that is not protected by the organisation. They can work on documents, they can collaborate. But on the basis of the proposed framework.

Do not download. Could be an agreement you make to never leak documents on devices foreign to the organisation.


How do you work with documents with this secure setup?

Users logging in to a system that is not managed by the organisation will get this view when they log in to Microsoft Teams via the web browser.

It is still possible to work online , edit the document or share it within the organisation. But downloading is no longer possible.

For the IT Administrators, there are insights

Microsoft is good at bringing together capabilities of the multiple platforms.

In the Microsoft Cloud App portal Security you will see the attempts to download the document. You can later link automatic actions to this if you wish.


Licence requirements for this blocking of document downloading in Microsoft Teams

In order to use Conditional Access, you need at least a Azure AD Premium P1 licence.

Cloud App Security is required to gain the insights shown above.

Some licences include Cloud App Security Discovery.

Microsoft 365 E3, Microsoft 365 E5 are always right for you. It is also possible with fewer licences.

Installing the Intune Company Portal in Android

If you want to open a document in Android, your Android device will ask you to install the Intune Company Portal.


Device and rollers


The document security roadmap in 5 steps

Multi-Factor Authentication - It is illogical for users to have a secure device without using MFA. If a hacker or a colleague has the password, they can also log in to Office 365.

Conditional Access - based on conditions, you can automatically make decisions and add extra security layers as the security risk increases.


Self-service password reset - to help users reset their passwords themselves. But also to ensure that you can use the extra security features for Teams. Users can help themselves with this feature. Users can log in passwordlessly (without entering a password) with their smartphone and they are happy about it.


EndPoint Security - protect your mobile devices and your Windows 11 devices. It is quite easy to turn on a PIN code + data check (MAM) on BYOD. This has no impact on the person and requires no management of the device. It does require management of the organisational application. Such as Teams, OneDrive, SharePoint,..

Information protection - Of course you have noticed that you can still send documents to colleagues or external contacts. If you want to solve this, it is necessary to go for even more security. You can use information protection.



Welcome to On this website you can read articles and experiences about Office 365 with focus on Microsoft Teams. Feel free to ask me a question and I will answer it in a blog post. Help others by giving feedback at the bottom of the articles. This blog is made in Dutch. The multilingual website is offered with best-effort machine translation.
0 0 votes
Product review
Please let us know if there are
0 Reactions
Inline feedbacks
See all comments
Would love to know your thoughts, please leave a comment.x