To ensure users cannot download or print document files, you can use Microsoft Entra ID in combination with Microsoft Purview Information Protection and Conditional Access policies.
- Enable Azure Information Protection (AIP):
  - Use Microsoft Purview Information Protection to apply labels that classify and protect documents.
  - Create a custom label that applies restrictions such as "view-only," disabling download and print options.
- Configure Protection Settings in the Label:
  - In the AIP or sensitivity label configuration:
    - Set permissions: Choose "Viewer" or "Read-only" permissions.
    - Disable downloading, copying, or printing.
    - Assign this label to the required documents.
- Apply Conditional Access App Control:
  - Configure Conditional Access policies in Microsoft Entra ID with Session Controls:
    - Navigate to Microsoft Entra admin center → Security → Conditional Access.
    - Create a policy that applies to cloud apps like SharePoint Online or OneDrive.
    - Enable Session Control and select Use Conditional Access App Control.
    - Use Microsoft Defender for Cloud Apps (MDCA) to enforce session policies:
      - Create a session policy to block download and printing actions.
- Restrict Access for Specific Groups:
  - Scope the policy to target specific users or groups who should have restricted access.
This approach should work for files stored in SharePoint Online, OneDrive, or other supported cloud applications. To extend control, you can combine this with Conditional Access App Enforcement to ensure files remain protected outside the controlled environment.
hth
Marcin
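The Conditional Access step described in the answer above can also be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original answer: the group ID is a placeholder, the display name is constructed, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module and an
# account that is allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of the group whose members get the restricted session.
$restrictedGroupId = '<restricted-group-object-id>'

# Well-known application ID of Office 365 SharePoint Online (OneDrive is covered by it).
$sharePointOnlineAppId = '00000003-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'Restricted session - SharePoint and OneDrive'   # constructed name
    # Report-only first: sign-ins are evaluated and logged, nothing is enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($restrictedGroupId) }
        applications   = @{ includeApplications = @($sharePointOnlineAppId) }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # 'mcasConfigured' hands the session to Defender for Cloud Apps so a
            # custom session policy (block download, block print) can apply.
            cloudAppSecurityType = 'mcasConfigured'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the scope and session control that were stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name           = $check.DisplayName
    State          = $check.State
    Groups         = $check.Conditions.Users.IncludeGroups -join ','
    Apps           = $check.Conditions.Applications.IncludeApplications -join ','
    SessionControl = $check.SessionControls.CloudAppSecurity.CloudAppSecurityType
}
```

The session policy that actually blocks download and print is still created in Microsoft Defender for Cloud Apps; this policy only routes the scoped users' sessions through it.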