Configure Document Libraries with Default Sensitivity Label for Downloaded Files
I think most people will agree that it’s good to protect confidential information. In a Microsoft 365 context, protection through the Azure rights-management encryption service is available through sensitivity labels, which can be applied manually (with E3 licenses) or automatically (with E5). Automatic application includes configuring document libraries with a default sensitivity label. When a document library has a default sensitivity label, SharePoint Online applies the label to new and modified Office and PDF files (if unlabeled). It’s a great way to make sure that items stored in document libraries receive protection with minimal impact on users.
Extending the concept to ensure that Office documents downloaded from libraries receive protection is a logical next step. The feature is relatively new, but the announcement in message center notification MC1208688 (29 December 2025, Microsoft 365 roadmap item 468888) that the Office Online applications will support sensitivity labels with user-defined permissions (UDP) caused me to take another look. Extending protection for downloaded files depends on sensitivity labels with UDP, hence the connection.
Preparing SharePoint Online
Sensitivity labels can protect files with preconfigured administrator-defined permissions or with UDP. The big difference is that file owners can configure UDP on a per-file basis. SharePoint Online has supported labels with administrator-defined permissions for years, but only added support for UDP labels in March 2025. This was an important step forward because it unlocked support for files protected by UDP labels in Purview solutions like DLP and eDiscovery.
To enable SharePoint Online to extend protection for downloaded Office files, an administrator must update tenant settings by running the Set-SPOTenant cmdlet. Make sure that you use the most recent version of the SharePoint Online management PowerShell module and run the command as follows.
Set-SPOTenant -ExtendPermissionsToUnprotectedFiles $true

Confirm
This cmdlet requires a premium license to access its full functionality. To learn more about the licensing requirements, as well as the general capabilities and limitations associated with this feature, please refer to the detailed documentation available at: https://aka.ms/ExtendSharePointPermission.
[Y] Yes [N] No [?] Help (default is "Y"): y
The warning about the premium license refers to SharePoint Advanced Management,
Wait a couple of hours to allow the update to become effective across the tenant. You should then be able to update library settings to extend protection for downloaded files. The most important point here is that the default sensitivity label for the library must be a UDP label (Figure 1). Using a UDP label allows SharePoint Online to dynamically configure the permissions assigned for the label as it downloads the file from the library.
You cannot configure a document library to use one default sensitivity label for files added or modified in the library and a different label to protect downloaded files.
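Because the library's default label must be a UDP label, it helps to know which labels in the tenant qualify before changing library settings. The following is an added example, not code from the original article: it classifies labels by parsing the LabelActions property returned by Get-Label. The JSON key names (Type, disabled, protectiontype) and the sample labels are assumptions constructed for illustration, so check them against the output from your own tenant.

```powershell
# Added example: report whether each sensitivity label uses user-defined permissions (UDP).
# Assumption: every LabelActions entry is a JSON string, and the "encrypt" action
# carries a "protectiontype" setting of "template" or "userdefined".
function Get-LabelProtectionType {
    param([string[]]$LabelActions)
    foreach ($Json in $LabelActions) {
        # Skip entries that are not valid JSON rather than failing the whole report
        try { $Action = $Json | ConvertFrom-Json -ErrorAction Stop } catch { continue }
        if ($Action.Type -ne 'encrypt') { continue }
        # Flatten the Key/Value pairs into a hashtable for lookup
        $Settings = @{}
        foreach ($S in $Action.Settings) { $Settings[$S.Key] = $S.Value }
        if ($Settings['disabled'] -eq 'true') { return 'None' }
        switch ($Settings['protectiontype']) {
            'userdefined' { return 'UDP' }
            'template'    { return 'AdminDefined' }
            default       { return 'Unknown' }
        }
    }
    return 'None'   # no encrypt action found: the label does not encrypt
}

# Constructed sample labels (not real tenant data)
$SampleLabels = @(
    [pscustomobject]@{
        DisplayName  = 'Confidential - Owner Decides'
        LabelActions = @('{"Type":"encrypt","Settings":[{"Key":"disabled","Value":"false"},{"Key":"protectiontype","Value":"userdefined"}]}')
    }
    [pscustomobject]@{
        DisplayName  = 'Confidential - All Employees'
        LabelActions = @('{"Type":"encrypt","Settings":[{"Key":"disabled","Value":"false"},{"Key":"protectiontype","Value":"template"}]}')
    }
    [pscustomobject]@{
        DisplayName  = 'General'
        LabelActions = @()
    }
)

$SampleLabels | Select-Object DisplayName,
    @{ Name = 'Protection'; Expression = { Get-LabelProtectionType $_.LabelActions } }

# Against a live tenant, after Connect-IPPSSession:
# Get-Label | Select-Object DisplayName,
#     @{ Name = 'Protection'; Expression = { Get-LabelProtectionType $_.LabelActions } }
```

Only labels reported as UDP are candidates for a library default label that extends protection to downloaded files.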
Effect on Files in the Document Library
After selecting a default sensitivity label and choosing to extend protection for downloaded files, SharePoint Online scans the document library and applies the selected label to all unlabeled Office and PDF files. It also finds labeled files without encryption and replaces the existing label with the default label. In other words, all Office and PDF files in the document library are now protected.
If you decide not to extend protection to downloaded files and revert to the original document library configuration, SharePoint Online restores files to their original state by either updating (to the prior label) or removing sensitivity labels from files.
Usage Rights
When a file is downloaded, SharePoint Online checks the access the user has to the file and translates that access to UDP usage rights (see this table mapping permissions to usage rights). SharePoint Online then applies a sensitivity label with the appropriate usage rights to the file before it is downloaded. The labeling process also happens for local copies of files synchronized by the OneDrive client. Following the download, the usage rights set in the UDP label allow the user to open the file (Figure 2).
Many document libraries belong to sites associated with Microsoft 365 groups (teams). In these cases, the user is either a group owner or group member and will have owner or edit permission.
The Link to the Mother Ship
The real magic in this solution is that the permissions assigned to downloaded files only work when online access is available to SharePoint. Microsoft calls this a “just in time layer of protection.”
Offline access to labeled files isn’t supported because SharePoint needs to be able to validate that the user continues to have the right to access the file. For example, if the user’s level of permission to the content changes, SharePoint must be able to make that adjustment for the downloaded file. In addition, if the user is removed as a site (group) member, or the file is deleted from the site or moves to another site, or the site is deleted, SharePoint nullifies access, and the user can no longer open the file.
Interestingly, if a file is subject to a hold and is deleted, it is still present in the preservation hold library and access is maintained. Although labeled files cannot be copied or moved to a different site, they can be moved to a different document library within the site.
A New Possibility
Extending protection to downloaded files is an option that deserves consideration if you want to make sure that confidential material doesn’t leak. If the concern is to stop people from downloading files, SharePoint has a block download policy that can be applied to sites to force users to work with files online. The block download policy is licensed through SharePoint Advanced Management. Corporate culture and user work habits are just two of the factors that will drive the decision about which approach to take. It’s nice to have choice!

