You try to download a file from OneDrive in your browser and see an error message saying the download is blocked. This happens because your organization uses Microsoft Entra Conditional Access policies to control how data leaves the tenant. The policy specifically targets browser download actions and blocks them based on conditions like device compliance, location, or sign-in risk.
This article explains why Conditional Access blocks browser downloads, how to identify the exact policy causing the block, and what steps you can take to resolve it. You will also learn about related blocking scenarios and how to request exceptions from your IT team.
Key Takeaways: Understanding and Resolving OneDrive Browser Download Blocks
- Microsoft Entra admin center > Conditional Access > Policies: The location where administrators create and manage policies that control browser download behavior for OneDrive and SharePoint.
- Session control > Use app enforced restrictions: The specific Conditional Access setting that blocks downloads when a device is non-compliant or from an untrusted network.
- Browser download block error message: The exact text you see indicates which policy is blocking the action, including the policy name and the condition that was violated.
Why Conditional Access Blocks OneDrive Browser Downloads
Conditional Access is a feature in Microsoft Entra ID that evaluates every sign-in request against a set of policies. When you attempt to download a file from OneDrive in a web browser, the request triggers a Conditional Access evaluation. If the policy conditions are not met, the download is blocked.
The most common conditions that block browser downloads include:
- Device compliance: The device you are using must be marked as compliant in Microsoft Intune. Personal devices or devices that have not enrolled in management are often blocked.
- Location: The policy may restrict downloads to specific IP address ranges, such as the corporate office network. Downloads from home or public Wi-Fi are blocked.
- Sign-in risk: Microsoft Entra ID Protection calculates a risk level for each sign-in. High-risk sign-ins from unfamiliar locations or anonymous IP addresses trigger download blocks.
- Client app: The policy may target browser-based access specifically. The OneDrive desktop app or mobile app may be allowed while the browser is blocked.
The block is enforced through a session control setting called Use app enforced restrictions. When this setting is enabled, the browser receives a signal from Microsoft Entra ID that instructs OneDrive to block download, print, or sync actions. The user sees a red banner at the top of the OneDrive page stating that downloads are not allowed.
How to Identify Which Conditional Access Policy Is Blocking You
When a download is blocked, the error message in the browser includes the name of the Conditional Access policy that triggered the block. You can use this information to understand which condition was violated.
- Open the OneDrive download error message
Click the red banner at the top of the OneDrive page that says Download blocked. Your organization’s security policy prevents this action. A detailed dialog opens. - Read the policy name and condition
The dialog shows the exact name of the Conditional Access policy, the condition that was not met, and the date and time of the block. For example: Policy: Block downloads from non-compliant devices. Condition: Device is not compliant. - Check the sign-in logs
If the error dialog does not show enough detail, sign in to the Microsoft Entra admin center and navigate to Identity > Monitoring & health > Sign-in logs. Filter by your user name and the time of the block. Select the failed sign-in event and click the Conditional Access tab to see which policies applied. - Copy the policy name and share it with your IT team
Your IT administrator can modify the policy or create an exception for your user account or device. Provide them with the exact policy name and the condition that failed.
Steps to Unblock OneDrive Browser Downloads
You cannot override a Conditional Access policy from your user account. The block is enforced at the tenant level. However, you can take several actions to resolve the block depending on the condition that is failing.
If the Block Is Due to Device Compliance
- Enroll your device in Microsoft Intune
Open the Company Portal app on your Windows device and follow the prompts to enroll. If you are on a personal device, use the Company Portal website to enroll as a personal device. - Wait for the compliance check to complete
After enrollment, the device status updates within a few minutes. Refresh the OneDrive page in your browser and try the download again. - Check device compliance status
Open the Company Portal app and go to Devices. Your device should show Compliant. If it shows Not compliant, run any pending updates or install required security software as instructed by your IT team.
If the Block Is Due to Location
- Connect to the corporate network
Use a VPN client provided by your organization to connect to the corporate network. Once connected, refresh the OneDrive page and attempt the download. - Request a location exception
If you need to download files from a remote location regularly, ask your IT team to add your home or travel IP address to the trusted locations list in the Conditional Access policy.
If the Block Is Due to Sign-in Risk
- Sign out and sign in again
Sign out of your Microsoft 365 account in the browser, close the browser, and sign in again from a trusted network. This reduces the sign-in risk score. - Use multi-factor authentication
Completing a multi-factor authentication prompt during sign-in lowers the risk level. Ensure you have MFA set up for your account.
Request a Policy Exception from IT
If none of the above steps work, submit a request to your IT helpdesk. Include the policy name from the error dialog, your user name, and the reason you need to download files from the browser. The administrator can create an exclusion group that bypasses the policy for your account or device.
If OneDrive Browser Downloads Are Still Blocked After the Main Fixes
Downloads are blocked only for specific file types
Some Conditional Access policies target file types like executables or scripts. Check the error dialog for a message about file type restrictions. If present, request that your IT administrator review the policy and add your file type to the allowed list.
The download button is grayed out but no error message appears
This is usually caused by a SharePoint site-level permission rather than a Conditional Access policy. Verify that you have at least Contribute permission on the document library. Contact the site owner to request higher permissions.
Downloads work in the OneDrive desktop app but not in the browser
The Conditional Access policy is likely configured to block browser-based access only. The desktop app uses a different authentication flow that may be allowed. If you need browser access, request an exception from IT as described above.
Browser Download Blocked vs Desktop App Download Blocked: Key Differences
| Item | Browser Download Blocked | Desktop App Download Blocked |
|---|---|---|
| Conditional Access target | Session control for browser-based access only | Device compliance or sign-in risk for app-based access |
| Error display | Red banner inside OneDrive web page | Sync icon shows a red X or error code in the system tray |
| Common cause | Location or client app condition | Device non-compliance or high sign-in risk |
| Resolution | Connect to corporate network or request location exception | Enroll device in Intune and meet compliance requirements |
| User action required | Change network or request IT exception | Enroll device or install required security software |
You can now identify the specific Conditional Access policy that is blocking your OneDrive browser downloads and take the appropriate action to resolve it. If you frequently need to download files from a browser, ask your IT team to add your device to an exclusion group or to adjust the location conditions. For advanced scenarios, review the Microsoft Entra sign-in logs to see all policies that apply to your session. This data helps you understand the full security posture of your access.