Both SharePoint Online (including OneDrive for Business) and Exchange Online allow a read-only mode to be implemented. When this is enabled, documents can be viewed in the browser only and cannot be downloaded.
Create a new OwaMailboxPolicy and set the ConditionalAccessPolicy setting. Once that is done you may apply the same policy to the selected users.
Create a new Web App Policy
To create a new policy, go to Exchange Admin Center > Permissions > Outlook Web App policies
Go to Exchange Admin Center > recipients > Mailboxes > Properties > Mailbox features > Email Connectivity > View details > Assign the newly created Outlook Web App policy.
Connect to the M365 PowerShell module to set the ConditionalAccessPolicy setting.
Connect-ExchangeOnline -UserPrincipalName <Username>
Set-OwaMailboxPolicy -Identity <OwaMailboxPolicy-Name> -ConditionalAccessPolicy ReadOnly
Note: The Get-OwaMailboxPolicy command can be used to see the current configuration. The default configuration is "Off".
Note: If you want to block attachments completely, use this command:
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked
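The following PowerShell check is an added example, not part of the original post: it reports which mailboxes are assigned an OWA mailbox policy whose ConditionalAccessPolicy is still "Off", so the restriction would not take effect for them. The function name Get-OwaRestrictionCoverage, the policy name Owa-ReadOnly and the sample objects are constructed for illustration; it assumes a mailbox with no explicitly assigned policy uses the policy flagged IsDefault.

```powershell
# Added example: report which mailboxes are covered by an OWA policy that
# enforces ReadOnly or ReadOnlyPlusAttachmentsBlocked.
function Get-OwaRestrictionCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,   # as returned by Get-OwaMailboxPolicy
        [Parameter(Mandatory)] [object[]] $Mailboxes   # as returned by Get-CASMailbox
    )
    $restricting = 'ReadOnly', 'ReadOnlyPlusAttachmentsBlocked'

    # Index each policy's ConditionalAccessPolicy value by policy name.
    $modeByName = @{}
    foreach ($p in $Policies) { $modeByName[[string]$p.Name] = [string]$p.ConditionalAccessPolicy }

    # Assumption: a mailbox with no explicit policy uses the one flagged IsDefault.
    $default = $Policies | Where-Object { $_.IsDefault } | Select-Object -First 1

    foreach ($m in $Mailboxes) {
        $policyName = [string]$m.OwaMailboxPolicy
        if (-not $policyName -and $default) { $policyName = [string]$default.Name }

        $mode = if ($policyName -and $modeByName.ContainsKey($policyName)) { $modeByName[$policyName] } else { 'Unknown' }

        [pscustomobject]@{
            Mailbox    = [string]$m.Identity
            OwaPolicy  = $policyName
            Mode       = $mode
            Restricted = $restricting -contains $mode
        }
    }
}

# Constructed sample data (not from a real tenant) so the function runs offline.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; IsDefault = $true;  ConditionalAccessPolicy = 'Off' }
    [pscustomobject]@{ Name = 'Owa-ReadOnly';             IsDefault = $false; ConditionalAccessPolicy = 'ReadOnly' }
)
$sampleMailboxes = @(
    [pscustomobject]@{ Identity = 'test1'; OwaMailboxPolicy = $null }
    [pscustomobject]@{ Identity = 'test2'; OwaMailboxPolicy = 'Owa-ReadOnly' }
)

# Mailboxes listed here are on an OWA policy that is not in a read-only mode.
Get-OwaRestrictionCoverage -Policies $samplePolicies -Mailboxes $sampleMailboxes |
    Where-Object { -not $_.Restricted } | Format-Table -AutoSize

# Live use after Connect-ExchangeOnline:
#   Get-OwaRestrictionCoverage -Policies (Get-OwaMailboxPolicy) -Mailboxes (Get-CASMailbox -ResultSize Unlimited)
```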
Create a Conditional Access Policy to Control the conditions.
In the Azure portal, create a new Conditional Access policy with the settings below:
Assignments > Users and groups: Select appropriate users and groups to include and exclude.
Note: Include the users/groups for whom download/view should be blocked in Exchange Online.
Assignments > Cloud apps or actions > Cloud apps > Include > Select apps: Select Office 365 Exchange Online
Access controls > Session: Select Use app enforced restrictions
End User Experience: Exchange Online
The screenshot below was taken while logged in as test2, to whom the CA policy has been applied.
Follow the configuration below to extend the read-only and attachment download restrictions to SharePoint and OneDrive.
Go to M365 Admin Center > SharePoint Admin Center > Policies > Access Control > Unmanaged devices
Enable "Allow Limited, Web-only access"
Note: We can also use the SharePoint PowerShell admin console to set this up. If you use the PowerShell admin console, use the command below.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
Note: When we select "Allow limited web-only access", the two Conditional Access policies below are created automatically. However, since I handle the same in a separate policy, I have disabled these policies. Please refer to the screenshot below.
In the Azure portal, add SharePoint Online to a Conditional Access policy with these settings:
Assignments > Cloud apps or actions > Cloud apps > Include > Select apps: Select Office 365 Exchange Online
Note: We can either use the same policy that we used for Exchange Online above or a separate one for SharePoint. I have used the same policy here.
End User Experience: SharePoint
Thank You!