Add support for ExcludeBlockDownloadSharePointGroups and ReadOnlyForBlockDownloadPolicy in Set-PnPSite

[sw-ms-chinmayaupadhyay]

Is your feature request related to a problem? Please describe.

Currently, the PnP.PowerShell cmdlet Set-PnPSite supports -BlockDownloadPolicy, but it does not expose two newer SharePoint Online site properties that are available in the Microsoft SharePoint Online Management Shell via Set-SPOSite, specifically:

• ExcludeBlockDownloadSharePointGroups
• ReadOnlyForBlockDownloadPolicy

Because these parameters are missing in PnP.PowerShell, it is not possible to fully configure Block Download behavior using PnP alone. For governance and automation scenarios where PnP is the preferred or only module allowed (due to modern authentication and certificate-based automation), this creates gaps and forces mixing modules or using unsupported REST workarounds.

This becomes a challenge in large-scale automation and enterprise security enforcement.

Describe the solution you'd like

Please add support in Set-PnPSite for the following parameters, matching the behavior of Set-SPOSite:

-ExcludeBlockDownloadSharePointGroups
Allow specifying one or more SharePoint groups that should be exempt from the Block Download Policy.

-ReadOnlyForBlockDownloadPolicy
Allow setting the site to read-only mode specifically for users impacted by the Block Download Policy.

Ideally, these parameters should map to the underlying SPO Admin service properties the same way as Set-SPOSite does.

Describe alternatives you've considered

Using the SharePoint Online Management Shell (Set-SPOSite).
This works, but it requires:

• Legacy module installation
• Legacy authentication for some tenants
• Separate connections in automation pipelines
• Mixed-module execution (PnP + SPO), which complicates DevOps workflows

Because PnP.PowerShell already exposes -BlockDownloadPolicy, it would be ideal if PnP provided full parity with the SPO cmdlet for all related settings.

Additional context
These properties are important for enterprise-level security policies where organizations want to enforce Block Download but allow exceptions for certain SharePoint groups (e.g., Owners or specific business units).

The official Microsoft cmdlet already supports these parameters:

Set-SPOSite -Identity <SiteURL> `
  -BlockDownloadPolicy $true `
  -ExcludeBlockDownloadSharePointGroups "Marketing,HR" `
  -ReadOnlyForBlockDownloadPolicy $true

Equivalent PnP support would greatly simplify governance automation, especially for certificate-based app-only scripts, Azure Automation, and DevOps pipelines using PnP exclusively.

[gautamdsheth]

hey @sw-ms-chinmayaupadhyay , thanks for raising this feature request. Have merged the needed changes, it will be available starting with tomorrow's nightly builds !

[sw-ms-chinmayaupadhyay]

hey @sw-ms-chinmayaupadhyay , thanks for raising this feature request. Have merged the needed changes, it will be available starting with tomorrow's nightly builds !

Thank you for your quick response @gautamdsheth. It is working in nightly version.

Can we know when will this be available in production release? Any estimate?

[gautamdsheth]

@sw-ms-chinmayaupadhyay , we plan to get this out asap. Unfortunately, we are currently blocked due to some certificates that we need for the release, so can't give ETA. Hopefully, very soon !