Skip to content

Add support for ExcludeBlockDownloadSharePointGroups and ReadOnlyForBlockDownloadPolicy in Set-PnPSite #5154

@sw-ms-chinmayaupadhyay

Description

@sw-ms-chinmayaupadhyay

Is your feature request related to a problem? Please describe.

Currently, the PnP.PowerShell cmdlet Set-PnPSite supports -BlockDownloadPolicy, but it does not expose two newer SharePoint Online site properties that are available in the Microsoft SharePoint Online Management Shell via Set-SPOSite, specifically:

  • ExcludeBlockDownloadSharePointGroups
  • ReadOnlyForBlockDownloadPolicy

Because these parameters are missing in PnP.PowerShell, it is not possible to fully configure Block Download behavior using PnP alone. For governance and automation scenarios where PnP is the preferred or only module allowed (due to modern authentication and certificate-based automation), this creates gaps and forces mixing modules or using unsupported REST workarounds.

This becomes a challenge in large-scale automation and enterprise security enforcement.

Describe the solution you'd like

Please add support in Set-PnPSite for the following parameters, matching the behavior of Set-SPOSite:

-ExcludeBlockDownloadSharePointGroups
Allow specifying one or more SharePoint groups that should be exempt from the Block Download Policy.

-ReadOnlyForBlockDownloadPolicy
Allow setting the site to read-only mode specifically for users impacted by the Block Download Policy.

Ideally, these parameters should map to the underlying SPO Admin service properties the same way as Set-SPOSite does.

Describe alternatives you've considered

Using the SharePoint Online Management Shell (Set-SPOSite).
This works, but it requires:

  • Legacy module installation
  • Legacy authentication for some tenants
  • Separate connections in automation pipelines
  • Mixed-module execution (PnP + SPO), which complicates DevOps workflows

Because PnP.PowerShell already exposes -BlockDownloadPolicy, it would be ideal if PnP provided full parity with the SPO cmdlet for all related settings.

Additional context
These properties are important for enterprise-level security policies where organizations want to enforce Block Download but allow exceptions for certain SharePoint groups (e.g., Owners or specific business units).

The official Microsoft cmdlet already supports these parameters:

Set-SPOSite -Identity <SiteURL> `
  -BlockDownloadPolicy $true `
  -ExcludeBlockDownloadSharePointGroups "Marketing,HR" `
  -ReadOnlyForBlockDownloadPolicy $true

Equivalent PnP support would greatly simplify governance automation, especially for certificate-based app-only scripts, Azure Automation, and DevOps pipelines using PnP exclusively.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions