Control 1.25: MIME Type Restrictions for File Uploads
Control ID: 1.25
Pillar: Security
Regulatory Reference: FINRA Rule 4511, FINRA Rule 3110, FINRA Regulatory Notice 25-07, SEC Rule 17a-4, GLBA Safeguards Rule (16 CFR Part 314), OCC Bulletin 2011-12
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Relationship to File Upload Security
This control defines environment-wide MIME type and file extension policies configured through the Power Platform Admin Center (PPAC). It complements the per-agent File Upload Security toggle and per-agent file type restrictions available in Copilot Studio (v8+), which enable or disable file uploads at the individual agent level and configure allowed file types per agent. Both environment-level and agent-level controls should be implemented together: environment-wide policies establish the maximum allowable file types, while per-agent settings provide granular restrictions for each agent's specific use case. See Configuration Hardening Baseline items 28-29 for the full hardening context and Control 1.26 - Agent File Upload and File Analysis Restrictions for per-agent attachment governance details.
Objective
Define and enforce MIME type and file extension restrictions for Copilot Studio agent file uploads within Power Platform environments, helping prevent the introduction of malicious or high-risk file types while maintaining operational flexibility appropriate to each governance zone.
Why This Matters for FSI
- FINRA Rule 4511 (Books and Records): Restricting file uploads to inspectable, indexable formats helps support recordkeeping requirements by limiting agent intake to formats that can be preserved and produced in original form. Opaque executable or script payloads cannot be reliably indexed for retention and retrieval.
- FINRA Rule 3110 (Supervision): Defining and enforcing an environment-wide file-type policy aids in establishing the supervisory system required for member firm communications. Documenting blocked extensions and allowed MIME types provides evidence of supervisory design when AI agents touch books-and-records workflows.
- FINRA Regulatory Notice 25-07: Helps address FINRA's 2025 guidance on AI agent oversight by ensuring file-based inputs to agents are bounded to a documented, reviewable allowlist; reduces the risk that unsupervised content (e.g., script payloads, macro-enabled binaries) enters the supervised communication stream.
- SEC Rule 17a-4 (Records Hygiene): Restricting agent intake to known, inspectable MIME types helps meet records hygiene expectations by reducing the introduction of formats that cannot be preserved in non-rewriteable, non-erasable form. Executable and binary script formats fall outside reasonable record-format scope.
- GLBA Safeguards Rule (16 CFR Part 314): Helps support the technical safeguards requirement by reducing the file-borne malware delivery and exfiltration attack surface against agent endpoints. Aligns with the Safeguards Rule expectation that financial institutions implement controls proportionate to identified risks (16 CFR §314.4(c)).
- OCC Bulletin 2011-12 (Model Risk Management): Bounding the input domain of AI agents to known file types contributes to model-input control expectations; limits the risk that unbounded or adversarial inputs degrade model behavior or introduce data poisoning into knowledge sources.
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
MIME type restrictions provide a layered defense against malicious file uploads in Power Platform environments where Copilot Studio agents accept user-submitted files. Without restrictions, agents may process executable files, script payloads, or file types that bypass downstream security scanning, creating pathways for malware introduction and data integrity compromise.
This control uses the Power Platform Admin Center (PPAC) to configure three complementary restriction mechanisms:
- Blocked file extensions — A deny list of file extensions (e.g.,
.exe,.bat,.ps1,.dll) that blocks uploads regardless of MIME type header - Blocked MIME types — A deny list of MIME type identifiers (e.g.,
application/x-msdownload,application/x-shellscript) that blocks files matching specific content type declarations - Allowed MIME types — An explicit allow list that restricts uploads to only approved content types (e.g.,
application/pdf,image/png,text/csv), rejecting all unlisted types
The enforcement model escalates by governance zone. Zone 1 environments apply Microsoft's default blocked extensions list as a baseline. Zone 2 environments add MIME type blocking and an explicit allowlist, with recommended DLP integration for content inspection. Zone 3 environments layer server-side magic-byte validation, required Purview DLP policies, and Microsoft Sentinel monitoring to achieve defense-in-depth file upload governance.
Per-Agent Attachment Restrictions
In addition to environment-wide MIME type policies, Copilot Studio (v8+) provides per-agent attachment governance controls that enable granular file type restrictions tailored to each agent's operational requirements. These controls complement the environment-level restrictions by applying additional constraints at the individual agent level.
Per-agent configuration capabilities include:
- File Upload toggle — A binary enable/disable setting in the agent's Security settings that determines whether the agent accepts file uploads at all
- Allowed file types per agent — A configurable list of permitted file extensions (e.g.,
.pdf,.docx,.csv) specific to the agent's use case, independent of the environment-wide allowlist - Attachment preview and content scanning integration — Configuration hooks for linking agent-level uploads to Purview DLP content inspection before files reach agent processing logic
Governance model: Environment-wide MIME restrictions establish the maximum allowable file types across all agents. Per-agent settings apply additional constraints within those bounds. For example, if the environment allows .pdf, .docx, and .xlsx, an individual agent may be configured to accept only .pdf, further limiting risk based on the agent's specific function.
Evidence expectations for per-agent governance:
- Screenshot evidence of the File Upload toggle state (enabled/disabled) in the agent's Security settings panel
- Screenshot evidence of allowed file types configured per agent, with justification for each permitted extension
- Audit trail records showing configuration changes to per-agent file type restrictions, including who made changes and when
- Periodic attestation that per-agent restrictions align with the principle of least privilege (only permitting file types required for the agent's documented purpose)
This layered approach—combining environment-wide MIME policies with per-agent restrictions—aids in achieving defense-in-depth for file upload governance while maintaining operational flexibility. Organizations should document the rationale for each agent's file type allowlist and review per-agent settings during monthly (Zone 2) or weekly (Zone 3) policy reviews.
Capability Comparison by Zone
| Capability | Zone 1 (Personal) | Zone 2 (Team) | Zone 3 (Enterprise) |
|---|---|---|---|
| Blocked file extensions | Microsoft defaults | Customized per environment | Comprehensive blocklist |
| Blocked MIME types | Not configured | Configured and maintained | Strictly enforced |
| Allowed MIME types (allowlist) | Not configured | Explicit allowlist active | Strict allowlist with justification |
| Template enforcement | Manual review | FsiMimeControl module | FsiMimeControl with drift detection |
| Server-side validation | None | Optional | Required (magic bytes verification) |
| DLP integration | None | Recommended | Required |
| Sentinel monitoring | None | Optional | Required (active alert rules) |
| Review cadence | Quarterly | Monthly | Weekly |
Key Configuration Points
- PPAC blocked file extensions list — Configure the deny list of dangerous file extensions (
.exe,.bat,.cmd,.ps1,.dll,.vbs,.js,.wsf,.msi,.scr) in the Power Platform Admin Center - PPAC blocked MIME types list — Define blocked MIME type identifiers (e.g.,
application/x-msdownload,application/x-msdos-program,application/x-shellscript) to prevent uploads by content type - PPAC allowed MIME types (explicit allowlist) — Specify the permitted MIME types (e.g.,
application/pdf,image/png,image/jpeg,text/csv,text/plain) and reject all unlisted types - Zone-based template application via FsiMimeControl module — Apply standardized MIME restriction templates per zone using the
Set-FsiMimeConfigcmdlet to maintain consistent configuration across environments - Server-side magic bytes validation (Zone 3 only) — Enable header-content verification to confirm uploaded files match their declared MIME type, detecting extension-spoofing attacks
- Purview DLP policy integration (Zone 2+) — Link MIME type restrictions with Purview DLP policies for content-level inspection of permitted file types, scanning for sensitive data patterns within uploads before files reach agent processing logic
- Per-agent file type restrictions — Configure allowed file types at the individual agent level in Copilot Studio, applying the principle of least privilege to limit each agent to only the file extensions required for its documented purpose
- Agent-level File Upload toggle — Enable or disable file uploads per agent via the Security settings panel, with screenshot evidence documenting the toggle state for each production agent
- Attachment content scanning integration — Configure Purview DLP policy evaluation to occur before uploaded files are processed by agent logic, blocking uploads that contain sensitive data patterns or violate content policies
- Sentinel monitoring queries and alert rules — Deploy KQL-based analytics rules to detect file upload anomalies, blocked-type bypass attempts, and policy drift across environments
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Microsoft default blocked-extensions list retained (do not remove defaults); per-agent File Upload toggle reviewed quarterly; no allowlist required | Baseline protection against common executable formats for personal productivity agents. The Microsoft default list (~80 extensions) covers most known-malicious formats and should be the floor, not a starting point that can be reduced. |
| Zone 2 (Team) | Microsoft defaults retained + organizationally-added extensions (e.g., ps1, ps1xml) + blocked MIME types configured + explicit MIME allowlist enforced + per-agent allowed file types documented; monthly review; Purview DLP policy recommended for content inspection of permitted uploads |
Shared team agents process content from multiple users; MIME-level controls help mitigate extension-spoofing (e.g., .exe renamed to .pdf). Per-agent allowlists implement least-privilege by restricting each agent to only the file types required for its documented purpose. |
| Zone 3 (Enterprise) | All Zone 2 requirements + Defender for Cloud Apps file policy with magic-byte (true MIME) inspection + Purview DLP enforced (not test mode) + Microsoft Sentinel analytics rules deployed and tuned + per-agent File Upload toggle attestation + weekly compliance scan via Test-FsiMimeCompliance |
Customer-facing, regulated, and books-and-records-touching agents require defense-in-depth: client-declared MIME alone is spoofable, so Defender for Cloud Apps content-type inspection provides the magic-byte verification layer. Sentinel monitoring helps satisfy FINRA 3110 supervisory evidence and SEC 17a-4 audit-readiness expectations. |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Power Platform Admin | Configure blocked extensions, blocked MIME types, and allowed MIME types in PPAC; apply zone templates via FsiMimeControl module; review and update restriction lists per zone cadence |
| Purview Compliance Admin | Create and maintain DLP policies for file upload content inspection; configure sensitivity label integration for uploaded documents |
| SOC Analyst | Monitor Sentinel analytics rules for file upload anomalies and blocked-type bypass attempts; triage and investigate alerts; escalate confirmed incidents |
| Entra Global Admin | Configure Conditional Access policies restricting file upload capabilities to managed devices or compliant endpoints where applicable |
Related Controls
| Control | Relationship |
|---|---|
| 1.5 - DLP and Sensitivity Labels | Complementary DLP policy layer for content inspection of uploaded files before agent processing |
| 1.10 - Communication Compliance Monitoring | Supervision of agent interactions where file uploads may occur |
| 1.11 - Conditional Access and Phishing-Resistant MFA | Access controls that determine which users and devices can interact with file-upload-enabled agents |
| 1.13 - Sensitive Information Types (SITs) | Pattern recognition for detecting sensitive data within uploaded file content |
| 1.14 - Data Minimization and Agent Scope Control | Data scope minimization complementing file type restrictions |
| 1.26 - Agent File Upload and File Analysis Restrictions | Companion control for per-agent attachment governance and File Upload toggle configuration |
| 3.3 - Compliance and Regulatory Reporting | Reporting integration for tracking file upload policy compliance and rejection rates |
| 3.7 - PPAC Security Posture | Security posture assessment including MIME restriction configuration status |
| 4.3 - Site and Document Retention Management | Retention policies for content sources that may also process uploaded files |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Blocked file extensions list is configured in PPAC and includes all required dangerous extensions for the target zone
- Blocked MIME types list is configured in PPAC with content-type identifiers appropriate to the zone (Zone 2+)
- Allowed MIME types are explicitly defined, restricting uploads to approved content types only (Zone 2+)
- Zone template compliance is verified via
Test-FsiMimeCompliancecmdlet, confirming configuration matches the expected zone profile - Per-agent File Upload toggle state is documented with screenshot evidence for each production agent, showing whether file uploads are enabled or disabled
- Per-agent allowed file types are configured and documented for each file-upload-enabled agent, with justification for each permitted extension aligned to the agent's documented purpose
- Attachment content scanning is configured, with Purview DLP policy evaluation occurring before uploaded files reach agent processing logic
- Audit trail records capture configuration changes to per-agent file type restrictions, including administrator identity, timestamp, and change details
- DLP policy is deployed, active, and generating alerts for sensitive content detected within uploaded files (Zone 2+)
- Sentinel analytics queries are returning data and alert rules are active for file upload anomaly detection (Zone 3)
Additional Resources
- Microsoft Learn: Manage privacy and security settings (Power Platform) — authoritative reference for blocked attachments, blocked MIME types, and allowed MIME types fields
- Microsoft Learn: System Settings General tab — Set blocked file extensions for attachments
- Microsoft Learn: Copilot Studio — Upload files as a knowledge source — supported file types and size limits for agent knowledge ingestion
- Microsoft Learn: Copilot Studio — Allow file input from users — per-agent file input limits (PDF <40 pages, TXT/CSV <180 KB, images ≤15 MB)
- Microsoft Learn: Copilot Studio quotas and limits
- Microsoft Learn: Defender for Cloud Apps — File policies — magic-byte / true MIME inspection for cloud-app uploads
- Microsoft Learn: SharePoint — Block syncing of specific file types — note: blocks sync client uploads only, not browser uploads
- Microsoft Learn: Microsoft Purview DLP — Learn about DLP
- Microsoft Learn: Microsoft Sentinel — Detect threats with built-in analytics rules
FSI Scope Note
Power Platform Focus: This control targets file upload restrictions within Power Platform environments where Copilot Studio agents accept user-submitted files. Organizations should implement MIME type restrictions when:
- Copilot Studio agents are configured with file upload capabilities enabled
- Agents process user-submitted documents as part of knowledge retrieval or workflow automation
- Regulatory requirements mandate control over file types entering supervised communication channels
For organizations without file upload-enabled agents, this control may be deferred until file upload capabilities are activated. Controls 1.5 (DLP) and 1.10 (Communication Compliance Monitoring) provide foundational security coverage in the interim.
Complement with DLP Content Inspection
MIME type restrictions control which file types reach your agents, but they do not inspect file contents. For defense-in-depth, pair this control with Control 1.5 (DLP and Sensitivity Labels) to scan permitted uploads for sensitive data patterns such as account numbers, SSNs, or confidential classifications. This layered approach addresses both the file-type attack surface and the data exposure risk within allowed uploads.
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current