
Portal Walkthrough: Control 1.25 - MIME Type Restrictions for File Uploads

Last Updated: February 2026 | Portal: Power Platform Admin Center | Estimated Time: 20-30 minutes

Prerequisites

  • Power Platform Admin or Entra Global Admin role
  • Access to Power Platform Admin Center
  • Knowledge of organizational file type requirements per zone

Step-by-Step Configuration

Step 1: Navigate to Environment Settings

  1. Open Power Platform Admin Center
  2. Select Environments from the left navigation
  3. Select the target environment (repeat for each environment per zone)
  4. Click Settings in the top menu bar
  5. Expand Privacy + Security (or Features, depending on environment type)

Step 2: Configure Blocked File Extensions

  1. Locate the Set blocked file extensions for attachments field
  2. Enter a semicolon-separated list of file extensions to block
  3. The list below is a partial list of the most critical executable extensions. The complete Zone 1 baseline requires 44 extensions; for the full list, use Set-FsiMimeConfig -ZoneTemplate zone1 from the PowerShell Setup playbook:

    exe;bat;cmd;com;vbs;js;wsf;scr;pif;msi;dll;reg;inf;hta;cpl;msp;mst
    

    Partial List

    The inline list above covers only 17 of the 44 required Zone 1 extensions. Using this list alone will leave your environment under-protected. Apply the complete zone template via PowerShell or copy the full list from scripts/governance/mime-templates/zone1.json.

  4. Click Save to apply changes

Note: Zone 2+ environments should also block ps1. Zone 3 adds cab, gadget, ps1xml, ps2, ps2xml, psc1, psc2, isp, its, and rgs. The FsiMimeControl zone templates at scripts/governance/mime-templates/ contain the complete lists (44 extensions for Zone 1, 45 for Zone 2, 55 for Zone 3). For full compliance, use Set-FsiMimeConfig -ZoneTemplate zone1 from the PowerShell Setup playbook or copy the complete list from the zone template JSON file.

Step 3: Configure Blocked MIME Types (Zone 2+)

Zone 2 and Zone 3 only. Skip this step for Zone 1 environments.

  1. Locate the Set blocked mime types for attachments field
  2. Enter a semicolon-separated list of MIME types to block
  3. Recommended MIME types to block:

    application/x-msdownload;application/x-msdos-program;application/x-bat;application/x-cmd;application/x-vbs;application/javascript;application/x-powershell;application/x-msi
    
  4. Click Save to apply changes

Note: The list above covers the most common executable content types. The FsiMimeControl zone templates contain extended lists (15 types for Zone 2, 21 for Zone 3) including text/javascript, application/hta, application/msaccess, and others. For full compliance, use Set-FsiMimeConfig -ZoneTemplate zone2 from the PowerShell Setup playbook or copy the complete list from the zone template JSON file.

Step 4: Configure Allowed MIME Types (Zone 2+)

  1. Locate the Set allowed mime types for attachments field
  2. Enter a semicolon-separated allowlist of MIME types that are permitted
  3. Recommended allowlist for regulated environments:

    application/pdf;image/png;image/jpeg;image/gif;image/tiff;text/plain;text/csv;application/vnd.openxmlformats-officedocument.spreadsheetml.sheet;application/vnd.openxmlformats-officedocument.wordprocessingml.document;application/vnd.openxmlformats-officedocument.presentationml.presentation
    
  4. Click Save to apply changes

Important: When an allowlist is configured, only the listed MIME types are accepted. All other types are rejected regardless of the blocked list. Both Zone 2 and Zone 3 templates include image/tiff in the allowlist — see the zone template JSON files for the complete list.

Legacy Office Formats Not Included

The zone template allowlists include modern Office formats (.docx, .xlsx, .pptx) but not legacy binary formats (.doc, .xls, .ppt). If your organization exchanges legacy Office documents — common in FSI for regulatory correspondence and historical records — add application/msword, application/vnd.ms-excel, and application/vnd.ms-powerpoint to your environment's allowed MIME types list. Alternatively, use an exception request per the exception template.
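
The precedence rule from Step 4, modeled as an added example (not code from the FsiMimeControl module or from the platform itself). The function names Test-AttachmentPolicy and ConvertTo-PolicyList are hypothetical, the order of the extension and MIME checks is an assumption, and the lists are subsets of the inline values from Steps 2 to 4.

```powershell
# Added illustration: models the rule stated in this walkthrough, not platform code.
# Test-AttachmentPolicy and ConvertTo-PolicyList are hypothetical helper names.
function ConvertTo-PolicyList([string]$Value) {
    # Portal fields hold semicolon-separated values; trim, drop a leading dot, lower-case.
    $Value -split ';' | ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } | Where-Object { $_ }
}

function Test-AttachmentPolicy {
    param(
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][string]$MimeType,
        [string]$BlockedExtensions = '',
        [string]$BlockedMimeTypes  = '',
        [string]$AllowedMimeTypes  = ''
    )
    $ext     = [System.IO.Path]::GetExtension($FileName).TrimStart('.').ToLowerInvariant()
    $mime    = $MimeType.Trim().ToLowerInvariant()
    $allowed = @(ConvertTo-PolicyList $AllowedMimeTypes)

    # Assumption: the extension check runs before the MIME checks.
    if ($ext -and (@(ConvertTo-PolicyList $BlockedExtensions) -contains $ext)) {
        return "Reject: extension '$ext' is blocked"
    }
    if ($allowed.Count -gt 0) {
        # Allowlist configured: only listed types pass, whatever the blocked list says.
        if ($allowed -contains $mime) { return 'Accept: MIME type is on the allowlist' }
        return "Reject: '$mime' is not on the allowlist"
    }
    if (@(ConvertTo-PolicyList $BlockedMimeTypes) -contains $mime) {
        return "Reject: MIME type '$mime' is blocked"
    }
    return 'Accept: no rule matched'
}

# Subsets of the lists from Steps 2 to 4; the uploads below are constructed samples.
$policy = @{
    BlockedExtensions = 'exe;bat;cmd;vbs;js;msi;dll'
    BlockedMimeTypes  = 'application/x-msdownload;application/javascript'
    AllowedMimeTypes  = 'application/pdf;image/png;text/csv'
}
$uploads = @(
    @{ FileName = 'statement.pdf'; MimeType = 'application/pdf' }     # allowlisted type
    @{ FileName = 'archive.zip';   MimeType = 'application/zip' }     # on neither list
    @{ FileName = 'letter.doc';    MimeType = 'application/msword' }  # legacy Office format
    @{ FileName = 'setup.msi';     MimeType = 'application/x-msi' }   # blocked extension
)
foreach ($u in $uploads) {
    '{0,-14} {1}' -f $u.FileName, (Test-AttachmentPolicy @policy @u)
}
```

Clearing AllowedMimeTypes in $policy and re-running shows which of the same uploads are then decided by the blocked MIME list alone.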

Step 5: Review and Apply Zone Template

  1. Review the configuration against the governance level table below
  2. Verify the settings match the zone classification for the selected environment
  3. Document the applied configuration in your governance records
  4. Repeat Steps 1-4 for each environment within the zone

Configuration by Governance Level

| Setting | Baseline (Zone 1) | Recommended (Zone 2) | Regulated (Zone 3) |
|---|---|---|---|
| Blocked File Extensions | Yes — executable types | Yes — executable types | Yes — executable types |
| Blocked MIME Types | Optional | Yes | Yes |
| Allowed MIME Types (Allowlist) | Not required | Recommended | Required |
| DLP Policy for File Uploads | Not required | Yes | Yes — with alerts |
| Sentinel Monitoring | Not required | Optional | Required |
| Review Frequency | Quarterly | Monthly | Weekly |
| Exception Process | Informal | Documented | Documented with approval |

Validation

After completing these steps, verify:

  • Blocked file extensions are configured for each environment
  • Blocked MIME types are configured for Zone 2 and Zone 3 environments
  • Allowed MIME types allowlist is configured for Zone 3 environments
  • Configuration matches the governance level table for each environment zone
  • Changes are documented in governance records
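
An offline check for the validation list above, as an added example that is not part of the FsiMimeControl module. Test-ZoneAttachmentConfig and ConvertTo-PolicyList are hypothetical names, the field values are pasted in as strings rather than read from the environment, and the required list holds only the extensions named on this page.

```powershell
# Added illustration, not part of FsiMimeControl. Function names are hypothetical;
# the checks mirror the governance level table and the validation list.
function ConvertTo-PolicyList([string]$Value) {
    # Portal fields hold semicolon-separated values; trim, drop a leading dot, lower-case.
    $Value -split ';' | ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } | Where-Object { $_ }
}

function Test-ZoneAttachmentConfig {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 3)][int]$Zone,
        [Parameter(Mandatory)][string[]]$RequiredExtensions,
        [string]$BlockedExtensions = '',
        [string]$BlockedMimeTypes  = '',
        [string]$AllowedMimeTypes  = ''
    )
    $ext      = @(ConvertTo-PolicyList $BlockedExtensions)
    $blocked  = @(ConvertTo-PolicyList $BlockedMimeTypes)
    $allowed  = @(ConvertTo-PolicyList $AllowedMimeTypes)
    $findings = [System.Collections.Generic.List[string]]::new()

    $missing = @($RequiredExtensions | ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $ext -notcontains $_ })
    if ($missing.Count -gt 0) { $findings.Add("Missing blocked extensions: $($missing -join ';')") }
    if ($Zone -ge 2 -and $blocked.Count -eq 0) { $findings.Add('Blocked MIME types are not configured') }
    if ($Zone -eq 3 -and $allowed.Count -eq 0) { $findings.Add('Allowlist is required for Zone 3 but is empty') }
    # An entry on both lists signals a copy/paste error worth reviewing.
    $both = @($allowed | Where-Object { $blocked -contains $_ })
    if ($both.Count -gt 0) { $findings.Add("On both allowlist and blocked list: $($both -join ';')") }

    [pscustomobject]@{ Zone = $Zone; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: a Zone 3 environment filled in from the inline lists only.
# RequiredExtensions holds the extensions named on this page, not the 55-entry template.
$config = @{
    Zone               = 3
    RequiredExtensions = ('exe;bat;cmd;com;vbs;js;wsf;scr;pif;msi;dll;reg;inf;hta;cpl;msp;mst;' +
                          'ps1;cab;gadget;ps1xml;ps2;ps2xml;psc1;psc2;isp;its;rgs') -split ';'
    BlockedExtensions  = 'exe;bat;cmd;com;vbs;js;wsf;scr;pif;msi;dll;reg;inf;hta;cpl;msp;mst'
    BlockedMimeTypes   = 'application/x-msdownload;application/javascript'
}
$result = Test-ZoneAttachmentConfig @config
$result.Findings
```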
