Skip to content

Troubleshooting: Control 1.25 - MIME Type Restrictions for File Uploads

Last Updated: February 2026

Common Issues

Issue Cause Resolution
Blocked file type still uploadable Extension not in blocklist or typo in configuration Verify extension spelling and semicolon separators
MIME type not recognized by platform Incorrect MIME type string or unsupported format Use standardized IANA MIME type identifiers
Zone template application fails Insufficient permissions or environment locked Verify Power Platform Admin role; check environment state
DLP policy not triggering on file uploads DLP policy not scoped to Power Platform or connector Review DLP policy scope in Purview Compliance Portal
Sentinel query returns no results Diagnostic settings not configured or data latency Enable Power Platform admin activity connector in Sentinel
FsiMimeControl module import errors Module not found or PowerShell version mismatch Import module from repository path and verify PowerShell 7.0+

Detailed Troubleshooting

Issue: Blocked File Type Still Uploadable

Symptoms: Users can successfully upload files with extensions that should be blocked (e.g., .exe, .bat)

Resolution:

  1. Navigate to PPAC → Environments → [Environment] → Settings → Privacy + Security
  2. Check the Set blocked file extensions for attachments field
  3. Verify the target extension is listed (without the dot)
  4. Check for typos or missing semicolon separators
  5. Confirm the setting was saved (click Save if pending)
  6. Clear browser cache and retry the upload test

Portal Path: 

Power Platform Admin Center → Environments → [Environment] → Settings → Privacy + Security

Note: Changes may take up to 15 minutes to propagate across all sessions. If the issue persists after 15 minutes, verify the environment ID matches the target environment.

Issue: MIME Type Not Recognized by Platform

Symptoms: Configured blocked MIME type does not prevent uploads of the target file type

Resolution:

  1. Verify the MIME type string uses the correct IANA format (e.g., application/x-msdownload not msdownload)
  2. Check that the MIME type is supported by Power Platform's validation engine
  3. Test with a known-supported MIME type to isolate the issue
  4. Consider using file extension blocking as a complementary control
  5. Common corrections:
  6. application/exeapplication/x-msdownload
  7. application/batapplication/x-bat
  8. text/javascriptapplication/javascript

Issue: Zone Template Application Fails

Symptoms: Set-FsiMimeConfig returns an error when applying a zone template

Resolution:

  1. Verify your account has Power Platform Admin or Entra Global Admin role
  2. Check the environment is not in a locked or read-only state: 
    $config = Get-FsiMimeConfig -DataverseUrl 'https://org.crm.dynamics.com' -AccessToken $token
Write-Host "Organization ID: $($config.OrganizationId)"
  3. Verify the Dataverse URL is correct (copy from PPAC → Environments → Details)
  4. Check network connectivity to the Dataverse Web API
  5. If the environment is managed by another admin, coordinate before applying changes

Issue: DLP Policy Not Triggering on File Uploads

Symptoms: DLP alerts are not generated when users upload restricted file types

Resolution:

  1. Navigate to Microsoft Purview Compliance Portal → Data Loss Prevention → Policies
  2. Verify a DLP policy exists that covers Power Platform connectors
  3. Check the policy scope includes the target environment
  4. Verify the policy is in Enforce mode (not Test or Off)
  5. Allow up to 24 hours for new DLP policies to take effect
  6. Check Activity explorer for recent events to rule out display delay

Portal Path: 

Microsoft Purview Compliance Portal → Data Loss Prevention → Policies → [Policy Name]

Issue: Sentinel Query Returns No Results

Symptoms: KQL queries for blocked upload events return empty result sets

Resolution:

  1. Verify the Power Platform admin activity data connector is enabled in Sentinel:
  2. Navigate to Microsoft Sentinel → Data connectors
  3. Search for Power Platform and verify status is Connected
  4. Check that diagnostic settings include admin activity events
  5. Verify the time range in the query matches the test period (default is 30 days)
  6. Confirm at least one blocked upload attempt occurred in the query time range
  7. Allow 15-30 minutes for event ingestion latency after a test upload

Issue: FsiMimeControl Module Import Errors

Symptoms: Import-Module FsiMimeControl fails with module not found or version errors

Resolution:

  1. Verify PowerShell version is 7.0 or later: 
    $PSVersionTable.PSVersion
  2. Import the module from the repository path: 
    Import-Module ./scripts/governance/FsiMimeControl.psm1 -Force
  3. Verify the module file exists at the expected path: 
    Test-Path ./scripts/governance/FsiMimeControl.psm1
  4. Check for module conflicts: 
    Get-Module -Name FsiMimeControl -ListAvailable

Escalation Path

  1. Power Platform Admin — Environment settings, MIME configuration, permissions
  2. Security Operations — DLP policy tuning, Sentinel connector, KQL query assistance
  3. Microsoft Support — Platform-level issues with file restrictions or Dataverse API

Known Limitations

Limitation Impact Workaround
Extension-based blocking only (no content inspection) Renamed files may bypass extension checks Use both extension and MIME type blocking together
MIME type validation depends on client-reported type Spoofed MIME types may pass initial check Layer with DLP policies for content-level inspection
Settings per environment (not per app) All apps in an environment share the restriction Use separate environments for different restriction levels
No built-in audit trail for setting changes Requires Sentinel connector for change tracking Enable Power Platform admin activity connector in Sentinel
Allowlist overrides blocklist If allowlist is set, blocklist is not evaluated Use allowlist approach for Zone 3; blocklist for Zone 1-2
allowedmimetypes field may not be supported Older Dataverse versions may not expose the allowed MIME types field Set-FsiMimeConfig will warn and apply remaining settings; configure allowlist manually in PPAC portal or request environment upgrade
Propagation delay up to 15 minutes Recent changes may not be enforced immediately Wait 15 minutes before testing after configuration changes

Diagnostic Commands

Check Current MIME Configuration

Get-FsiMimeConfig -DataverseUrl 'https://org.crm.dynamics.com' -AccessToken $token | Format-List

Verify Module Is Loaded

Get-Module -Name FsiMimeControl | Format-Table Name, Path -AutoSize

Quick Compliance Check

Test-FsiMimeCompliance -DataverseUrl 'https://org.crm.dynamics.com' -AccessToken $token -Zone 2

List All Power Platform Environments

Get-AdminPowerAppEnvironment | Format-Table DisplayName, EnvironmentName, @{N='Type';E={$_.Internal.properties.environmentType}}

Export Configuration for Audit

# Export MIME configuration for a specific environment
Get-FsiMimeConfig -DataverseUrl 'https://org.crm.dynamics.com' -AccessToken $token -OutputFormat JSON -OutputPath '.\MimeConfigAudit.json'

Back to Control 1.25 | Portal Walkthrough | PowerShell Setup | Verification Testing