On Day 27 of Cybersecurity Awareness Month, learn to block uploading specific file types in SharePoint and OneDrive to avoid potential security threats. Stay tuned for the upcoming blogs in our M365 Cybersecurity blog series.
As collaborative work in Microsoft 365 expands, so does the importance of controlling what gets stored in SharePoint and OneDrive. Allowing all file types in Microsoft 365 can lead to security risks, unwanted storage consumption, or even malicious content entering your environment. By blocking specific file types like .exe, .bat, or .rar, admins can control what content is synced to the cloud and keep potentially harmful files out of cloud storage.
This guide walks you through the steps to block specific file types from being uploaded to OneDrive and SharePoint when users sync their OneDrive files.
Why Blocking Certain File Types in SharePoint and OneDrive Matters
Blocking specific file types in Microsoft SharePoint and OneDrive is essential for several key reasons:
Enhanced Security: Certain file types, such as executable (.exe) files or scripts, can carry malware or malicious code. By blocking these file types, you can reduce the risk of security breaches and potential threats entering the organization.
Data Protection: Blocking unauthorized file types (.bat, .js) prevents accidental data leakage, ensuring restricted content is not uploaded to the cloud, where it may be exposed.
Storage Optimization: Media files like video or audio files (.mp4, .mov) can quickly consume cloud storage space, leading to increased cost. By blocking these types of uploads, you ensure that your storage is used efficiently for business-critical data.
Depending on organizational needs, it’s important to identify which file types should be blocked. This control over file uploads reduces clutter and helps maintain an organized storage system, contributing to a secure and efficient cloud environment.
How to Block Synchronization of Specific File Types in SharePoint and OneDrive?
There are two ways to block uploading certain file types in SharePoint and OneDrive: through the SharePoint admin center or with PowerShell.
Before proceeding with the steps to restrict specific file type uploads in OneDrive and SharePoint, there are a few considerations you will need to know.
Things to Consider Before Blocking Specific File Types in Microsoft 365:
✔ Configuring the ‘Block upload of specific file types’ setting in the SharePoint admin center prevents users from uploading the blocked file types but doesn’t stop them from downloading them.
✔ If the blocked file types already exist in a user’s OneDrive, they will be synced to their local machine, but changes to those files won’t sync back to the cloud.
✔ By default, OneDrive doesn’t sync files with extensions like .tmp, .ini, and .lnk.
Block Uploading Specific File Types in SharePoint Admin Center
Follow the steps mentioned below to block the uploading of file types in SharePoint and OneDrive:
- Sign in to the SharePoint admin center.
- Navigate to Settings –> Sync.
- Check the box labeled as Block upload of specific file types. This allows you to specify which file types should be blocked.
- Specify the file extensions you want to block, such as exe, mp3, or any other undesirable file types. Make sure to enter the extensions without periods, spaces, or special characters.
- After entering the file types, click Save to apply your settings.
Note: It may take up to 8 hours for the changes to take effect across all users’ OneDrive sync apps. If users already have blocked file types in their OneDrive, the files sync to their computer, but any changes they make on their computer won’t be uploaded.
Based on your organization’s requirements, you may consider blocking the following file extensions to enhance security:
- .exe: Executable files (programs and scripts).
- .bat: Batch files for automated command execution.
- .vbs: Visual Basic scripts.
- .js: JavaScript files.
- .php: PHP scripts.
- .asp / .aspx: ASP and ASP.NET web application files.
- .htaccess: Apache server configuration files.
- .ini: Configuration files.
- .reg: Windows registry files.
- .msi: Windows installer packages.
Blocking these file types can help mitigate risks associated with malicious scripts and unwanted configurations. These recommendations can be tailored based on your specific security needs.
Blocking Specific File Uploads in SharePoint and OneDrive Using PowerShell
If you prefer a more automated approach, you can also use PowerShell to manage file type restrictions. The Set-SPOTenantSyncClientRestriction cmdlet allows administrators to configure restrictions on specific file types that can be uploaded to SharePoint and OneDrive.
First, connect to SharePoint Online PowerShell.

```powershell
# $TenantAdminURL holds the URL of your SharePoint admin center
Connect-SPOService -Url $TenantAdminURL
```
Now, use the following command to block certain file types.

```powershell
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions "pptx;zip"
```

This example stops users from uploading PowerPoint (.pptx) and compressed (.zip) files.
Unblock Specific File Uploads in SharePoint and OneDrive
To unblock specific file uploads in OneDrive and SharePoint using PowerShell, run the below command.
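
```powershell
# The value replaces the whole list: keep pptx blocked, drop zip
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions "pptx"
```

The cmdlet replaces the entire ExcludedFileExtensions list, so pass only the extensions that should stay blocked. Running this command after the earlier example removes the compressed file type from the list, which lets .zip files sync again with the updated OneDrive client.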
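Set-SPOTenantSyncClientRestriction takes the complete list on every call, so adding or removing a single extension means reading the current list first. The following added example (not from the original article or from Microsoft) does that read-merge-write; Get-MergedExtensionList and Update-BlockedSyncExtension are hypothetical names, and an existing Connect-SPOService session is assumed for the tenant call:

```powershell
# Added example. Function and parameter names are hypothetical, not part of the SPO module.

function Get-MergedExtensionList {
    # Pure helper: builds the complete semicolon-separated list the cmdlet expects.
    param(
        [string]$Current = '',
        [string[]]$Add = @(),
        [string[]]$Remove = @()
    )
    $normalize = {
        param($ext)
        # Accept ".EXE" or " exe " from the caller, store "exe".
        $clean = "$ext".Trim().TrimStart('.').ToLowerInvariant()
        if ($clean -notmatch '^[a-z0-9]+$') {
            throw "Invalid extension '$ext': no periods, spaces, or special characters."
        }
        $clean
    }
    $existing = @($Current -split ';' | Where-Object { $_.Trim() } | ForEach-Object { & $normalize $_ })
    $toAdd    = @($Add | ForEach-Object { & $normalize $_ })
    $toRemove = @($Remove | ForEach-Object { & $normalize $_ })
    $merged   = @($existing + $toAdd | Where-Object { $_ -notin $toRemove } | Sort-Object -Unique)
    $merged -join ';'
}

function Update-BlockedSyncExtension {
    # Read the tenant's current list, merge, then write the whole list back.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Add = @(), [string[]]$Remove = @())
    # Assumption: the property is returned as a string collection or one string;
    # joining on ';' handles both, and an empty result clears the block list.
    $current = @((Get-SPOTenantSyncClientRestriction).ExcludedFileExtensions) -join ';'
    $value = Get-MergedExtensionList -Current $current -Add $Add -Remove $Remove
    if ($PSCmdlet.ShouldProcess('SharePoint tenant', "Set ExcludedFileExtensions to '$value'")) {
        Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions $value
    }
    $value
}

# Constructed sample input: the "pptx;zip" list used above, merged offline.
Get-MergedExtensionList -Current 'pptx;zip' -Remove 'zip'
Get-MergedExtensionList -Current 'pptx;zip' -Add '.exe', 'BAT'

# Against a tenant (after Connect-SPOService), preview the change first:
# Update-BlockedSyncExtension -Add 'exe', 'bat' -WhatIf
```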
If you want to unblock the file types in the SharePoint admin center, navigate to Settings –> Sync and remove the file types listed under the ‘Block upload of specific file types’ checkbox. Don’t forget to save the changes.
Tip: You can also look at Microsoft Secure Score recommendations on SharePoint to strengthen your defenses against security threats.
To wrap up, controlling the upload of specific file types in SharePoint and OneDrive is crucial for protecting your organization’s data integrity. By following SharePoint Online security best practices like this one, organizations can mitigate the risks associated with unwanted file uploads.