This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 82%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
How to stop/prevent users to upload and download from Teams, OneDrive for business and SharePoint Online for users which includes .EXE, .MSI and any other executable files?
Is there any policy via Intune or Azure AD side that we should create and apply across org or group of users?
My first recommendation would be Defender for Cloud apps and a CA Policy if you are licensed:
https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-proxy-block-session-aad
Thanks @Andy David - MVP for reply on this.
I have another question on top of that I got to know we can prevent download but what about upload and how we can prevent that will it be covered via this CA policy or how it is?
Andy David - MVPI have another question on top that as per this docs we can prevent download on unmanaged devices but what about upload to those storage locations like SPO, Teams, ODB, will it prevent upload as well or how it is?
Andy David - MVPI have another question on top that as per this docs we can prevent download on unmanaged devices but what about upload to those storage locations like SPO, Teams, ODB, will it prevent upload as well or how it is?
Andy David - MVPI have another question on top that as per this docs we can prevent download on unmanaged devices but what about upload to those storage locations like SPO, Teams, ODB, will it prevent upload as well or how it is?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
As @Andy David - MVP suggested you can use Microsoft Defender for Cloud Apps (MDCA) to block uploads and downloads to Onedrive or Sharepoint Online in realtime only for browser sessions!
Uploading or downloading through for example Teams or copying One Drive synced files in file explorer are not covered by the conditional access proxy policies.
You can also create file policies to for example change permissions of files with a .exe extentions. https://learn.microsoft.com/en-us/defender-cloud-apps/data-protection-policies
Thanks @Maarten Leyman
Will check this and make appropriate settings.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 51%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EED%3C/text%3E%3C/svg%3E)
Form SharePoint, there is no OOTB functionality to restrict specific file extensions when uploading files.
From OneDrive, go to SharePoint admin center -> Settings -> Sync -> Block uploads by file type.
https://learn.microsoft.com/en-US/sharepoint/block-file-types?WT.mc_id=365AdminCSH_spo
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks @Emily Du-MSFT
Its helpful.
If you find any answers helpful to you, please remember to accept them.
It will help others who meet the similar question in this forum.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 30%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPG%3C/text%3E%3C/svg%3E)
This is good but how to block upload of such files from Power Automate flows to OneDrive/SharePoint? Is there any possible solution for this?