9,664 questions
My first recommendation would be Defender for Cloud apps and a CA Policy if you are licensed:
https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-proxy-block-session-aad
How to stop/prevent users to upload and download from Teams, OneDrive for business and SharePoint Online for users which includes .EXE, .MSI and any other executable files?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 82%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Vinod Survase
4,776
Reputation points
How to stop/prevent users to upload and download from Teams, OneDrive for business and SharePoint Online for users which includes .EXE, .MSI and any other executable files?
Is there any policy via Intune or Azure AD side that we should create and apply across org or group of users?
Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Microsoft 365 and Office | SharePoint | For business | Windows
11,701 questions
Microsoft Security | Intune | Other
5,570 questions
Microsoft Teams | Microsoft Teams for business | Other
10,940 questions
Accepted answer
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2023-06-22T12:56:46.89+00:00 -
Vinod Survase 4,776 Reputation points
2023-06-22T14:40:23.7666667+00:00 Thanks @Andy David - MVP for reply on this.
I have another question on top of that I got to know we can prevent download but what about upload and how we can prevent that will it be covered via this CA policy or how it is?
-
Vinod Survase 4,776 Reputation points
2023-06-22T14:43:42.6933333+00:00 Andy David - MVPI have another question on top that as per this docs we can prevent download on unmanaged devices but what about upload to those storage locations like SPO, Teams, ODB, will it prevent upload as well or how it is?
Andy David - MVPI have another question on top that as per this docs we can prevent download on unmanaged devices but what about upload to those storage locations like SPO, Teams, ODB, will it prevent upload as well or how it is?
Andy David - MVPI have another question on top that as per this docs we can prevent download on unmanaged devices but what about upload to those storage locations like SPO, Teams, ODB, will it prevent upload as well or how it is?
Sign in to comment -
2 additional answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
Maarten Leyman 1 Reputation point2023-06-22T15:24:16.25+00:00 As @Andy David - MVP suggested you can use Microsoft Defender for Cloud Apps (MDCA) to block uploads and downloads to Onedrive or Sharepoint Online in realtime only for browser sessions!
Uploading or downloading through for example Teams or copying One Drive synced files in file explorer are not covered by the conditional access proxy policies.
You can also create file policies to for example change permissions of files with a .exe extentions. https://learn.microsoft.com/en-us/defender-cloud-apps/data-protection-policies
-
Vinod Survase 4,776 Reputation points
2023-06-23T13:00:21.6866667+00:00 Thanks @Maarten Leyman
Will check this and make appropriate settings.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 51%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EED%3C/text%3E%3C/svg%3E)
Emily Du-MSFT 51,846 Reputation points Microsoft External Staff2023-06-23T09:46:09.28+00:00 Form SharePoint, there is no OOTB functionality to restrict specific file extensions when uploading files.
From OneDrive, go to SharePoint admin center -> Settings -> Sync -> Block uploads by file type.
https://learn.microsoft.com/en-US/sharepoint/block-file-types?WT.mc_id=365AdminCSH_spo
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Vinod Survase 4,776 Reputation points
2023-06-23T13:21:51.2266667+00:00 Thanks @Emily Du-MSFT
Its helpful.
-
Emily Du-MSFT 51,846 Reputation points Microsoft External Staff
2023-06-26T06:01:40.3+00:00 If you find any answers helpful to you, please remember to accept them.
It will help others who meet the similar question in this forum.
Thank you.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 30%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPG%3C/text%3E%3C/svg%3E)
Prashant Gupta 0 Reputation points2024-03-19T10:12:21.6866667+00:00 This is good but how to block upload of such files from Power Automate flows to OneDrive/SharePoint? Is there any possible solution for this?
Sign in to comment -