Tip #1376: Antivirus for portal attachments

One taketh, one giveth (or the other way around). Returning a favor to AK who asked:

How do the portals handle uploading of a virus?

(Want your favor returned? Send your awesome tip to jar@crmtipoftheday.com!)

There are multiple mechanisms you can put in place to protect your users from viruses (no, not that virus, unfortunately).

File extension

This is the weakest form of protection because it only restricts which file extensions are accepted. By default, attachments are stored as notes attachments in Common Data Service, so they are subject to this block.

  1. Navigate to the Power Platform admin center
  2. Open your instance
  3. Select Settings
  4. Select Privacy + Security
  5. Add the extensions you need to block to the Block these file extensions setting, separated by semicolons.

Bad guys can still rename nastyvirus.exe into cute-kitten.jpg and sneak it in. Not entirely fool-proof but pseudo-kittens are still better than executable ransom.


MIME type

Before portal visitors can upload file attachments into Common Data Service, the portal maker needs to configure notes as attachments for entity forms. One of the attributes in this configuration is Accept MIME Type(s). This offers deeper protection than the file extension by analyzing the type of the file.

For example, setting the acceptable MIME types in notes metadata to application/pdf;image/jpeg;image/png will restrict users to uploading PDF, JPG, and PNG files only. (I think you can use wildcards, e.g. image/*).
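
An added example, not part of the original tip and not how the portal itself implements the check: a content-signature test that a custom upload handler or post-upload job could run, using the same semicolon-separated accept list as above. The function names, the signature table and the sample bytes are constructed for illustration, and wildcard support is an assumption.

```python
import fnmatch

# Leading "magic" bytes for the types in the accept list above, plus the
# Windows executable header ("MZ") so a renamed .exe is recognised.
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-msdownload"),
]
EXT_TO_MIME = {".pdf": "application/pdf", ".jpg": "image/jpeg",
               ".jpeg": "image/jpeg", ".png": "image/png"}


def sniff_mime(data: bytes) -> str:
    """Return the MIME type implied by the file's leading bytes."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"  # unknown content


def parse_accept_list(accept: str) -> list[str]:
    """Split a semicolon-separated accept list into lowercase patterns."""
    return [p.strip().lower() for p in accept.split(";") if p.strip()]


def check_upload(filename: str, data: bytes, accept: str) -> tuple[bool, str]:
    """Accept only if the content is an allowed type and matches the extension."""
    actual = sniff_mime(data)
    # Wildcard patterns such as image/* are supported here as an assumption.
    if not any(fnmatch.fnmatchcase(actual, p) for p in parse_accept_list(accept)):
        return False, f"content type {actual} is not in the accept list"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if EXT_TO_MIME.get(ext) != actual:
        return False, f"extension {ext or '(none)'} does not match content {actual}"
    return True, actual


# Constructed sample inputs (header bytes only, not real files).
ACCEPT = "application/pdf;image/jpeg;image/png"
FAKE_KITTEN = b"MZ\x90\x00\x03\x00\x00\x00"        # EXE header behind a .jpg name
REAL_KITTEN = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # JPEG header

if __name__ == "__main__":
    print(check_upload("cute-kitten.jpg", FAKE_KITTEN, ACCEPT))
    print(check_upload("cute-kitten.jpg", REAL_KITTEN, ACCEPT))
```

A signature check catches the rename trick, but a well-formed PDF or image can still carry malicious content, so it complements a virus scan rather than replacing one.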

Virus scan

But what if you have a legitimate scenario that requires accepting executables or zip files (that can contain anything)? In these scenarios a proper virus scan must be put in place. Portal attachments can be stored in Azure Blob storage instead of notes, which lets you unleash threat protection goodness:

  1. Configure portal file attachments to use Azure Blob storage.
  2. Configure advanced threat protection for Azure Storage.
  3. As with most Azure services, it’s measured in peanuts per transaction, so make sure that the costs are aligned with the business requirements and expectations.

External services

If Microsoft threat protection does not cut the mustard, you can delegate the security checks and virus scan to a third party using Power Automate (credit: Aric Levin).

There are a few [Power Automate] Virus Scanning connectors, which you can probably use when a new Azure Blob item is added. We have done a similar implementation with an On-Premise Virus scanner being triggered when an Azure Blob file is uploaded, but I think this (flow to virus scanner) should work as well.

Cover photo by Branimir Balogović from Pexels