- Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
Microsoft is rolling out major updates to the blocked file types list in Office 365. These same changes are planned for on-premises Exchange and will automatically be implemented through an upcoming cumulative update.
Internal Office 365 telemetry showed that few end users legitimately send or receive the newly blocked file types. Sysadmins are not typical end users, though, and most of them will feel these changes: common extensions used for PowerShell scripts and certificate administration are no longer allowed.
Microsoft did provide PowerShell cmdlets and sample scripts for this change, which let you loosen or remove the new restrictions. In this article, we look at the file types that are newly blocked in your tenant, learn how to edit the block list, and cover a few workarounds in case you are not an Exchange admin or cannot make the backend changes.
Newly blocked file extensions in Office 365
There is no single list of every file type blocked in Office 365, because attachments can be blocked at more than one layer, so Microsoft publishes a couple of lists. Newer versions of Outlook (2010 and later) block just over a hundred file types in the desktop client; that list covers everything from Access projects (.adp) to Windows Script files (.ws).
The Exchange team has published a second list with the file types now being blocked in every tenant. The two lists overlap somewhat, but it is important to note that the second list applies only to Outlook Web Access/Outlook on the web, not to the desktop client.
Notable newly blocked file types include a whole suite of PowerShell-related extensions (.ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .cdxml, and .pssc), file types used with certificates (.cer, .crt, and .der), and the ClickOnce extension (.appref-ms), which is used by a few Office 365 and System Center tools. The Windows Sandbox extension (.wsb) is also included, which looks odd at first since sandboxes are isolated from the host. A .wsb file is a sandbox configuration, though: it can map host folders into the sandbox with write access and run a logon command once the sandbox starts, so a malicious one can reach data on the host, and blocking it is defensible.
Editing the Exchange blocked file type list
Extensions are added to or removed from the blocked file type list through the OwaMailboxPolicy cmdlets. To edit the list, first run the PowerShell cmdlet Get-OwaMailboxPolicy.
The output lists all Outlook on the web mailbox policies defined in your Exchange environment. Many tenants have just a single one.
Microsoft appends the new blocked extensions to every existing mailbox policy, so if you have more than one, you may need to make your changes in several of them (depending on which policies are assigned to which mailboxes).
The Exchange team has provided the following sample script to add an extension to the allowed file types list (replace POLICYNAME with your policy name and .foo with the extension you need):
# Fetch the policy, append the extension to its AllowedFileTypes list, and write it back.
$policy = Get-OwaMailboxPolicy -Identity POLICYNAME
$allowedFileTypes = $policy.AllowedFileTypes
$allowedFileTypes.Add(".foo")
Set-OwaMailboxPolicy $policy -AllowedFileTypes $allowedFileTypes
To remove an extension from the blocked file type list, you can use the inverse of the above script. That example looks like this:
# Same pattern, but take the extension out of BlockedFileTypes instead.
$policy = Get-OwaMailboxPolicy -Identity POLICYNAME
$blockedFileTypes = $policy.BlockedFileTypes
$blockedFileTypes.Remove(".foo")
Set-OwaMailboxPolicy $policy -BlockedFileTypes $blockedFileTypes
As you can see, the modifications are simple (if you are already set up to manage Exchange Online through PowerShell).
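Microsoft's samples handle one extension in one policy. The following is an added example (not from the original article or from Microsoft's sample) that applies the same two operations to a whole set of extensions across every Outlook on the web mailbox policy in the tenant, skips policies that already allow them, and verifies the result afterwards. It assumes an Exchange Online PowerShell session is already connected; the extension list is our own choice, drawn from the newly blocked types listed above.

```powershell
# Added example: unblock a set of admin-related extensions in every OWA mailbox policy.
# Assumes Connect-ExchangeOnline (or an equivalent remote session) has already been run.
# The extension list is our own selection; adjust it to what your admins actually send.
$adminExtensions = @('.ps1', '.ps1xml', '.psd1', '.cer', '.crt', '.der')

foreach ($policy in Get-OwaMailboxPolicy) {
    # Work on the multi-valued properties of this policy and track whether anything changed,
    # so the script is idempotent and can be re-run after Microsoft pushes new defaults.
    $blocked = $policy.BlockedFileTypes
    $allowed = $policy.AllowedFileTypes
    $changed = $false

    foreach ($ext in $adminExtensions) {
        # Take the extension out of the block list if Microsoft added it there.
        if ($blocked -contains $ext) {
            $blocked.Remove($ext)
            $changed = $true
        }
        # Put it on the allow list; the allow list wins over the block list, and an
        # extension already on the allow list is not re-added to the block list later.
        if ($allowed -notcontains $ext) {
            $allowed.Add($ext)
            $changed = $true
        }
    }

    if ($changed) {
        Set-OwaMailboxPolicy -Identity $policy.Identity `
            -BlockedFileTypes $blocked -AllowedFileTypes $allowed
        Write-Output "Updated policy '$($policy.Name)'"
    } else {
        Write-Output "Policy '$($policy.Name)' already allows all listed extensions"
    }
}

# Verification: report any policy that still blocks one of the extensions.
# An empty result means every policy was updated.
Get-OwaMailboxPolicy | ForEach-Object {
    $stillBlocked = $_.BlockedFileTypes | Where-Object { $adminExtensions -contains $_ }
    if ($stillBlocked) {
        [pscustomobject]@{ Policy = $_.Name; StillBlocked = ($stillBlocked -join ', ') }
    }
}
```

Run it once after the cumulative update (or after Microsoft's next push to Exchange Online) and again whenever the verification step reports a policy, since new policies created later start from Microsoft's defaults rather than from your edited ones.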
Working around Office 365 file type restrictions
You might not be able to (or not want to) change the mailbox policies through PowerShell. When you really need to send a blocked file type, there are a few workarounds you can try.
As of now, the newly blocked file types are only restricted in Outlook on the web. If an extension appears on the Exchange team's Outlook on the web list but not on the Outlook desktop client list, you can try sending the file from the Outlook desktop application instead.
If that does not work, you can rename the file extension, upload the file to a shared location (OneDrive, SharePoint, or a file share) and send a link, or put it in a ZIP archive. Of the three, sharing a link is the most likely to succeed: some environments inspect attachment content rather than trusting the extension, so a renamed file may still be caught, and many organizations block compressed attachments outright.
Final thoughts and one thing to do now
If you have reviewed the blocked file lists described above, add any file types you need to your allowed list now! The allowed list takes precedence over the blocked list, and Microsoft does not add an extension to the blocked file type list if it is already present on the allowed file type list.
For example, you might create a dedicated mailbox policy for IT staff whose allowed file types property lists the PowerShell and certificate file types. As an additional control, add a mail flow rule that lets IT staff exchange these file types internally while quarantining messages from outside the organization that carry them. This lets your IT staff keep sharing files easily while protecting against external threats.
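The following is an added example (not from the original article) of that two-part setup: a separate Outlook on the web mailbox policy for IT staff that allows the admin extensions, assigned only to their mailboxes, plus a mail flow rule that quarantines the same extensions when they arrive from outside the organization. The policy name, the IT-Staff distribution group, and the rule name are placeholders of our own; it assumes a connected Exchange Online PowerShell session.

```powershell
# Added example: dedicated OWA policy for IT staff plus a quarantine rule for external mail.
# Assumes Connect-ExchangeOnline (or an equivalent remote session) has already been run.
# Placeholders (our own): the policy name, the 'IT-Staff' distribution group, the rule name.
$adminExtensions = @('.ps1', '.ps1xml', '.psd1', '.cer', '.crt', '.der')
$policyName      = 'IT Staff OWA Policy'
$ruleName        = 'Quarantine external admin file types'

# 1. Create the policy only if it does not exist yet. A new policy starts from
#    Microsoft's defaults, so the admin extensions are blocked until we allow them.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# 2. Allow the extensions. Adding to AllowedFileTypes is enough: the allow list takes
#    precedence over the block list, and Microsoft does not re-block an allowed extension.
$policy  = Get-OwaMailboxPolicy -Identity $policyName
$allowed = $policy.AllowedFileTypes
foreach ($ext in $adminExtensions) {
    if ($allowed -notcontains $ext) { $allowed.Add($ext) }
}
Set-OwaMailboxPolicy -Identity $policyName -AllowedFileTypes $allowed

# 3. Assign the policy to IT staff mailboxes only; everyone else keeps their current policy.
foreach ($member in Get-DistributionGroupMember -Identity 'IT-Staff') {
    Set-CASMailbox -Identity $member.PrimarySmtpAddress -OwaMailboxPolicy $policyName
}

# 4. Quarantine the same extensions when the sender is outside the organization.
#    Internal mail between staff is untouched because FromScope is NotInOrganization.
#    AttachmentExtensionMatchesWords expects extensions without the leading dot.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -AttachmentExtensionMatchesWords ($adminExtensions.TrimStart('.')) `
        -Quarantine $true `
        -Comments 'Companion to the IT staff OWA policy; release from quarantine after review.'
}

# Show what was configured so the change can be checked against the plan.
Get-OwaMailboxPolicy -Identity $policyName | Select-Object Name, AllowedFileTypes
Get-TransportRule -Identity $ruleName | Select-Object Name, FromScope, AttachmentExtensionMatchesWords, Quarantine
```

The quarantine rule is the piece that keeps the allow list from widening your attack surface: an external sender who mails a .ps1 to an IT mailbox never reaches Outlook on the web's attachment check, because the message is held in quarantine first. Keep the extension list in both halves identical, and review the quarantine regularly so legitimate vendor mail is not lost.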
While I think these changes are good for the overall security posture in Office 365, I do not like how blocked file types are automatically added to existing client policies. I think an opt-in method might be a better approach. If you have any additional tips for managing file type lists or have problems with the PowerShell examples in this guide, leave a comment below.