Malware scanning uploaded attachments Power Pages

Power Pages can be configured to allow end users to upload attachments. These end users could be authenticated or anonymous, but are typically external to your organisation. Most organisations would prefer some security scanning on those attachments before they reach internal users. Here’s how to tackle that.

For years I’ve referred customers to this post by Stu Eggerton that explains the concepts for generic applications hosted in Azure, but it’s 2025 and time to update it. The good news is we can skip the Container A vs Container B movements - with Microsoft Defender for Storage.

Ingredients you’ll need

Run to your kitchen cloud and grab these ingredients.

  • 1 x Power Pages site
  • 1 x Azure Subscription
  • Defender for Storage (Pricing Page)
  • 1 x Azure Storage Container
  • Power Apps skills


Let’s cook!

Overview

What we’re going to do is:

  1. Create an Azure Storage container for the Blobs
  2. Configure the Power Pages site to use Azure Blob Storage
  3. Configure Defender for Cloud to scan the container(s)
  4. Configure an internal UI for users to access the uploaded blobs

It’s going to look something like this.

Power Pages Malware Scanning Overview

1. Azure Storage container

Head over to Create an Azure storage account and then Create a container.


2. Connect Power Pages and Blob Storage

Head over here to Enable Azure storage for Power Pages


3. Defender for Storage

What is it

According to the product page …

Defender for Storage offers two types of malware scanning:

- On-upload malware scanning: Scans blobs automatically when they’re uploaded or modified, providing near real-time detection. This type of scanning is ideal for applications that involve frequent user uploads, such as web applications or collaborative platforms. Scanning content as it is uploaded helps prevent malicious files from entering your storage environment and propagating downstream.

- On-demand malware scanning: Lets you scan existing blobs whenever necessary, making it ideal for incident response, compliance, and proactive security. This scanning type is ideal for establishing a security baseline by scanning all existing data, reacting to security alerts, or preparing for audits.

These options help you protect your storage accounts, meet compliance needs, and maintain data integrity.

We’re interested in the first one!

Keeping things clean

The second part of this is - what happens when a nasty file is detected, and how do I keep it away from my users? You can configure Defender to delete or quarantine files that return negative results.

The other thing to note is that scanned files have metadata tags applied to them. So when we get to allowing users to download these files we will use the presence (or not) of these tags to limit the results.

This simple approach means you don’t need to make your own automation to move scanned files from A to B. If you wanted to do your own automation, just consume the Event Grid events.

Set up and configure Microsoft Defender for Storage

Head over to https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-storage-plan#set-up-and-configure-microsoft-defender-for-storage


4. Dude where’s my blobs?!

Connecting Power Pages and blob storage is great for the Power Pages users, they can upload files - MISSION ACCOMPLISHED (for them).

Your internal users in a model-driven app can’t see them. This has nothing to do with malware scanning; it’s always been part of the “configure blob storage” pattern. This is where you, the consultant / maker / developer, add value!

The easiest approach here is to use low-code and a connector to surface the blobs for your users. A Canvas App embedded, or even a Custom Page (the hidden gem). Create a UI, utilise the Azure Blob Storage Connector, point it to your Blob Storage container and have at it.

There is also a Web Resource (JavaScript) based approach with Microsoft providing an example you can download. That will only work in a model-driven app, but it allows you to add further logic as well. Head here to gobble up that web resource.

Rather than let your users navigate ALL the blobs, you probably want to provide some context, such as showing them only the specific folder for the record they are viewing - I’ll leave that to you, the reader, to work out.


5. I’m on a blob-free diet

If you don’t want to leave the files in Azure Storage but want to move them to somewhere like SharePoint then you’ll be pleased to know Defender for Storage can raise Event Grid events. These events can be consumed and you can take action with something like an Azure Function. So you could use this to move the files after they have been scanned (with no negative results!). If the destination is SharePoint it’s worth mentioning SharePoint has its own malware scanning as well. But … defense in depth as they say in the movies.
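An added example (not code from this article or from Microsoft) of the two checks described above: deciding from a scan result event whether a blob may be moved, and filtering the internal blob list by the scan result tag from "Keeping things clean". The event field names (`eventType`, `blobUri`, `eTag`, `scanResultType`), the tag key, the verdict strings and the account and container names are assumptions to check against your own events and blobs.

```javascript
// Added example. Event field names and the tag key are assumptions; verify them in your tenant.
const SCAN_EVENT = "Microsoft.Security.MalwareScanningResult";
const RESULT_TAG = "Malware Scanning scan result";
const CLEAN = "No threats found";
const MALICIOUS = "Malicious";

// Split a blob URL into account, container and blob path; throws on malformed input.
function parseBlobUri(blobUri) {
  const { hostname, pathname } = new URL(blobUri);
  const [container, ...rest] = pathname.replace(/^\//, "").split("/");
  if (!container || rest.length === 0) throw new Error("not a blob URL");
  return { account: hostname.split(".")[0], container, blob: decodeURIComponent(rest.join("/")) };
}

// Decide what happens to a blob after a scan event. `currentETag` is the ETag the
// caller reads from the blob just before acting; `expected` is the upload container.
function decide(event, expected, currentETag) {
  if (!event || event.eventType !== SCAN_EVENT || !event.data) {
    return { action: "ignore", reason: "not a scan result" };
  }
  const { blobUri, eTag, scanResultType } = event.data;
  let where;
  try { where = parseBlobUri(blobUri); } catch { return { action: "hold", reason: "unparseable blobUri" }; }
  if (where.account !== expected.account || where.container !== expected.container) {
    return { action: "ignore", reason: "different account or container" };
  }
  if (scanResultType === MALICIOUS) return { action: "quarantine", reason: "malware reported", ...where };
  // Fail closed: anything other than the exact clean verdict stays where it is.
  if (scanResultType !== CLEAN) return { action: "hold", reason: "no clean verdict", ...where };
  // The verdict covers the scanned version only; a later overwrite is unscanned.
  if (!eTag || eTag !== currentETag) return { action: "hold", reason: "blob changed since scan", ...where };
  return { action: "move", reason: "clean and unchanged", ...where };
}

// Internal UI filter: list a blob only when its tag says clean; untagged means unscanned.
function visibleToInternalUsers(blobs) {
  return blobs.filter((b) => (b.tags || {})[RESULT_TAG] === CLEAN);
}

// Constructed sample input (not captured from a real subscription).
const sampleEvent = {
  eventType: SCAN_EVENT,
  data: { blobUri: "https://examplestore.blob.core.windows.net/portal-uploads/contact-42/cv.pdf",
          eTag: "0x1", scanResultType: CLEAN },
};
const uploadContainer = { account: "examplestore", container: "portal-uploads" };
console.log(decide(sampleEvent, uploadContainer, "0x1"));
console.log(decide(sampleEvent, uploadContainer, "0x2"));
```

Compare ETags in the same form, since an SDK may return the value wrapped in quotes while the event carries it bare.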

Dishing it up

There you have it, a tasty fusion meal made up of Power Platform and Microsoft Azure. A great example of being able to leverage the wider Microsoft cloud if the Power Platform alone doesn’t meet all your requirements.

Bone Apple Tea!

Hi Craig, thanks for the article. If the Power Pages users want to view their uploaded files, are there any features available OOTB or do we need to roll our own with Shared access signatures?
