enforcing the labels

Question

enforcing the labels

Nikitha Cheemati 170

Hi - I've deployed IP scanner with the below configurations under content scan job(and mentioned as 'content scan job default' for the repository configuration). I'm looking to enforce labels now. So, I could see that, 4 labels were configured under Information protection-> sensitivity labels. As per my understanding, we need to create more labels if we want under sensitivity labels and also to enable 'Enforce sensitivity labelling policy' option under content scan job configuration?

Is that all required to enable labelling after deploying Scanner? (i mean, do i need to enable any other options here?)

User's image

0 comments

3 answers

Your answer

Answer 1

The main issue we are experiencing is linked to the separation of accounts: the NTFS scanner account has local AD/NTFS permissions and (due to the configuration) the Purview account is Entra ID only. How can we delegate write (label) permissions to the on-premises account that is not sync'd from AD to Entra? UPDATE: The above account separation was not the issue. Enabling "Label files based on content" and "Relabel files" with a custom Default Label worked. However this did not auto-detect sensitive content and apply higher levels of labeling that was defined in our auto-labeling policy.

Answer 2

Dora-T 13,745 Microsoft External Staff Moderator

Hi @Niharika Ch

Thank you for reaching out to Microsoft Q&A Support.

To perform labeling effectively with the Microsoft Purview Information Protection scanner, you don’t necessarily need to enable all options, but it depends on your labeling goals.

I wanted to share some important details regarding the configuration of the sensitivity labeling policy for the scanner, particularly in relation to how labels are applied to files within data repositories.

Helpful articles:

Issues with Microsoft Purview Information Protection scanner - Microsoft 365 | Microsoft Learn

Using the Purview Information Protection Scanner to do Sensitive File Inventory and Background Labeling | Practical365

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have additional questions about this answer, feel free to click "Comment".

Note: Please follow the steps in our documentation to enable email notifications if you want to receive updates for this thread.

Dora-T 13,745 Reputation points Microsoft External Staff Moderator

2025-06-02T04:41:02.5033333+00:00

Hi @Niharika Ch

It has been a while and I am writing to see how things are going with this issue.

Have you had a chance to check the replies provided?

Any updates would be greatly appreciated, and if the information helped you, please feel free to mark it as an answer.

Warm thanks.
Dora-T 13,745 Reputation points Microsoft External Staff Moderator

2025-06-04T01:42:56.17+00:00

Hi @Niharika Ch

Is there any update on this thread?

If the issue has been resolved, please mark the helpful replies as answers.

This helps others in the community facing similar problems.

Thanks for your understanding.

Answer 3

Venkat Reddy Navari 5,840 Microsoft External Staff Moderator

Hi @Niharika Ch You're on the right track, deploying the AIP scanner and configuring the content scan job is the first step. To enforce labeling after deployment, you'll need to make a few adjustments in your content scan job settings:

From your screenshot, the “Enforce sensitivity labeling policy” toggle is currently Off. You should switch this to “On” to ensure that labeling is enforced based on your published sensitivity labels.

Additionally, consider enabling the following for full labeling functionality:

Label files based on content: Turn this On if you want the scanner to automatically apply labels based on file content matching conditions in your sensitivity labels.
Enable DLP policy rules (optional): Enable this if you want to apply Data Loss Prevention policies during the scan.
Default label (optional): You can set a default label to apply to files that don’t match any label condition, though this depends on your labeling strategy.
Relabel files (optional): Turn this On if you want existing labels to be overwritten when a higher-sensitivity label is detected.

Also, make sure the sensitivity labels are published to the Scanner service account and the Scanner has the required permissions (e.g., Information Protection Admin role). After updating these settings, republish the scan job.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.

Nikitha Cheemati 170 Reputation points

2025-05-29T14:54:24.2866667+00:00

thanks for your prompt response. Could you please help me explain a few more details and how to do it?

Also, make sure the sensitivity labels are published to the Scanner service account and the Scanner has the required permissions (e.g., Information Protection Admin role). After updating these settings, republish the scan job.
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-05-30T09:30:23.44+00:00
Hi @Niharika Ch Glad to hear back from you! Let me clarify the two key points you asked about:

Publishing Sensitivity Labels to the Scanner

To make sure the AIP Scanner can apply sensitivity labels, they need to be published to the scanner service account. Here’s how:

Navigate to Microsoft Purview portal → Information Protection → Label policies.

Edit your existing policy or create a new one.

Under "Users and groups", add the service account used by the Scanner (typically a dedicated account set up during deployment).

Save and publish the policy.

Without this, the scanner won't have access to the sensitivity labels during the scan.

Required Permissions for the Scanner Account

Ensure the Scanner service account has the necessary permissions:

In the Azure portal, go to Azure Active Directory → Roles and administrators.

Assign one of the following roles to the Scanner account: Information Protection Administrator, or Compliance Administrator

These roles allow the scanner to read label policies and apply them to scanned files.

Once these two steps are completed, please remember to republish your content scan job so the new settings take effect.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.
Nikitha Cheemati 170 Reputation points

2025-05-30T14:50:58.1+00:00

Thanks for your response. Do you mean to rescan the content scan job when you said below please?

Once these two steps are completed, please remember to republish your content scan job so the new settings take effect.
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-05-30T15:00:29.8933333+00:00

@Niharika Ch Yes, by “republish your content scan job,” I meant you should rescan it after making the changes. This ensures the scanner uses the latest settings, like the updated labels and permissions.
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-06-03T01:02:04.21+00:00

@Niharika Ch Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Nikitha Cheemati 170 Reputation points

2025-06-04T10:52:05.4+00:00
thanks for your follow-up. But for some reason, I'm unable to see service account which i used for deployment at these below steps? I can see the other account which was used as part of the deployment. (I mean the delegated user account i used during deployment. - *Set-Authentication -AppId <ID of the registered app> -AppSecret <client secret sting> -**DelegatedUser ******@example.com *-TenantId <your tenant ID> -OnBehalfOf $pscreds

Under "Users and groups", add the service account used by the Scanner (typically a dedicated account set up during deployment).

Assign one of the following roles to the Scanner account: Information Protection Administrator, or Compliance Administrator
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-06-04T11:08:15.9933333+00:00
@Niharika Ch It looks like you're using a delegated user account (******@contoso.com) via the Set-Authentication command during scanner setup. This means the scanner is operating on behalf of that specific user, rather than a standalone scanner service account.

Follow these steps:

Publish Sensitivity Labels to the Delegated User Account: Since you're using a delegated authentication model, you need to make sure that ******@contoso.com is included in the label policy under Users and groups. This allows the scanner (acting through this user) to see and apply those labels.

Assign Required Permissions to the Delegated Account: Go to Azure Active Directory → Roles and administrators, and ensure the delegated user account (******@contoso.com) has one of the following roles:

Information Protection Administrator

Compliance Administrator

Republish and Rescan: Once you've added the delegated account to the label policy and assigned the necessary permissions, republish your content scan job. This ensures that the new settings take effect, and the scanner can apply labels as expected.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.
Nikitha Cheemati 170 Reputation points

2025-06-04T11:10:28.1066667+00:00

thanks for your prompt response. I've given compliance admin permissions to delegated user account and also included it under label policy. But still the labels are not showing up in the documents?

Just a note to mention on one thing if it matters - I've added service account permissions to the repository which is part of the content scan job but not the delegated user account. I suppose that's how it should be right?

Could you please send me the relevant MS docs reference links as well for the information which you mentioned earlier? Thanks.
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-06-05T10:54:09.4366667+00:00
@Niharika Ch Since you've already assigned Compliance Admin permissions to the delegated user account and included it under the label policy, but sensitivity labels are still not appearing in documents, here are a few key areas to check:

Verify Label Policy Application:

The sensitivity labels are correctly published to the delegated user account (examplescanner@...).

The label policy is active and includes the labels you're expecting.

The account is not scoped out by any policy filters or groups.

Repository Access – Important: You mentioned that only the service account has access to the repository, and not the delegated user. Since you're using delegated authentication (via Set-Authentication -DelegatedUser), the scanner operates in the context of the delegated user account.

Yes, the delegated user account must have read access to the content repositories being scanned (e.g., network shares or folders). Without this, the scanner cannot read or label the files, even if everything else is configured correctly.

Scanner Permissions: Ensure the delegated user account has the appropriate Azure AD roles (e.g., Information Protection Administrator or Compliance Administrator) — which you've already assigned — and that there are no conditional access policies blocking access.

For further details, you can refer to the official Microsoft documentation on sensitivity labels:

https://learn.microsoft.com/en-us/purview/create-sensitivity-labels

https://learn.microsoft.com/en-us/purview/sensitivity-labels

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.
Nikitha Cheemati 170 Reputation points

2025-06-05T12:12:44.38+00:00

Thanks for your response. The delegated account I’ve here is not synced with on premise which is the reason I’m unable to add it to the file paths. Do you know any other possible options I can try please?
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-06-05T13:04:22.5933333+00:00
@Niharika Ch thanks for the clarification that’s a key detail, and it helps explain the issue.

We didn’t ask about on-prem sync earlier because it's typically assumed that delegated accounts used with the AIP Scanner are synced and have access to the content sources this is a common deployment setup. Thanks for calling this out it helped surface the core issue.

Since the delegated user account isn’t synced with on-prem, it won’t be able to access the file paths defined in your content scan job. As a result, the scanner can't read or label the files — even if all other configurations are correct.

Here are options you can consider:

Sync the Delegated User to On-Prem AD: If possible, use Azure AD Connect to sync the delegated user account with your on-prem environment. Once synced, you can:

Grant NTFS/share access to the scan repositories,

Continue using delegated authentication,

And ensure labeling works as expected.

Switch to App-Only Authentication: If syncing isn’t feasible, you can configure the scanner to use app-only authentication instead:

The scanner will use a service principal (app registration) rather than a delegated user.

File access permissions will be assigned to the local service account running the scanner, not the Azure AD account.

The app principal still needs to be included in your sensitivity label policy and have an appropriate role (like Information Protection Admin).

For more detailed information: https://learn.microsoft.com/en-us/purview/deploy-scanner-configure-install?tabs=azure-portal-only#configure-the-scanner-for-app-only-authentication

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.
Deep 20 Reputation points

2025-06-05T13:52:18.1466667+00:00

i've the same query
Nikitha Cheemati 170 Reputation points

2025-06-05T13:54:34.5566667+00:00

Thanks again for your prompt response. If I consider to use app-only authentication- when you mentioned about app registration, do you mean the app registration we used during deployment?
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-06-05T14:08:39.14+00:00

@Niharika Ch Yes, the app registration for app-only authentication is the same one used during your AIP Scanner deployment.

Make sure it has the required API permissions (like Information Protection) and a client secret or certificate configured. The scanner will use this app identity instead of a delegated user.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.
Nikitha Cheemati 170 Reputation points

2025-06-05T14:22:54.6266667+00:00
Thanks for your quick response!

Switch to App-Only Authentication: If syncing isn’t feasible, you can configure the scanner to use app-only authentication instead:

The scanner will use a service principal (app registration) rather than a delegated user. - Sure, i'll consider using the App registration which is used during the scanner deployment

File access permissions will be assigned to the local service account running the scanner, not the Azure AD account. - The service account used during deployment has write permissions applied to the file path - would that be okay with this approach in terms of accessing the files?

The app principal still needs to be included in your sensitivity label policy and have an appropriate role (like Information Protection Admin). - Could you help me explain a bit more on this please? I've assigned Azure 'Information Protection Administrator' role to the App registration but can't see any way to include in sensitivity label policy? (I think I'm only this step away to enforce the labels)
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-06-09T07:20:36.0266667+00:00
@Niharika Ch Thanks for your confirmation here's a clarification based on your questions:

App registration confirmation: Yes, you can continue using the same app registration created during the AIP Scanner deployment. Just ensure it has the Information Protection Administrator role assigned in Azure AD and a valid client secret or certificate configured.

File path access: In app-only authentication, the local Windows service account (running the scanner) needs read/write access to the file paths being scanned — not the Azure AD account. Since you've already granted permissions to that local service account, you're correctly set up here.

Sensitivity label policy visibility: You're right app registrations can't be directly added to sensitivity label policies. These policies only support users and groups. As a workaround:

You can publish the label policy to a group or user that represents your scanning scenario (e.g., an admin group).

This won’t block the scanner from applying labels, as long as the app identity has the right role and the scanner job is republished with updated config.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.
Nikitha Cheemati 170 Reputation points

2025-06-09T09:08:15.8733333+00:00

thanks for your response. It looks like only "Microsoft 365" groups can only be added under labels but can't see the app registrations to add as part of "Microsoft 365" group? I could only add app registration for a security group but that can't be added as part of labels? Let me know if i'm missing anything here, thanks.
Venkat Reddy Navari 5,840 Reputation points Microsoft External Staff Moderator

2025-06-10T11:01:29.3133333+00:00

@Niharika Ch Sensitivity label publishing policies currently only support assigning to users, mail-enabled security groups, Microsoft 365 groups, and distribution groups. Unfortunately, service principals (like app registrations) and non-mail-enabled security groups can’t be added to label policies.

You cannot directly include an app registration or its security group in a label policy.

Labels won’t be “visible” to the app principal but that’s okay, because: As long as the scanner job is configured with “Label files based on content”, And the scanner’s app registration has the Information Protection Admin role, The scanner can still apply sensitivity labels based on the conditions defined inside each label (no label policy visibility needed for app-only).

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.

Share via

enforcing the labels

3 answers

Your answer