Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
519 questions
AIP Scanner for Sensitive Information Types
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 60%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
jpcapone
1,301
Reputation points
When I run a test AIP scan using the default configuration listed here it still seems that the sensitive info types that are found have to be associated with an existing label. I am basing this on the detailed report that is generated after each scanner run. I would think that this option would hinge the content scan job setting for Info types to be discovered, and if it is set to ALL or Policy only. When I set it to ALL, I am not seeing a report of ALL sensitive info types, just those associated with a label. Is this the correct behavior?
EDIT: I created a custom DLP policy based off of the U.S. Financial Data SSN template and put it into test mode. After doing this I ran another scan and noted that the various information types did show up in the detailed report. Is this the expected behavior?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 28,406 Reputation points Microsoft Employee2023-10-04T08:14:07.19+00:00 @jpcapone Thank you for reaching out to us, let me check on this and revert back.
-
Givary-MSFT 28,406 Reputation points Microsoft Employee
2023-10-10T03:26:28.7233333+00:00 @jpcapone Apologies for the delayed response, regarding your query researched/discussed with my team.
Info types to be discovered is exclusive for AIP not DLP. And yes it should find all sensitive info types and bypass the ones from your labels.
Let me know if you have any further questions, feel free to post back.
-
Givary-MSFT 28,406 Reputation points Microsoft Employee
2023-10-12T07:49:42.8666667+00:00 @jpcapone Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
-
jpcapone 1,301 Reputation points
2023-10-12T11:55:56.99+00:00 Yes, just for clarification. I know that the different types of SITS did not show up in the discovery scan UNTIL I created a DLP policy and put it into to test mode. So, I am not sure what you mean when you say "Info types to be discovered is exclusive for AIP not DLP". Can you please explain?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 9%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFM%3C/text%3E%3C/svg%3E)
Fiona Matu 81 Reputation points Microsoft Employee2024-03-04T12:21:49.6333333+00:00 Hi @jpcapone ,
from my understanding, the observed behavior is correct. When you set the content scan job setting to "ALL", the AIP scanner detects all types of sensitive information that are defined in your AIP policy, but it only labels and protects documents that contain sensitive information types associated with a label in your policy.
When you created a custom DLP (Data Loss Prevention) policy based on the U.S. Financial Data SSN template and put it into test mode, you started detecting more information types because your DLP policy likely defines more sensitive information types than your AIP policy.
Sign in to comment