Tutorial: Discovering your sensitive content with the Azure Information Protection (AIP) scanner

The Azure Information Protection client provides an on-premises scanner that enables system administrators to scan on-premises file repositories for sensitive content.

In this tutorial, you'll learn how to:

  • Add any risky repositories found to a content scan job
  • Scan your content shares for sensitive content and understand results found

Time required: You can finish this configuration in 15 minutes.

Tutorial prerequisites

Requirement Description
A supporting subscription You'll need an Azure subscription that includes Azure Information Protection.

If you don't have one of these subscriptions, you can create a free account for your organization.
Admin access to the Azure portal Make sure that you can sign in to the Azure portal with a supported administrator account, and have protection enabled. Supported administrator accounts include:

- Compliance administrator
- Compliance data administrator
- Security administrator
- Global administrator
AIP client and scanner To complete this tutorial, you'll need to have installed the Azure Information Protection unified labeling client and scanner.

For more information, see:

- Quickstart: Deploying the Azure Information Protection (AIP) unified labeling client
- Tutorial: Installing the Azure Information Protection (AIP) unified labeling scanner
A content scan job Make sure you have a basic content scan job that you can use for testing. You may have created one when you installed your scanner.

If you need to create one now, you can use the instructions in Configure Azure Information Protection in the Azure portal. When you have a basic content scan job, return here to complete this tutorial.
SQL Server To run the scanner, you'll need SQL Server installed on the scanner machine.

To install, go to the SQL Server download page and select Download now under the installation option you want to install. In the installer, select the Basic installation type.

Note: We recommend installing SQL Server Enterprise for production environments, and Express only for testing.
Azure Active Directory account When working with a standard, cloud-connected environment, your domain account must be synchronized to Azure Active Directory. This isn't necessary if you're working offline.

If you're not sure about your account, contact one of your system administrators to verify the synch status. For more information, see Deploying the scanner with alternative configurations.
Sensitivity labels and a published policy You must have created sensitivity labels, and published a policy with at least one label to the Microsoft Purview compliance portal, for the scanner service account.

Configure sensitivity labels in the Microsoft Purview compliance portal. For more information, see the Microsoft 365 documentation.

Define and run your content scan job

Use the content scan job you prepared with the tutorial prerequisites to scan your content.

If you don't have a content scan job yet, perform Configure initial settings in the Azure portal, and then return here to continue.

  1. Sign in to the Azure portal as a supported administrator, and navigate to the Azure Information Protection pane.

  2. In the Scanner menu on the left, and select Content scan jobs, and then select your content scan job.

  3. Edit your content scan job settings, making sure that you have a meaningful name and optional description.

    Keep the default values for most of the settings, except for the following changes:

    • Treat recommended labeling as automatic. Set to On.

    • Configure repositories. Ensure that there is at least one repository defined.

    • Enforce. Set to On

  4. Select Save, and then return to the Content scan jobs grid.

  5. To scan your content, go back to the Content scan jobs area, and select your content scan job.

    In the toolbar above the grid, select Scan now to start the scan.

    When the scan is complete, continue with View scan results.

View scan results

When the scan is complete, check the reports in Azure Information Protection > Analytics area in the Azure portal.

For example:

Scanner results Analytics Data discovery report


If your results are empty and you would like to run a meaningful scan, create a file named Payment info in one of the repositories included in your content scan job. Save the file with the following content:

Credit card: 2384 2328 5436 3489

Run your scan again to see the difference in the results.

For more information, see Central reporting for Azure Information Protection (public preview)

Local scanner reports

Logs are also stored locally in the %localappdata%\Microsoft\MSIP\Scanner\Reports directory on the scanner machine, and include:

Type Description
.txt summary files Includes the time taken to scan, the number of scanned files, and how many files had a match for the information types.
.csv detail files Contains detailed descriptions for each file scanned. The directory can hold up to 60 reports for each scanning cycle.

Next steps

For more information, see: