Get started with the data loss prevention on-premises scanner

This article walks you through the prerequisites and configuration for the Microsoft Purview data loss prevention on-premises scanner.


If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

SKU/subscriptions licensing

Before you get started with DLP on-premises scanner, you should confirm your Microsoft 365 subscription and any add-ons. The admin account that sets up the DLP rules must be assigned one of the following licenses:

  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Microsoft 365 E5 Information Protection & Governance

For full licensing details see: Microsoft 365 licensing guidance for security & compliance


All users who contribute to the scanned location either by adding files or consuming files need to have a license, not just the scanner user.


Data from DLP on-premises scanner can be viewed in Activity explorer. There are four roles that grant permission to activity explorer, the account you use for accessing the data must be a member of any one of them.

  • Global administrator
  • Compliance administrator
  • Security administrator
  • Compliance data administrator

Roles and Role Groups

There are roles and role groups in preview that you can test out to fine tune your access controls.

Here's a list of applicable roles that are in preview. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups that are in preview. To learn more about the, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

DLP on-premises scanner prerequisites

  • The Azure Information Protection (AIP) scanner implements DLP policy matching and policy enforcement. The scanner is installed as part of the AIP client so your installation must meet all the prerequisites for AIP, the AIP client, and the AIP unified labeling scanner.
  • Deploy the AIP client and scanner. For more information see, Install the AIP unified labeling client and, Configuring and installing the information protection scanner.
  • There must be at least one label and policy published in the tenant, even if all your detection rules are based on sensitive information types only.

Deploy the DLP on-premises scanner

  1. Follow the procedures in Install the AIP unified labeling client.

  2. Follow the procedures in Configuring and installing the information protection scanner to complete the scanner installation.

    1. Network discovery jobs configuration is an optional step. You can skip it and define specific repositories to be scanned in your content scan job.
    2. You must create content scan job and specify the repositories that host files that need to be evaluated by the DLP engine.
    3. Enable DLP rules in the created Content scan job, and set the Enforce option to Off, unless you want to proceed directly to the DLP enforcement stage.
  3. Verify that you content scan job is assigned to the right cluster. If you still did not create a content scan job create a new one and assign it to the cluster that contains the scanner nodes.

  4. Connect to the Azure Information Protection extension in Azure portal and add your repositories to the content scan job that will perform the scan.

  5. Do one of the following to run your scan:

    1. set the scanner schedule
    2. use the manual Scan Now option in the portal
    3. or run Start-AIPScan PowerShell cmdlet


    Remember that the scanner runs a delta scan of the repository by default and the files that were already scanned in the previous scan cycle will be skipped unless the file was changed or you initiated a full rescan. Full rescan can be initiated by using Rescan all files option in the UI or by running Start-AIPScan-Reset.

  6. Open the Data loss prevention page in the Microsoft Purview compliance portal.

  7. Choose Create policy and create a test DLP policy. See Create and Deploy data loss prevention policies if you need help creating a policy. Be sure to run it in test until you are comfortable with this feature. Use these parameters for your policy:

    1. Scope the DLP on-premises scanner rule to specific locations if needed. If you scope locations to All, all files scanned by the scanner will be subject to the DLP rule matching and enforcement.
    2. When specifying the locations, you can use either exclusion or inclusion list. You can either define that the rule is relevant only to paths matching one of the patterns listed in inclusion list or, all files, except the files matching the pattern listed in inclusion list. No local paths are supported. Here are some examples of valid paths:
    • \\server\share
    • \\server\share\folder1\subfolderabc
    • *\folder1
    • *secret*.docx
    • *secret*.*
    • https:// sp2010.local/sites/HR
    • https://*/HR
    1. Here are some examples of unacceptable values use:
    • *
    • *\a
    • Aaa
    • c:\
    • C:\test


The exclusion list takes precedence over the inclusions list.

Viewing DLP on-premises scanner alerts in DLP Alerts Management dashboard

  1. Open the Data loss prevention page in the Microsoft Purview compliance portal and select Alerts.

  2. Refer to the procedures in How to configure and view alerts for your DLP policies to view alerts for your on-premises DLP policies.

Viewing DLP on-premises scanner in activity explorer and audit log


The on-premises scanner requires that auditing be enabled. In Microsoft 365 auditing is enabled by default.

  1. Open the Data classification page for your domain in the Microsoft Purview compliance portal and select Activity explorer.

  2. Refer to the procedures in Get started with Activity explorer to access and filter all the data for your on-premises scanner locations.

  3. Open the Audit log in the Compliance center. The DLP rule matches are available in Audit log UI or accessible by Search-UnifiedAuditLog PowerShell

Next steps

Now that you have deployed a test policy for DLP on-premises locations and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items.

See also