Get started with the data loss prevention on-premises repositories

This article walks you through the prerequisites and configuration for using the Microsoft Purview Data Loss Prevention on-premises repositories location in a DLP policy.


If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

SKU/subscriptions licensing

Before you get started with DLP on-premises repositories, you should confirm your Microsoft 365 subscription and any add-ons. The admin account that sets up the DLP rules must be assigned one of the following licenses:

  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Microsoft 365 E5 Information Protection & Governance

For full licensing details, see: Microsoft 365 licensing guidance for security & compliance


All users who contribute to the scanned location, either by adding files or consuming files, need to have a license, not just the scanner user.


Data from DLP can be viewed in activity explorer. There are four roles that grant permission to activity explorer, the account you use for accessing the data must be a member of any one of them.

  • Global administrator
  • Compliance administrator
  • Security administrator
  • Compliance data administrator

Roles and Role Groups

There are roles and role groups in that you can test out to fine tune your access controls.

Here's a list of applicable roles. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups. To learn more, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

DLP on-premises repositories prerequisites

  • The Microsoft Purview information protection scanner implements DLP policy matching and policy enforcement. The scanner is installed as part of the AIP client, so your installation must meet all the prerequisites for AIP, the AIP client, and the AIP unified labeling scanner.
  • Deploy the AIP client and scanner. For more information, see, Install the AIP unified labeling client and, Configuring and installing the information protection scanner.
  • There must be at least one label and policy published in the tenant, even if all your detection rules are based on sensitive information types only.

Deploy the DLP on-premises scanner

  1. Follow the procedures in Install the AIP unified labeling client.

  2. Follow the procedures in Configuring and installing the information protection scanner to complete the scanner installation.

    1. You must create a content scan job and specify the repositories that host the files to be evaluated by the DLP engine.
    2. Enable DLP rules in the created content scan job, and set the Enforce option to Off (unless you want to proceed directly to the DLP enforcement stage).
  3. Verify that your content scan job is assigned to the right cluster. If you haven't created a content scan job, create a new one and assign it to the cluster that contains the scanner nodes.

  4. Connect to the Microsoft Purview compliance portal and add your repositories to the content scan job that will perform the scan.

  5. Do one of the following to run your scan:

    1. Set the scanner schedule
    2. Use the manual Scan Now option in the portal
    3. Run Start-AIPScan PowerShell cmdlet


    Remember that the scanner runs a delta scan of the repository by default and files that were scanned in the previous scan cycle will be skipped, unless the file was changed or you initiated a full rescan. A full rescan can be initiated by using the Rescan all files option in the UI or by running Start-AIPScan-Reset.

  6. Open the Data loss prevention page in the Microsoft Purview compliance portal.

  7. Choose Create policy and create a test DLP policy. See Create and Deploy data loss prevention policies if you need help with creating a policy. Be sure to Run the policy in simulation mode until you're comfortable with this feature. Use these parameters for your policy:

    1. Scope the DLP on-premises repositories rule to specific locations if needed. If you scope locations to All, all files scanned will be subject to the DLP rule matching and enforcement.
    2. When specifying the locations, you can use either exclusion or inclusion list. You can either define that the rule is relevant only to paths matching one of the patterns listed in inclusion list or, all files, except the files matching the pattern listed in inclusion list. No local paths are supported. Here are some examples of valid paths:
    • \\server\share
    • \\server\share\folder1\subfolderabc
    • *\folder1
    • *secret*.docx
    • *secret*.*
    • https:// sp2010.local/sites/HR
    • https://*/HR
    1. Here are some examples of unacceptable values use:
    • *
    • *\a
    • Aaa
    • c:\
    • C:\test


The exclusion list takes precedence over the inclusions list.

Viewing DLP alerts

  1. Open the Data loss prevention page in the Microsoft Purview compliance portal and select Alerts.

  2. Refer to the procedures in Get started with the data loss prevention Alerts dashboard and Investigate data loss incidents with Microsoft Defender XDRto view alerts for your on-premises DLP policies.

Viewing DLP data in activity explorer and audit log


The Information Protection scanner requires that auditing be enabled. Auditing is enabled by default in Microsoft 365.

  1. Open the Data classification page for your domain in the Microsoft Purview compliance portal and select Activity explorer.

  2. Refer to the procedures in Get started with Activity explorer to access and filter all the data for your on-premises scanner locations.

  3. Open the Audit log in the compliance center. The DLP rule matches are available in the Audit log UI or accessible by Search-UnifiedAuditLog in PowerShell.

Next steps

Now that you've deployed a test policy for DLP on-premises locations and can view the activity data in Activity explorer, you're ready to move on to your next step where you create DLP policies that protect your sensitive items.

See also