AIP Scanner++ (Discovering all the sensitive data)

The Situation:

So, you know that you have terabytes of unstructured data on your file shares and document libraries but you are uncertain how much of it is actually sensitive and needs to be protected.  In the past, discovering sensitive data was time consuming and potentially costly using 3rd party solutions or a massive amount of manpower to accomplish (but realistically, it probably has never been done).  Luckily, Microsoft introduced the AIP Scanner to help with bulk encryption of data, but we actually went one step further and have provided a way for you to discover all of the different types of data that you have scattered throughout your network.

The Solution:

The AIP Scanner now has a feature that will allow for the discovery of sensitive data by scanning against all of the information types defined in O365 and any custom types you create.  And the discovery portion can be done with only AIP P1/EMS E3 licenses.  The new parameter is associated with the Set-AIPScannerConfiguration and is called -DiscoverInformationTypes.  When this property is set to All, the scanner uses any custom conditions that you have specified for labels in the Azure Information Protection policy, and the list of information types that are available to specify for labels in the Azure Information Protection policy. When you use this option, labels do not need to be configured for any conditions.  Keep in mind that this setting only does discovery.  If you would like to classify and protect the identified items, you will need to configure automatic conditions on your labels to classify/protect the documents based on information type (AIP P2/EMS E5) or use PowerShell to classify and protect the entire repository (AIP P1/EMS E3).

The command below will allow you to scan your repositories against all information types

PS C:\> Set-AIPScannerConfiguration -Enforce Off -Schedule OneTime -Type Full -DiscoverInformationTypes All

After running the scan, you can review the logs by opening the Azure Information Protection event log or you can view the detailed logs at C:\users\<Scanner Service Account Profile>\appdata\local\Microsoft\MSIP\Scanner\Reports.  There you will find the summary txt and detailed csv files.

If you need assistance installing the AIP Scanner, please see my previous blog at

Let me know if you have any questions. Thanks!