Get started with the data loss prevention on-premises scanner


Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement and the What is Microsoft Purview? article.

This article walks you through the prerequisites and configuration for the Microsoft Purview data loss prevention on-premises scanner.

Before you begin

SKU/subscriptions licensing

Before you get started with DLP on-premises scanner, you should confirm your Microsoft 365 subscription and any add-ons. The admin account that sets up the DLP rules must be assigned one of the following licenses:

  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Microsoft 365 E5 Information Protection & Governance

For full licensing details see: Microsoft 365 licensing guidance for security & compliance


All users who contribute to the scanned location either by adding files or consuming files need to have a license, not just the scanner user.


Data from DLP on-premises scanner can be viewed in Activity explorer. There are four roles that grant permission to activity explorer, the account you use for accessing the data must be a member of any one of them.

  • Global administrator
  • Compliance administrator
  • Security administrator
  • Compliance data administrator

Roles and Role Groups in preview

There are roles and role groups in preview that you can test out to fine tune your access controls.

Here's a list of applicable roles that are in preview. To learn more about them, see Roles in the Security & Compliance Center

  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups that are in preview. To learn more about the, see Role groups in the Security & Compliance Center

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

DLP on-premises scanner prerequisites

Deploy the DLP on-premises scanner

  1. Follow the procedures in Install the AIP unified labeling client.

  2. Follow the procedures in Configuring and installing the Azure Information Protection unified labeling scanner to complete the scanner installation.

    1. Network discovery jobs configuration is an optional step. You can skip it and define specific repositories to be scanned in your content scan job.
    2. You must create content scan job and specify the repositories that host files that need to be evaluated by the DLP engine.
    3. Enable DLP rules in the created Content scan job, and set the Enforce option to Off, unless you want to proceed directly to the DLP enforcement stage.
  3. Verify that you content scan job is assigned to the right cluster. If you still did not create a content scan job create a new one and assign it to the cluster that contains the scanner nodes.

  4. Connect to the Azure Information Protection extension in Azure portal and add your repositories to the content scan job that will perform the scan.

  5. Do one of the following to run your scan:

    1. set the scanner schedule
    2. use the manual Scan Now option in the portal
    3. or run Start-AIPScan PowerShell cmdlet


    Remember that the scanner runs a delta scan of the repository by default and the files that were already scanned in the previous scan cycle will be skipped unless the file was changed or you initiated a full rescan. Full rescan can be initiated by using Rescan all files option in the UI or by running Start-AIPScan-Reset.

  6. Open the Data loss prevention page in the Microsoft Purview compliance portal.

  7. Choose Create policy and create a test DLP policy. See Create a DLP policy from a template if you need help creating a policy. Be sure to run it in test until you are comfortable with this feature. Use these parameters for your policy:

    1. Scope the DLP on-premises scanner rule to specific locations if needed. If you scope locations to All, all files scanned by the scanner will be subject to the DLP rule matching and enforcement.
    2. When specifying the locations, you can use either exclusion or inclusion list. You can either define that the rule is relevant only to paths matching one of the patterns listed in inclusion list or, all files, except the files matching the pattern listed in inclusion list. No local paths are supported. Here are some examples of valid paths:
    • \\server\share
    • \\server\share\folder1\subfolderabc
    • *\folder1
    • *secret*.docx
    • *secret*.*
    • https:// sp2010.local/sites/HR
    • https://*/HR
    1. Here are some examples of unacceptable values use:
    • *
    • *\a
    • Aaa
    • c:\
    • C:\test


The exclusion list takes precedence over the inclusions list.

Viewing DLP on-premises scanner alerts in DLP Alerts Management dashboard

  1. Open the Data loss prevention page in the Microsoft Purview compliance portal and select Alerts.

  2. Refer to the procedures in How to configure and view alerts for your DLP policies to view alerts for your Endpoint DLP policies.

Viewing DLP on-premises scanner in activity explorer and audit log


The on-premises scanner requires that auditing be enabled. In Microsoft 365 auditing is enabled by default.

  1. Open the Data classification page for your domain in the Microsoft Purview compliance portal and select Activity explorer.

  2. Refer to the procedures in Get started with Activity explorer to access and filter all the data for your on-premises scanner locations.

  3. Open the Audit log in the Compliance center. The DLP rule matches are available in Audit log UI or accessible by Search-UnifiedAuditLog PowerShell

Next steps

Now that you have deployed a test policy for DLP on-premises locations and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items.

See also