Forum Discussion
AIP scanner not discovering sensitivity content
- Mar 28, 2026
Hi kirh
Even if the AIP scanner is healthy, content discovery can fail due to policy, configuration or scan scope issues.
Possible causes may include:
1. Policy not in scanner profile scope
The custom SIT is included in a label or auto-labeling policy, but the policy is not assigned to the scanner or is set to simulate only.
Fix: Ensure the correct labeling policy is published to “On‑premises locations” and assigned to the scanner profile user account, commonly the SVC_Scanner account (which is the onprem-scanner admin account), with enforcement enabled.
2. Custom SIT not suitable for data at‑rest scanning
Custom SIT uses confidence levels, regex or supporting elements that work for emails but do not match file content as stored.
Fix: Test the SIT by uploading different combinations of test content in Purview and validate it against actual file content (plain text, not images or encrypted files).
4. Check the confidence level of the custom SIT
Auto-labeling conditions require multiple matches, so content may have been skipped.
Fix: Temporarily lower the custom SIT confidence thresholds to confirm detection and then tune later.
5. File types not supported or excluded
The files may be unsupported formats, encrypted, password‑protected, or explicitly excluded in the scanner profile.
Fix: Confirm the file types are supported and not excluded. Ensure files are readable and not encrypted.
6. Check for permission issues with the scanner account (this is the most common issue)
The scanner service account does not have read access to the target folders or files.
Fix: Grant read access at share and NTFS level and validate access using the scanner service account.
If you find the answer useful, please do not forget to like and mark it as a solution🙂
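
An added example, not part of the reply above: one way to check items 5 and 6 from the scanner's point of view, using only built-in PowerShell and .NET calls (no scanner cmdlets). The UNC path is a placeholder, and the script assumes it is run in a session started as the scanner service account.

```powershell
# Added example (not from the original reply). Run it in a session started as the
# scanner service account so the result reflects that account's share and NTFS rights.
param(
    # Placeholder UNC path: substitute a repository from the scanner's content scan job.
    [string]$RepositoryPath = '\\fileserver\share\finance'
)

function Test-ScannerReadAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Folders the account cannot list are collected in $listErrors instead of stopping the walk.
    $files = Get-ChildItem -LiteralPath $Path -File -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable listErrors

    foreach ($e in $listErrors) {
        [pscustomobject]@{
            Path = [string]$e.TargetObject; Extension = ''
            Readable = $false; Reason = $e.Exception.Message
        }
    }

    foreach ($f in $files) {
        $reason = ''
        $stream = $null
        try {
            # Read-only open; sharing ReadWrite so files in use are not reported as denied.
            $stream = [IO.File]::Open($f.FullName, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
            $null = $stream.ReadByte()   # force an actual read, not just a handle
        } catch {
            $reason = $_.Exception.GetBaseException().Message
        } finally {
            if ($stream) { $stream.Dispose() }
        }
        [pscustomobject]@{
            Path = $f.FullName; Extension = $f.Extension.ToLower()
            Readable = ($reason -eq ''); Reason = $reason
        }
    }
}

$results = @(Test-ScannerReadAccess -Path $RepositoryPath)

# Item 6: files and folders the account could not list or read.
$results | Where-Object { -not $_.Readable } | Format-Table Path, Reason -AutoSize -Wrap

# Item 5: file-type inventory to compare with the types included or excluded in the scan job.
$results | Where-Object Readable | Group-Object Extension |
    Sort-Object Count -Descending | Select-Object Count, Name
```

An empty first table means the account can read everything under the path, which rules out item 6 and points back to policy scope, the SIT, or file types.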