Forum Discussion
AIP scanner not discovering sensitivity content
I am deploying the Purview Information Protection AIP scanner to scan some of the on‑premises Windows file shares and some network file shares that are in scope for compliance and data protection. However, the scanner is not discovering sensitive content within files stored on the share for a custom configured SIT.
The custom SIT is tested and it works properly, but the data is being reported as "no matches / no sensitive content found" when trying to discover the files to which a sensitivity label may be applied.
This issue is observed across one or more mapped repository paths and may be inconsistent by folder, file type or file size. I noticed the scanner appears “healthy”: the service is running, the repository is configured and schedules are enabled.
Hi kirh
Even if the AIP scanner is healthy, content discovery can fail due to policy, configuration or scan scope issues.
Possible causes may include:
1. Policy not in scanner profile scope
The custom SIT is included in a label or auto-labeling policy, but the policy is not assigned to the scanner or is set to simulate only.
Fix: Ensure the correct labeling policy is published to “On‑premises locations” and assigned to the scanner profile user account, commonly the SVC_Scanner account (which is the onprem-scanner admin account), with enforcement enabled.
2. Custom SIT not suitable for data at‑rest scanning
The custom SIT uses confidence levels, regex or supporting elements that work for emails but do not match file content as stored.
Fix: Test the SIT by uploading different combinations of test content in Purview and validate it against actual file content (plain text, not images or encrypted files).
4. Check the confidence level of the custom SIT
Auto-labeling conditions require multiple matches, so content may have been skipped.
Fix: Temporarily lower the custom SIT confidence thresholds to confirm detection and then tune later.
5. File types not supported or excluded
The files may be unsupported formats, encrypted, password‑protected, or explicitly excluded in the scanner profile.
Fix: Confirm the file types are supported and not excluded. Ensure files are readable and not encrypted.
6. Check for permissions issues with the scanner account (this is the most common issue)
The scanner service account does not have read access to the target folders or files.
Fix: Grant read access at share and NTFS level and validate access using the scanner service account.
If you find the answer useful, please do not forget to like and mark it as a solution🙂
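The file-type, encryption and permission checks from points 5 and 6 of the answer above can be run in one pass over a repository path. This PowerShell sketch is an added example, not part of the original reply and not a scanner cmdlet; the UNC path, the excluded-extension list and the function name `Test-ScannerReadability` are assumptions to replace with your own values, and it should be run in a session started as the scanner service account so the result reflects that account's share and NTFS access.

```powershell
# Added example. Run as the scanner service account so the open attempts
# exercise that account's share-level and NTFS-level read access.
$RepositoryPath     = '\\fileserver01\finance'      # placeholder UNC path
$ExcludedExtensions = @('.lnk', '.exe', '.dll')     # constructed list; copy yours from the scan job settings

function Test-ScannerReadability {
    param([string]$Path, [string[]]$Excluded)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable listErrors |
        ForEach-Object {
            $file   = $_
            $reason = 'Readable'
            if ($Excluded -contains $file.Extension) {
                $reason = 'ExcludedExtension'
            }
            elseif ($file.Attributes -band [IO.FileAttributes]::Encrypted) {
                $reason = 'EfsEncrypted'            # NTFS-encrypted file
            }
            else {
                try {
                    # Open for read only, without blocking other readers or writers
                    $stream = [IO.File]::Open($file.FullName, [IO.FileMode]::Open,
                        [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
                    $stream.Dispose()
                }
                catch {
                    # e.g. UnauthorizedAccessException or IOException
                    $reason = $_.Exception.GetBaseException().GetType().Name
                }
            }
            [pscustomobject]@{ Reason = $reason; Extension = $file.Extension; Path = $file.FullName }
        }

    # Folders the account could not even enumerate
    foreach ($e in $listErrors) {
        [pscustomobject]@{ Reason = 'FolderNotListable'; Extension = ''; Path = [string]$e.TargetObject }
    }
}

$results = Test-ScannerReadability -Path $RepositoryPath -Excluded $ExcludedExtensions
$results | Group-Object Reason | Sort-Object Count -Descending | Select-Object Count, Name
$results | Where-Object Reason -ne 'Readable' | Select-Object -First 20 Reason, Path
```

Any bucket other than `Readable` lists files that this account cannot open or that the extension list excludes; password-protected documents still open at the file level, so they will not show up here.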