zenodj
Apr 01, 2026

PURVIEW - SCANNER ACCOUNT MISMATCH

Hello

I have a strange issue with the scanner.
Setup is fine and discovery is fine. In Activity explorer we see the discovered files; the issue is in the USER column, which reports not the dedicated scanner user but the Purview admin user.

We also tried opening a case with MS, but no one responded.

Any suggestions?

 

Thanks

Zeno

 

1 Reply

  • Hi zenodj​ 

    Activity explorer is built from the Microsoft 365 unified audit log and shows both the user identity and the audit events recorded by the Purview AIP scanner, i.e. the scanner logs discovery/label actions into the unified audit log.

    Let's look at two possibilities for why the User column is showing the Purview admin and not the scanner account.

    1. If the scanner is using a token that was acquired interactively by a Purview admin, the audit event can show that admin as the “User” even though the scanner service is doing its work.
    2. The AIP scanner runs as a Windows service, so this must be configured/authenticated correctly (cluster, nodes, token) in Purview.

    The root cause could be that the scanner node is authenticated using the Purview admin account instead of the scanner admin account.

    The solution here is to re-authenticate the scanner using the dedicated scanner account.  Please follow these steps.

    1. Confirm the scanner Windows service account

    On the scanner server: Services -> find Microsoft Purview Information Protection scanner (or AIP scanner service). Now check that Log On As = your dedicated scanner service account.

    2. Re-run authentication explicitly for the scanner account

    On the AIP scanner server, open PowerShell (in admin mode) and re-authenticate on behalf of the scanner service account (do NOT use your admin identity for the token used by the service).

    If you already configured Set-Authentication, repeat it, ensuring it's tied to the scanner service account (usually SVC_Scanner), then restart the scanner service.

    3. Restart the scanner service and run a small test scan

    Restart the scanner service. Configure a small repository with fewer files in the job to run the scan. Monitor the progress.

    When I did this configuration, I experienced similar issues. Upon restarting the AIP scanner server, not just the service, it started working successfully.

    Now the new events in Activity explorer should list the actual service account name instead of the Purview admin user.

    Ensure the scanner service account is a dedicated account, either a domain account or a gMSA, which is preferred. Ensure least privilege on the scanner account.

     

    If you find the answer useful and you appreciate my time, please do not forget to like and mark it as a solution 🙂
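The three steps from the reply above, as an added PowerShell example that is not part of the original thread and not the poster's own script. It assumes a domain service account (not a gMSA), the `Set-Authentication` cmdlet from the scanner's PowerShell module with an app registration already created, and a service display name matching the one mentioned in the reply; the account names and IDs are placeholders.

```powershell
# Added example: every value in this block is a placeholder or assumption.
$ExpectedAccount = 'CONTOSO\SVC_Scanner'          # dedicated scanner service account (placeholder domain)
$DelegatedUser   = 'svc_scanner@contoso.example'  # cloud identity the token is issued for (placeholder)
$AppId           = '<app-registration-client-id>' # placeholder
$TenantId        = '<tenant-id>'                  # placeholder

# Step 1: find the scanner service and check its "Log On As" identity.
# The display-name filter is an assumption based on the name given in the reply.
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like '*Information Protection*canner*' }
if (-not $svc) { throw 'Scanner service not found on this machine.' }
if (@($svc).Count -gt 1) { throw 'More than one matching service; narrow the filter.' }

'{0} runs as {1} (state: {2})' -f $svc.Name, $svc.StartName, $svc.State
if ($svc.StartName -ne $ExpectedAccount) {   # -ne is case-insensitive
    throw "Service logs on as '$($svc.StartName)', expected '$ExpectedAccount'. Fix Log On As first."
}

# Step 2: acquire the token on behalf of the service account, so the cached
# token belongs to the scanner identity and not to the admin running this shell.
$svcCred   = Get-Credential -UserName $ExpectedAccount -Message 'Scanner service account password'
$secure    = Read-Host -Prompt 'App registration secret' -AsSecureString
$appSecret = [System.Net.NetworkCredential]::new('', $secure).Password

Set-Authentication -AppId $AppId -AppSecret $appSecret -TenantId $TenantId `
    -DelegatedUser $DelegatedUser -OnBehalfOf $svcCred

# Step 3: restart the service so it picks up the new token, then confirm it is running.
Restart-Service -Name $svc.Name
Get-Service -Name $svc.Name | Select-Object Name, Status
```

After a small test scan, new Activity explorer events are the place to confirm that the User column now shows the service account.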