Forum Discussion
Need help with MSIP Scanner
Hello, I was hoping to get some help with our on prem MSIP Scanner.
start-scannerDiagnostics command looks good below. But the scan just keeps running and never finishes.
The MSIPScanner log file keeps filling up with the info below and keeps repeating.
Scanner information:
SQL server: <NAME>.
Cluster: <ClusterName>.
Scanner user: <domain>\UserName
Connectivity check for: https://login.windows.net/common completed successfully
Connectivity check for: https://dataservice.protection.outlook.com completed successfully
Connectivity check for: https://api.aadrm.com/ completed successfully
Database check completed successfully
Authentication check completed successfully
Content scan job check completed successfully
Configuration check completed successfully
Logs exported to: C:\Users\<UserName>\AppData\Local\Microsoft\MSIP\DiagnosticsLogs.zip
No issues found.
Info 2025-05-23 11:43:01.9029 MSIP.Lib MSIP.Scanner (3904) Getting RMS token, authority: https://login.windows.net/common, resource: https://api.aadrm.com/ <DOMAIN>\User 39
Info 2025-05-23 11:43:01.9029 MSIP.Lib MSIP.Scanner (3904) "Scanner status content: {""DurationInSeconds"":0.0,""TotalScannedFiles"":0,""FailedFiles"":0,""TotalScannedMB"":0,""ProfileName"":""Albion1"",""ProfileTimestamp"":""2025-05-23T12:23:37.07Z"",""CurrentScanId"":""512dc554-7f68-4ba2-b81b-2b79819c7cd8"",""ResetCacheAccepted"":false,""NodeName"":""msscanner.albion.edu"",""Status"":1,""ClientVersion"":""3.1.105.0""}. CorrelationId: 6c25b9f9-189d-429d-aead-97bac6a9ad89" <DOMAIN>\User 39
Info 2025-05-23 11:43:02.1998 MSIP.Lib MSIP.Scanner (3904) "Got configuration from service: {""scanNow"":false,""resetNow"":false,""stopScan"":false,""rescanOnNextCycle"":false,""profileCurrentScanId"":""512dc554-7f68-4ba2-b81b-2b79819c7cd8"",""profile"":null}" <DOMAIN>\User 18
4 Replies
According to the May 2025 Microsoft Learn documentation, for a scan job to start scanning content, you must ensure that:
At least one data repository (like a file share or SharePoint Server site) is defined and accessible;
At least one scan rule is assigned to the scan job, which either applies a sensitivity label or uses a detection condition (such as a SIT);
The scanner profile is published and active, and the scanner service account has read access to the paths in the scan rule.
Even if all other diagnostics pass — authentication, database, connectivity —, the scanner will sit idle with TotalScannedFiles: 0 and profile: null if the configuration is not actionable. To resolve this, revisit your scan profile in the Purview portal, confirm that it's linked to a valid scan rule, ensure the paths are reachable from the scanner node, and republish the configuration. Restarting the scanner service after that typically forces it to pull the updated profile and begin scanning.
Also, make sure you have set the correct config in your Purview Portal settings for scanning. The read only scanner, which only scans and does not apply labels or make any changes, requires a correct set of configurations. I made the same mistake, and it was fixed after a little research last year.Hello Ankit, Thank you so much for the reply! I think our scanner has a few issues and we resolved at least one of them. Our scanner was stuck, and clearing the files in %LocalAppData%\\Microsoft\\MSIP\\mip\\<processname>\\mip, then running start-scannerDiagnostics -ResetConfig and then finally running start-scan -reset seems to have helped it along. We can now run scans and they will complete, however there is still an issue with the results. The content scan job results show it's essentially failing on every file and in the logs it show "Failed, Repository configuration incorrect. No action to apply" even though we have set "Info types to be discovered - ALL" and I know for certain there are SSN's and other sensitive files in this location. We do not have any DLP Rules configured at this time, and don't want to take action on the files. Our hope is that we can use the scanner to identify sensitive information types, and add their record to the Information Protection Activity Explorer, and then export this to a spreadsheet to manually work with customers to delete their files.
We are looking fantastic now, everything is working, and the issue was exactly as you described and we found some additional details here https://alberthoitingh.com/2020/12/08/handeling-errors-information-protection-scanner/
We did not have the setting "Label files based on content" enabled because I thought it would mess with the files, but turns out, this is required for the scanner to inspect the files for sensitivity types.
