Azure Information Protection scanner gets new central management, and many other new features!
Published Jan 22 2019 08:51 AM


We’ve seen massive adoption of the Azure Information Protection (AIP) scanner from the time we made it generally available earlier in 2018. Customers have used the AIP scanner to discover, classify and protect their sensitive information in on-premises repositories. The scanner has also gained significant usage in helping customers achieve GDPR compliance.

Customers have requested additional features to help them better adopt the AIP scanner in large production environments, and scan petabytes of data across different geo-locations and domains. We’ve heard your feedback and today we’re announcing a new scanner UI.


New AIP scanner management UI is here!

Today we are announcing the public preview of the ability to manage AIP scanner configuration and scanned repositories in one central place, using the Azure portal. You can now manage multiple scanners without signing in to the Windows computers running the scanner, set whether the scanner runs in Discovery or Enforcement mode, configure which sensitive information types are discovered, and set repository-related settings such as the file types scanned, the default label, etc. Configuration from the Azure portal helps your deployments be more centralized, manageable, and scalable.



Figure 1. Scanner profiles management page that enables admins to set scanner configuration.


To make the admin’s life easier we created a repository default that can be set one time on the profile level and can be reused for all added repositories. You can still adjust settings for each repository in case you have a repository that requires some special treatment. For example, you no longer need to create a separate profile for discovery and policy enforcement. You can now set the same scanner to crawl two repositories using different modes: one mode to discover and one mode to label and protect. It’s extremely useful when you want to add new repositories to an existing scanner deployment - you continue to label and protect your existing repositories and just add another repository to the same profile in discovery mode. You do not need to run a new scanner instance every time you want to crawl new repositories with special settings.

You can learn more about the new scanner UI from Configure the scanner in the Azure portal. If you upgrade your existing scanners to the new version, you will have to recreate your scanning profiles in the Azure portal. You can use the Import option for bulk import of multiple repositories (up to 1000 repositories in a single import). After you create the profile, use the Update-AIPScanner PowerShell command to tell the scanner to use this profile. More about the upgrade procedure can be found in Upgrading the Azure Information Protection scanner.


General availability of AIP scanner operational UI

At the Microsoft Ignite conference in Orlando last year, we announced the public preview of the AIP scanner operational UI. Today we’re announcing that this is now generally available. The AIP scanner operational UI helps you run your operations remotely using a few simple clicks.  Now you can:

  • Monitor the status of all scanner nodes in the organization in a single place
  • Get scanner version and scanning statistics
  • Initiate on-demand incremental scans or run full rescans without having to sign in to the computers running the scanners



Figure 2. Scanner nodes management blade that enables admins to get the current status of all scanners in the organization


Single SQL instance for all your scanners

In the past, you had to maintain one SQL Server instance per scanner node. With the latest update, the scanner database reflects the profile name, which allows a single SQL Server instance to be used by multiple scanner nodes.

This has been one of the most requested features, and now it is available for you!


More file types – PDF, ZIP and more

PDF Files: Following the Adobe integration announcement and introduction of the new ISO standard for PDF encryption that allows PDF protection without changing the file extension, we have aligned the AIP scanner to work with PDF files exactly as it works with Office files: label and protect PDF files by default. AIP scanner now uses the new PDF protection format recognized by Adobe.

ZIP Files: ZIP is a pretty common file type on file servers and we support it now. You can now enable the AIP scanner to scan zip files when you install the Office Filter Pack. For more information, see How to scan .zip files.

TIFF Files: We have enabled support for TIFF files as well. To enable OCR recognition in TIFF files, follow the instructions for enabling the OCR filter in To inspect .tiff files by using OCR.


Microsoft IT uses AIP scanner

With these new capabilities, the AIP scanner is easier to deploy and manage, and helps provide more comprehensive protection of your sensitive information. Our own Microsoft IT replaced a 3rd party DLP solution by using AIP scanners to crawl millions of files a month. You can read more about it in the following showcase: Automating data protection with Azure Information Protection scanner.


Next steps

The latest client version with these new capabilities can be found at For detailed instructions to set up the new AIP scanner, see Deploying the preview version of the Azure Information Protection scanner to automatically classify ....


Your feedback is valuable and helps us better understand what you need from your information protection strategy. We encourage you to try the new features and share your feedback using our Yammer community.





Last update: May 11 2021 03:14 PM