πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided SC-401 Domain 1
Domain 1 β€” Module 8 of 8 100%
8 of 25 overall

SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types Free
  • Custom Sensitive Info Types: Build Your Own Free
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection Free
  • Sensitivity Labels: Create & Protect Free
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring

SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types Free
  • Custom Sensitive Info Types: Build Your Own Free
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection Free
  • Sensitivity Labels: Create & Protect Free
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring
Domain 1: Implement Information Protection Premium ⏱ ~12 min read

Purview IP Client: Classify Files at Scale

Extend sensitivity labels beyond the cloud. The Microsoft Purview Information Protection client and scanner classify files on Windows devices, network file shares, and on-premises SharePoint libraries.

Why do you need an on-premises solution?

β˜• Simple explanation

Imagine your house alarm only works when you are home. Helpful, but what about when you go to work?

Microsoft 365 sensitivity labels work brilliantly in the cloud β€” SharePoint, OneDrive, Exchange, Teams. But what about the file server in the basement? The shared network drive with 10 years of documents? The on-premises SharePoint farm that has not been migrated yet?

The Purview Information Protection client extends labels to Windows desktop apps (Word, Excel, PowerPoint, Outlook) and File Explorer. The Information Protection scanner crawls your file servers and on-premises SharePoint libraries, discovering and auto-labeling sensitive data at scale β€” like deploying a robot that reads every file in every cabinet and stamps it with the right classification.

The Microsoft Purview Information Protection client (formerly Azure Information Protection unified labeling client) is a Windows application that extends sensitivity labeling and protection to desktop Office apps, File Explorer, and PowerShell. It enables users to apply labels manually and provides right-click classification in File Explorer.

The Information Protection scanner is a service that runs on a Windows Server to discover, classify, and optionally protect files on network file shares (SMB/NFS) and on-premises SharePoint Server (2013, 2016, 2019) document libraries. It uses the same SITs and sensitivity labels configured in Microsoft Purview, providing a unified classification approach across cloud and on-premises.

The Information Protection client

What it enables

CapabilityWithout ClientWith Client
Labels in OfficeBuilt-in labeling in M365 Apps (cloud-connected)Same + enhanced features for complex scenarios
File Explorer labelingNot availableRight-click any file to apply or view a sensitivity label
PowerShell classificationNot availableBulk label files via Set-AIPFileLabel cmdlet
Protected file viewerView protected PDFs in browserOpen protected PDFs, images, and text files natively
Track & revokeNot available for on-prem filesTrack who accessed protected files, revoke access

Built-in labeling vs the IP client

Microsoft 365 Apps include built-in sensitivity labeling. The IP client adds features on top:

Built-in labeling handles most scenarios; the IP client adds File Explorer and PowerShell for on-prem
FeatureBuilt-in Labeling (M365 Apps)Purview IP Client
Available inWord, Excel, PowerPoint, Outlook (M365 Apps)Same + File Explorer + PowerShell
Cloud-connected?Yes β€” labels from Purview portalYes β€” same labels, same policies
File Explorer supportNoYes β€” right-click to classify any file type
PowerShell cmdletsNoYes β€” Set-AIPFileLabel, Get-AIPFileStatus
Non-Office filesLimitedClassify and protect PDFs, images, text files, CAD files
InstallationShips with M365 Apps (no extra install)Separate download and deployment
Recommended forMost organisations β€” default choiceOrganisations with on-prem file classification needs or non-Office file types
πŸ’‘ Exam tip: built-in vs client β€” when to use which

Microsoft recommends built-in labeling for most organisations. The IP client is needed when you require:

  • File Explorer right-click labeling β€” classify files outside Office apps
  • PowerShell bulk operations β€” label thousands of files programmatically
  • Non-Office file protection β€” PDFs, images, text files, CAD drawings
  • On-premises scanner β€” the scanner component requires the IP client infrastructure

On the exam, if a scenario involves on-premises file classification or non-Office file types, the IP client is the answer.

The Information Protection scanner

The scanner is the workhorse for on-premises classification β€” it crawls file repositories, discovers sensitive data, and applies labels automatically.

How the scanner works

PhaseWhat Happens
1. InstallDeploy the scanner service on a Windows Server in your network
2. ConfigureIn the Purview portal, create a scanner cluster and content scan job
3. DiscoveryThe scanner crawls configured repositories and reports what it finds
4. EnforceOptionally auto-label files based on SIT matches and label policies

Scanner requirements

RequirementDetail
Server OSWindows Server 2016, 2019, or 2022
SQL ServerLocal or remote SQL Server instance for the scanner database
Network accessServer must reach file shares and SharePoint farms
Service accountEntra ID service principal with Purview permissions
Client installedPurview IP client must be installed on the scanner server

Scanner modes

Always start with discovery mode before enabling enforcement
FeatureDiscovery ModeEnforce Mode
What it doesScans and reports β€” does not change any filesScans, reports, AND applies labels to files
Use caseInitial assessment β€” see what sensitive data existsOngoing classification β€” automatically label files
Risk levelZero risk β€” read-only operationMedium β€” modifies files by adding labels/protection
Recommended first?Yes β€” always start hereAfter reviewing discovery results

What the scanner can scan

Repository TypeSupported?
Network file shares (SMB)Yes β€” UNC paths
SharePoint Server 2013Yes
SharePoint Server 2016Yes
SharePoint Server 2019Yes
SharePoint OnlineNo β€” use auto-labeling policies for cloud SharePoint
OneDriveNo β€” use auto-labeling policies
NFS sharesYes (with configuration)
πŸ’‘ Scenario: Dr. Liam scans the hospital file server

St. Harbour Health has a legacy file server with 2 million documents accumulated over 15 years β€” patient records, administrative files, research data, and old HR documents. Nobody knows exactly what sensitive data is in there.

Dr. Liam deploys the scanner:

  1. Discovery mode first: Scans the entire server over a weekend. Results: 340,000 documents contain patient health identifiers, 28,000 contain financial data, 95,000 contain employee PII.
  2. Review: Dr. Liam reviews the discovery report with the compliance team and confirms the label mapping.
  3. Enforce mode: Enables auto-labeling. β€œPatient Data β€” Confidential” label applied to the 340,000 PHI documents. β€œInternal β€” Financial” applied to financial data.
  4. Schedule: Scanner runs nightly to catch new files.

Content scan jobs

A content scan job defines WHAT the scanner looks at:

SettingWhat It Configures
RepositoriesList of file share paths and/or SharePoint URLs
File typesWhich file types to scan (all, or a filtered list)
Label policyWhich auto-labeling rules to apply
Default labelApply a specific label to all files that match no other rule
RelabelWhether to change existing labels or leave labelled files alone
ScheduleOne-time scan or recurring (daily, weekly)
Question

What is the difference between the Purview IP client and the Information Protection scanner?

Click or press Enter to reveal answer

Answer

The IP client is installed on Windows devices to enable File Explorer labeling, PowerShell classification, and non-Office file protection for individual users. The scanner is a service on a Windows Server that crawls file shares and on-premises SharePoint libraries to discover and auto-label files at scale. The scanner uses the IP client infrastructure.

Click to flip back
Question

Should you start the Information Protection scanner in discovery mode or enforce mode?

Click or press Enter to reveal answer

Answer

Always start in discovery mode. Discovery scans and reports what sensitive data exists without changing any files. After reviewing the results, switch to enforce mode to automatically apply labels. This reduces the risk of unintended labeling.

Click to flip back
Question

Can the Information Protection scanner scan SharePoint Online?

Click or press Enter to reveal answer

Answer

No. The scanner is designed for on-premises repositories β€” network file shares and SharePoint Server (2013, 2016, 2019). For SharePoint Online, use service-side auto-labeling policies in the Purview portal.

Click to flip back
Knowledge Check

Dr. Liam needs to classify 2 million files on an on-premises file server at St. Harbour Health. The files include Word documents, PDFs, images, and proprietary medical formats. He has never scanned this server before. What should he do FIRST?
Knowledge Check

Zara at Atlas Global needs HR staff to classify employee documents stored locally on their Windows laptops β€” not in SharePoint or OneDrive, but local files. The documents include PDFs and TIFF scans of employment contracts. What solution should she deploy?

🎬 Video coming soon

Domain 1 complete! You now know how to classify, label, encrypt, and scan data across cloud and on-premises.

Next up: DLP Foundations: Stop Data Leaks β€” Domain 2 begins with the policies that enforce your classification work.

← Previous

Email Encryption: Lock Down Messages

Next β†’

DLP Foundations: Stop Data Leaks

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.