This article is contributed. See the original author and article here.

Microsoft Information Protection is a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. Microsoft Information Protection provides a unified set of capabilities to know your data, protect your data, and prevent data loss across cloud services, devices, and on-premises file shares.

For data you have in file shares and SharePoint sites on-premises, scanner helps you discover the sensitive content and enables you to automatically label and protect it per policy you have configured in the Microsoft 365 compliance center. Every month, billions of files are scanned and protected on-premises using scanners by hundreds of different organizations to comply with internal policy and external regulations.

But customers looking to discover and protect sensitive data on premises are faced with two challenges. One is knowing where to start. This challenge is compounded by the fact that new content and new file shares are being constantly created by your end users. The second challenge is determining how to prioritize scanning among the thousands of repositories with petabytes of data. The new network discovery feature within a scanner, that is part of the latest Q3 preview, helps you tackle both these challenges. You can now use this as a step zero in your on-premises data discovery journey to map your file shares and identify the overexposed file shares to prioritize. The network discovery feature of the scanner enables you to target your IP ranges, or specific IPs, to find the shares hosted in these networks and use access information to identify overexposed file shares.

With this nee network discovery feature of the scanner it’s a matter of few hours to scan class B subnets with 65K IP addresses. Once the network discovery is finished the admins get a report of all shares, their share permissions, NTFS permissions and effective access to a standard user with access to the network. The report includes a hint on what shares are open to Everyone / Authenticated Users / Domain Users, which helps admins to identify assets that can be accessed by to anybody with physical access to your network. The next step will be triaging the discovered file repositories and adding them to a content scan job for deeper investigation.

The new methodology for on-premises scanner deployment includes four steps:

  • First – define the target repositories that might contain sensitive information. With the new network discovery feature that was just released you can now map your file shares by scanning IP ranges and feeding the results into deep file content inspection
  • Second – inspection of files stored in the scanned file shares and SharePoint on-premises sites. The goal of this step is to discover what sensitive information is stored in these files.
  • Third – apply MIP sensitivity labels on files. Labeling enables end users to be aware of file sensitivity and handle the files according to the organization’s policy, and allows other systems, for example DLP, to use sensitivity labels for data exposure mitigation.
  • Last step – apply protection per MIP policy on most sensitive files that require right management enforcement.


 Figure 1: Microsoft Information Protection methodology for implementation of on-premises scanner for data at rest

So, how can you start? Download the latest preview release and upgrade your existing scanner deployment or install a fresh new deployment. Once the setup is completed you use PowerShell cmdlet to create the Network Discovery service and create a new Network scan job that contains a list of the IP ranges you would like to scan.

After configuring the network scan job and allocating a scanner cluster to execute it, the scan will start according to the schedule. Once the scan is completed all the discovered file shares will be listed under Repositories blade. You can filter the discovered repositories by setting “Discovered By” filter to “Network scan”.



Figure 2: Network scan results

You can now review the results and select the repositories you would like to add to the deep scan using the Content scan job.

Similar to the existing scanner deployments you can also use Network discovery with offline configuration or in air-gap scenarios. In this case your results will be available in the Report folder under scanner account profile at %localappdata%MicrosoftMSIPScannerReports.


As always, we encourage you to download the bits, deploy and share your feedback on Yammer community to help us to build the best product to meet your security needs.



Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.