Share via

On-demand classification

Microsoft Purview on-demand classification identifies and classifies sensitive content in historical data stored in SharePoint, OneDrive, and endpoints. This extends the classification capabilities to files that haven't been classified or modified for a long time, have never been classified or need updated classification on previously classified files.

Note

On-demand classification for endpoints is available in preview and limited to Windows 10 and 11 devices with the latest updates installed.

As data volumes grow and AI tools become more deeply integrated into daily work, the risk of exposing unlabeled or unprotected information increases—especially when that data sits untouched in SharePoint or OneDrive. To help close these gaps, Microsoft Purview now offers on-demand classification: a targeted way to scan and identify files at rest, using your latest sensitive information types and classification policies. This gives admins more control to protect inactive content that might otherwise be missed by real-time systems.

On-demand classification in Microsoft Purview offers a targeted way to scan and label files at rest, using your current sensitive information types and classification policies. This gives admins more control to protect inactive content that might otherwise be missed by real-time systems.

On-demand classification taken with Information Protection’s continuous classification brings a two-pronged approach to keeping sensitive items aligned with your organizations latest security policies.

With on-demand classification, organizations can:

  • Extend protection to previously unclassified or inactive files, increasing overall coverage
  • Strengthen data protection across your environment without relying on end-user actions
  • Reduce the risk of AI tools surfacing unlabeled or unprotected information and do it all natively, without exporting your data or relying on fragmented tools

SKU/subscriptions licensing

For information on licensing, see

Permissions

To run a scan, you must be a member of the following role group:

  • Compliance Administrator

To view classification results, you must be a member of one of these role groups:

  • Content Explorer Content Viewer
  • Content Explorer List Viewer

Create an on-demand classification scan

  1. Sign in to the Microsoft Purview portal

  2. Navigate to Data loss prevention > Classifiers > On-demand classification or Information Protection > Classifiers > On-demand classification

  3. Select New scan.

  4. Follow the instructions of the wizard. During this process, you'll define the following:

    • Name and description
    • Scope and location - You can choose to scan all SharePoint sites and OneDrive accounts, only specific ones, or skip certain sites and accounts from the scan. For endpoint devices, you can scope the scan by users.
    • Classifiers to scan for
    • File last modified date range you want to scan
    • File extentions you want to scan

    After you complete the wizard, the estimation process begins. The duration depends on the scope of the scan.

    Note

    By default, the scan includes all items created or modified within the past year, across all supported file extensions. It also includes every available classifier configured in your tenant. If you choose to scan for specific classifiers, you can select up to 50 at a time.

  5. From the On-demand classification list view, select the scan you created.

  6. Select View estimation.

    Note

    After reviewing the estimates, you can edit the scan to narrow or expand the scope. Select Edit scan and rerun simulation.

  7. Select Start classification.

Analyze on-demand classification results

  1. From the On-demand classification page, select a scan from the list.
  2. Select View estimation.
  3. On the Estimation overview tab, review scan results, including progress, items found, and estimated cost. Optionally, you can cancel in-progress scans by selecting Cancel Scan.
  4. On the Items for review tab, review specific items found during the scan. You can filter and export the result.

Devices not responding are ones that haven’t sent any signals for over 72 hours. Devices with expired scan validity haven’t had a valid scan in the last 72 hours either.

Additional considerations

  • Classification can begin up to 30 days after estimation, but minimizing the gap ensures greater accuracy in final counts and costs.

Applies to SharePoint and OneDrive

  • Each scan can process up to 50,000 locations and 20 million files. These limits are enforced based on scan estimation results.
  • If specific classifiers are selected during a scan, only those classifiers will have their classification results updated for the scanned files. Other classifiers present in the files may remain unevaluated and might not trigger their associated policies.
  • If a location is in scope of multiple active scans, it will be processed successfully by only one scan and marked skipped for others.
  • Each file, once scanned, is evaluated against Data Loss Prevention (DLP), Information Protection (MIP), Data Lifecycle Management (DLM), and Insider Risk Management (IRM) policies, triggering appropriate actions as per matching policies.
  • Content Explorer updates within seven days of scanning to reflect newly classified content.

Applies to Windows 10/11 endpoints

  • Ensure that the machine has a minimum four virtual processors and a minimum of 4,096 MB memory.

  • Each device is limited to 2GB of data discovery bandwidth per rolling 24-hour period (independent of DLP). Scanning pauses once the limit is reached and resumes after 24 hours.

  • Only devices that successfully complete estimation are included in classification.

  • In addition to DLP-excluded paths, certain system folders are automatically excluded from data discovery.

    %WinDir%
    %ProgramFiles%
    %ProgramFiles(x86)%
    %SystemDrive%\Windows.old
    %SystemDrive%\Users\*(1)\Application Data
    %SystemDrive%\Users\*(1)\AppData\Local\Application Data
    %SystemDrive%\Users\*(1)\Local Settings\Application Data
    %SystemDrive%\Documents and Settings\*(1)\Application Data
    %SystemDrive%\Documents and Settings\*(1)\AppData\Local\Application Data
    %SystemDrive%\Documents and Settings\*(1)\Local Settings\Application Data
    %ProgramData%\Application Data
    %ProgramData%\Microsoft\Windows\WER\

See Also

Learn about trainable classifiers
Learn about sensitive information types
Deploy an information protection solution with Microsoft Purview