In a world where organizations store data across Azure, Microsoft 365, and on-premises servers, maintaining visibility, protection, and compliance can feel overwhelming.
This is where Microsoft Purview brings everything together — unifying data governance and information protection into one intelligent platform.
But one common question I often hear from clients and IT teams is:
👉 “When should I use Purview Data Governance, and when do I need the Purview Scanner?”
Let’s break it down.
🔷 1. What Is Microsoft Purview Data Governance?
Microsoft Purview Data Governance (powered by the Unified Catalog) focuses on discovering, cataloging, and governing your organization’s data — primarily in cloud and structured data sources.
Think of it as the data map of your entire estate.
It tells you:
- What data you have
- Where it resides
- Who owns it
- How it’s connected and classified
🧩 Core Capabilities
| Feature | Description |
|---|---|
| 🔍 Data Discovery & Cataloging | Scans and registers data sources across Azure, Microsoft 365, and beyond. |
| 🧭 Data Lineage | Tracks how data moves between systems (e.g., Data Factory → Synapse → Power BI). |
| 🏷️ Classification | Automatically tags structured data with built-in or custom sensitivity types (like PII, PCI, or HR). |
| 👥 Ownership & Glossary | Assigns business owners and glossary terms to datasets for better governance. |
| 📈 Compliance Insights | Shows where regulated data (GDPR, NIS2, etc.) exists. |
🏗️ Architecture
- Fully cloud-based, no local installation.
- Scans structured or semi-structured sources such as:
  - Azure SQL
  - Azure Data Lake
  - Synapse Analytics
  - Power BI
  - Microsoft Fabric
✅ You use it when you want to map, classify, and govern your enterprise data across Azure and SaaS platforms.
🟨 2. What Is the Microsoft Purview Information Protection Scanner?
The Purview Information Protection Scanner (previously known as AIP Scanner) extends Purview’s classification and labeling to on-premises or unstructured data.
It’s a local Windows service you install on your file servers or SharePoint servers.
The scanner connects securely to Microsoft Purview in the cloud, and then scans, classifies, and labels content on-prem — just like it does in Microsoft 365.
🧩 Core Capabilities
| Feature | Description |
|---|---|
| 🗂️ On-Premises Data Discovery | Scans file shares, network drives, and SharePoint Server libraries. |
| 🔐 Automatic Labeling & Protection | Applies sensitivity labels and encrypts confidential documents. |
| 🔎 Hybrid Visibility | Extends Purview’s discovery to data stored outside the cloud. |
| 🧾 Compliance Reporting | Sends scan and classification results to the Purview portal for centralized visibility. |
⚙️ Architecture
- Installed on Windows Server(s).
- Connects to your Purview tenant via Azure App Registration and a scanner service account.
- Reports results back to Purview Unified Catalog and the Compliance portal.
✅ You use it when you want to find, classify, and protect sensitive data stored on file servers or legacy SharePoint sites.
🔗 3. How They Work Together
| Capability | Purview Data Governance | Purview Scanner |
|---|---|---|
| Purpose | Catalog and classify cloud & structured data | Scan and label unstructured data |
| Deployment | Cloud-based (Azure) | On-premises agent |
| Data Type | Structured / semi-structured | Unstructured (files, docs) |
| Output | Metadata, data map, lineage | Sensitivity labels, classification logs |
| Audience | Data engineers, governance teams | Security & compliance admins |
| Best Use | Data visibility & governance | Data protection & compliance enforcement |
Together, they form a hybrid data protection and governance ecosystem:
- Data Governance → builds your map of all data assets.
- Information Protection Scanner → labels and protects the sensitive data wherever it resides.
🧭 4. Real-World Example
Imagine your organization has:
- Azure SQL and Data Lake for analytics
- SharePoint Online and OneDrive for collaboration
- On-premises file servers for archived projects
You would:
- Deploy Purview Data Governance to scan Azure SQL, Data Lake, and Power BI datasets.
- Install the Purview Scanner to classify and label sensitive files on your on-prem file servers.
- View all results in the Unified Purview portal, under a single compliance and governance view.
This hybrid approach ensures no data is left unmanaged or unprotected, regardless of where it’s stored.
🧩 5. When to Choose Each
| If your goal is to… | Use this |
|---|---|
| Build a central data map and metadata catalog | 🟦 Purview Data Governance |
| Scan, label, and protect on-premises files or SharePoint | 🟨 Purview Information Protection Scanner |
| Achieve complete hybrid data visibility and protection | ✅ Use both together |
💬 Final Thoughts
Microsoft Purview is not just a compliance platform — it’s the foundation of modern data governance and security.
- Use Purview Data Governance to know your data.
- Use the Purview Information Protection Scanner to protect your data.
Together, they deliver visibility, control, and compliance across your entire digital estate — from Azure to on-premises.