On-demand classification

Microsoft Purview on-demand classification identifies and classifies sensitive content in historical data stored in SharePoint, OneDrive, and endpoints. This feature extends the classification capabilities to files that aren't classified or modified for a long time, files that are never classified, or files that need updated classification on previously classified files.

As data volumes grow and AI tools become more deeply integrated into daily work, the risk of exposing unlabeled or unprotected information increases - especially when that data sits untouched in SharePoint or OneDrive. To help close these gaps, Microsoft Purview now offers on-demand classification: a targeted way to scan and identify files at rest, using your latest sensitive information types and classification policies. This feature gives admins more control to protect inactive content that might otherwise be missed by real-time systems.

On-demand classification in Microsoft Purview offers a targeted way to scan and label files at rest, using your current sensitive information types and classification policies. This feature gives admins more control to protect inactive content that might otherwise be missed by real-time systems.

On-demand classification taken with Information Protection’s continuous classification brings a two-pronged approach to keeping sensitive items aligned with your organization's latest security policies.

By using on-demand classification, organizations can:

  • Extend protection to previously unclassified or inactive files, increasing overall coverage.
  • Strengthen data protection across your environment without relying on end-user actions.
  • Reduce the risk of AI tools surfacing unlabeled or unprotected information. Do it all natively, without exporting your data or relying on fragmented tools.

SKU and subscriptions licensing

For information on licensing, see

Billing

This feature uses pay-as-you-go billing or per-user licensing for Microsoft Purview capabilities or both. To help you understand and manage your usage, Microsoft Purview provides a Usage center in the Microsoft Purview portal. For more information, see Manage pay-as-you-go and per-user licensing usage. To learn more about Purview billing, see Purview billing models..

Note

The actual billed amount may be lower than the estimated cost if some items or locations are skipped during the scan. Items can be skipped if they are empty files (excluded to avoid unnecessary billing), if the scan is canceled, or if the subscription expires before completion. Locations may be skipped if another scan is already running on the same location at the same time.

Permissions

To run a scan, you must be a member of the following role group:

  • Compliance Administrator

To view classification results, you must be a member of one of these role groups:

  • Content Explorer Content Viewer
  • Content Explorer List Viewer

Create an on-demand classification scan

  1. Sign in to the Microsoft Purview portal.

  2. Go to Data loss prevention > Classifiers > On-demand classification or Information Protection > Classifiers > On-demand classification.

  3. Select New scan.

  4. Follow the instructions in the wizard. During this process, you define the following settings:

    • Name and description
    • Scope and location - You can choose to scan all SharePoint sites and OneDrive accounts, only specific ones, or skip certain sites and accounts from the scan. For endpoint devices, you can scope the scan by users.
    • Classifiers to scan for
    • File last modified date range you want to scan
    • File extensions you want to scan

    After you complete the wizard, the estimation process begins. The duration depends on the scope of the scan.

    Note

    By default, the scan includes all items created or modified within the past year, across all supported file extensions. It also includes every available classifier configured in your tenant. If you choose to scan for specific classifiers, you can select up to 50 at a time.

  5. From the On-demand classification list view, select the scan you created.

  6. Select View estimation.

    Note

    After reviewing the estimates, you can edit the scan to narrow or expand the scope. Select Edit scan and rerun simulation.

  7. Select Start classification.

Analyze on-demand classification results

  1. From On-demand classification, select a scan from the list.
  2. Select View estimation.
  3. On the Estimation overview tab, review scan results, including progress, items found, and estimated cost. To cancel in-progress scans, select Cancel Scan.
  4. On the Items for review tab, review specific items found during the scan. You can filter and export the result.

Devices that don't respond are ones that don't send any signals for over 72 hours. Devices with expired scan validity don't have a valid scan in the last 72 hours.

Additional considerations

  • Classification can start up to 30 days after estimation, but minimizing the gap ensures greater accuracy in final counts and costs.
  • Tenants using EDM classifiers should be aware that On-Demand Classification scans (including estimation and classification) rescan previously classified files, which can increase overall scan costs. To mitigate this impact, tenants can exclude the EDM classifier from the scan scope.
  • Impact of classifier selection on scan cost: The classifiers selected for an on‑demand scan influence how many files are identified for processing. Scan cost is determined by the total number of files scanned—not the number of classifiers. Selecting a broader set of classifiers may increase the number of files in scope and raise overall cost. However, this approach ensures files are assessed against all relevant classifiers in a single scan, reducing the risk of missed sensitive data and limiting the need for additional scans later.

Applies to SharePoint and OneDrive

  • Each scan can process up to 150,000 locations and 100 million files. The system enforces these limits based on scan estimation results.

    Note

    In On-Demand Classification estimation scans (simulation), you see a difference between the number of matched locations and the number of users or accounts included in the scan scope. Simulation results are based on mailbox locations rather than unique users. A single user can have multiple mailboxes (for example, a primary mailbox along with archive or system mailboxes), and each mailbox is treated as a separate location during scanning. As a result, the total number of matched locations can exceed the number of users in scope, even when the scan is correctly applied at the user level.

  • If you select specific classifiers during a scan, only those classifiers have their classification results updated for the scanned files. Other classifiers present in the files might remain unevaluated and might not trigger their associated policies.

  • If a location is in scope of multiple active scans, only one scan processes it successfully and marks it skipped for others.

  • Each file, once scanned, is evaluated against Data Loss Prevention (DLP), Information Protection (MIP), Data Lifecycle Management (DLM), and Insider Risk Management (IRM) policies, triggering appropriate actions as per matching policies.

  • Content Explorer updates within seven days of scanning to reflect newly classified content.

  • Adaptive scopes for SharePoint on-demand classification let administrators define scan scope dynamically based on site attributes (such as URL, name, or metadata) instead of selecting sites manually. The scan automatically includes all sites that match the criteria and updates as sites change, enabling scalable, accurate coverage with minimal manual maintenance. To learn more, see Adaptive scopes.

  • Administrative units (AUs) for SharePoint on-demand classification let organizations scope and manage scans within defined administrative boundaries, enabling delegated administration across large or distributed environments. Administrators can create and manage scans only for sites within their assigned AUs, and access to scan configuration and results is limited to AU-scoped admins. This supports least-privilege access, simplifies ownership across regions or departments, and ensures alignment with existing governance in Microsoft Purview. For more information, see Administrative units in Microsoft Purview.

Applies to Windows 10/11 endpoints

  • Ensure that the machine has a minimum four virtual processors and a minimum of 4,096 MB memory.

  • Each device is limited to 2 GB of data discovery bandwidth per rolling 24-hour period (independent of DLP). Scanning pauses once the limit is reached and resumes after 24 hours.

  • Only devices that successfully complete estimation are included in classification.

  • In addition to DLP-excluded paths, certain system folders are automatically excluded from data discovery.

    %WinDir%
    %ProgramFiles%
    %ProgramFiles(x86)%
    %SystemDrive%\Windows.old
    %SystemDrive%\Users\*(1)\Application Data
    %SystemDrive%\Users\*(1)\AppData\Local\Application Data
    %SystemDrive%\Users\*(1)\Local Settings\Application Data
    %SystemDrive%\Documents and Settings\*(1)\Application Data
    %SystemDrive%\Documents and Settings\*(1)\AppData\Local\Application Data
    %SystemDrive%\Documents and Settings\*(1)\Local Settings\Application Data
    %ProgramData%\Application Data
    %ProgramData%\Microsoft\Windows\WER\

See also

Learn about trainable classifiers
Learn about sensitive information types
Deploy an information protection solution with Microsoft Purview

  • Last updated on