Microsoft is building a new capability within its Purview compliance platform that allows administrators to scan every existing file in SharePoint and OneDrive for sensitive information—even if that data hasn’t been touched in years. The feature, Roadmap ID 499076, targets a growing compliance headache: dormant data that may be riddled with personally identifiable information (PII), trade secrets, or classified material but has never been systematically assessed.
What the Upgrade Changes for Data-at-Rest Scanning
Today, Microsoft Purview’s automatic labeling policies typically kick in when a file is created, modified, or shared. That leaves a massive blind spot: millions of documents, spreadsheets, and PDFs that predate a tenant’s classification rules and haven’t been opened in months or years sit untouched in SharePoint document libraries and OneDrive accounts.
Roadmap ID 499076 flips the script. Once deployed, compliance admins will be able to trigger on-demand scans against specific SharePoint sites, document libraries, or OneDrive user folders—retroactively hunting for predefined sensitive information types (credit card numbers, Social Security numbers, health records, custom regex patterns, and more). The scan inspects the content itself, not just the metadata, applying the same deep content analysis that Purview uses for real-time classification.
Key technical nuances:
- The feature is scoped to SharePoint Online and OneDrive for Business. On-premises SharePoint farms aren’t covered.
- Admins can target scans by site collection, folder path, or user principal. Pilot groups are strongly encouraged before broad rollouts.
- Detected matches can trigger automatic labeling, policy tips, or alerts—just like live classification events.
- Microsoft hasn’t disclosed performance envelopes, but early signals suggest throttling mechanisms to avoid overwhelming SharePoint search and indexing infrastructure. Plan scans during off-peak hours for large libraries.
- The feature lives in the Microsoft Purview compliance portal (compliance.microsoft.com) under Data Classification > Scanners (or a soon-to-be-added “On-demand scans” node).
Why Dormant Data Is a Ticking Time Bomb
The regulatory landscape has shifted seismically. Executive Order 14028 and OMB memoranda require federal agencies to identify and protect all sensitive data—active or dormant. Commercial sectors face similar pressure from GDPR, CCPA, and industry-specific mandates like HIPAA and PCI DSS. Dormant data often falls outside routine governance because it’s not part of active workflows, yet it frequently contains some of the most sensitive records: old contracts with SSNs, engineering drawings, legacy employee files, and merger-and-acquisition artifacts.
Compliance auditors have started specifically probing “data at rest” scanning capabilities. In government clouds (GCC, GCC High, DoD), meeting CMMC 2.0 Level 3 or FedRAMP High assessments increasingly demands proof that all stored data—regardless of when it was last accessed—is classified and protected according to its sensitivity.
Who Gains the Most—and Who Must Move Now
Compliance and data governance officers: This is your new best friend. Instead of exporting data to third-party eDiscovery tools or writing PowerShell scripts to crawl file contents, you can now build a sustainable, repeatable process directly inside Purview. Integrate scans with Retention labels to auto-delete or auto-archive low-value stale data after review, reducing storage costs.
IT admins and SharePoint farm managers: Prepare for a resource-intensive rollout. Content scanning at scale will consume tenant search capacity and temporarily increase transaction counts. Budget for after-hours execution windows, clear communication to site owners, and possibly a tiered approach: start with high-risk sites (Finance, HR, Legal) before tackling broad departmental drives.
End users: Most employees won’t see a change unless the scan discovers violations. If your organization configures automatic remediation, you might receive policy tip emails or discover that a file you haven’t touched for four years is suddenly locked behind sensitivity labels. Organizations should educate users beforehand that “old files aren’t invisible to compliance.”
Government cloud tenants: Take note of circulating reports that tie Roadmap ID 499076 to a December 2026 deadline. While Microsoft’s public roadmap description doesn’t explicitly mention a hard cutoff, independent tracking of catalog updates suggests that government clouds aiming for CMMC 2.0 or modernized FedRAMP assessment may be expected to have completed a comprehensive dormant-data scan by that date. Failing to do so could risk authorization to operate or complicate future audit cycles.
Planning Your Scan Strategy: Actionable Steps
Even before Microsoft lights up the feature (expected in a phased rollout across commercial clouds later this year, with government clouds typically trailing), you can lay the groundwork.
-
Inventory dormant locations. Use the SharePoint Admin Center and OneDrive Admin Center to list sites and users with no recent activity. Purview’s Activity explorer can help identify untagged or under-tagged content pools.
-
Define your sensitive information types (SITs). Beyond the built-in templates, craft custom SITs for internal project codes, proprietary formulas, or contract references that are unique to your business.
-
Run a pilot. Apply the on-demand scan on a small test library containing known sensitive data, then review results for false positives/negatives before expanding.
-
Set up automatic labeling and remediation policies early. A scan that only reports findings is a missed opportunity. Link detection events to auto-labeling and, where appropriate, auto-encryption. Plan a rollout schedule—don’t blast-label everything at once, or you’ll flood your service desk with permission-restore tickets.
-
Check your licensing. On-demand file scanning in Purview typically requires Microsoft 365 E5 Compliance, E5 Information Protection & Governance, or equivalent add-on licenses for every user whose data you scan. Government tenants should verify GCC or GCC High eligibility.
-
Prepare for the December 2026 rumor. If your organization operates in a regulated space, treat this as a planning milestone. Build a project timeline that assumes the on-demand scan must be completed and all findings remediated by mid-2026 to allow for a comfortable cushion.
The Bigger Picture: AI and Data Governance Convergence
This feature arrives just as Microsoft Copilot and other generative AI tools are beginning to index enterprise content. Unclassified dormant data could inadvertently surface in Copilot queries, exposing PII or trade secrets to employees who shouldn’t see them. A robust, retroactive classification sweep is no longer just about compliance checkboxes; it’s a prerequisite for safe AI adoption.
Microsoft hasn’t announced native integration between Purview on-demand scans and Copilot’s indexing pipeline yet, but the trajectory is clear. Expect tighter ties between data classification and AI readiness in future roadmap items. For now, treat Roadmap ID 499076 as your call to action: get your dormant data classified before your competitors—or your regulators—force the issue.