The Azure Information Protection (AIP) scanner provides the option to discover, classify and protect files in the following locations:
- Local folders
- UNC paths for network shares that use the CIFS protocol
- Document libraries on SharePoint Server 2013 and 2016
AIP Scanner can be very helpful when classification needs to be done automatically on-premises, and I assume that many of my clients who are not using AIP as they could will benefit greatly from AIP Scanner in the future. When AIP labeling has been configured beforehand, files that the scanner discovers can also be labeled automatically.
Prerequisites
- Windows Server 2012 R2 or 2016, virtual or physical
- Can run with an Internet connection or in disconnected mode
- SQL Server 2012 or later (Enterprise, Standard or Express)
- A service account that runs the scanner service, with the following rights on the Windows Server: Log on locally, Log on as a service, and permissions on the data repositories: Read only if using discovery mode, Read and Write if using classification and protection mode
- Azure Information Protection client installed on the server
- Labels configured that apply automatic classification and protection
The Lab
I have the following lab environment:
- 1 Domain Controller
- 1 ADFS server with AAD Connect installed
- 1 WAP server
- 1 Windows Server 2016 for the AIP Scanner
Install AIP Scanner
- Meet all the prerequisites above
- Log on to the server with the service account created earlier
- Run Install-AIPScanner -SqlServerInstance SQLSERVER1\SQLEXPRESS (I'm using SQL Express in my scenario)
When the configuration finished I faced the first error, a problem with creating the database, which was fixed with the help of my colleague.
I installed SQL Management Studio and added SA permissions to my service account. After the permissions were correctly in place, the AIP scanner installation went through smoothly.
- Register two applications in Azure AD with the necessary permissions in place. The docs.microsoft.com instructions are found here. When the applications have been registered, the AIP Scanner needs to be configured to use those applications and label files non-interactively (explanation from docs.microsoft.com):
By default, when you run the cmdlets for labeling, the commands run in your own user context in an interactive PowerShell session. To run them unattended, create a new Azure AD user account for this purpose. Then, in the context of that user, run the Set-AIPAuthentication cmdlet to set and store credentials by using an access token from Azure AD. This user account is then authenticated and bootstrapped for the Azure Rights Management service. The account downloads the Azure Information Protection policy and any Rights Management templates that the labels use.
- Command to run (application IDs and key from the tenant):
Set-AIPAuthentication -webAppId <ID of the "Web app / API" application> -webAppKey <key value generated in the "Web app / API" application> -nativeAppId <ID of the "Native" application>
I faced the next problem during authentication and was not able to acquire a token from Azure AD.
Having worked quite a long time with ADFS and federation, I knew where to investigate this error. I used the ADFSDiagnostics module to track events regarding the ActivityID above and found an event stating that the authentication method used is not supported by ADFS.
I was logged on to a server in the internal network, joined to the on-premises AD, and received forms-based authentication. That meant I needed to check the supported authentication methods in ADFS.
I added Forms based authentication as supported in the Intranet section.
The next authentication went through without problems.
When performing the first authentication, the AIPClient application needs authorization and permission to the user profile.
Finally the application was able to acquire the access token.
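The two steps described above (correlating the failed token request with the ADFS events for its ActivityID, then enabling Forms authentication for the intranet policy) can be done from PowerShell on the AD FS server. This is an added example and not code from the original post or from the ADFSDiagnostics module; it uses the built-in AD FS event log and the AdfsGlobalAuthenticationPolicy cmdlets instead. The ActivityID value is a placeholder to be replaced with the one from your own Set-AIPAuthentication error.

```powershell
# Added example (not from the original post). Assumptions: run in an elevated
# PowerShell session on the AD FS server; $activityId is a placeholder taken
# from your own Set-AIPAuthentication error output.
$activityId = '00000000-0000-0000-0000-000000000000'   # placeholder

# 1. Pull the AD FS Admin events correlated with that ActivityID. This is the
#    same data the ADFSDiagnostics module walks through, read directly from
#    the event log with an XPath filter on the Correlation element.
$xpath = "*[System[Correlation[@ActivityID='{$activityId}']]]"
Get-WinEvent -LogName 'AD FS/Admin' -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 2. Inspect which primary authentication providers the global policy allows
#    for intranet and extranet clients.
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# 3. Add Forms authentication to the intranet list only if it is missing,
#    keeping whatever is already configured (typically WindowsAuthentication)
#    so that existing intranet sign-ins keep working.
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'FormsAuthentication') {
    $providers = @($policy.PrimaryIntranetAuthenticationProvider) + 'FormsAuthentication'
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $providers
    "Added FormsAuthentication to the intranet policy."
} else {
    "FormsAuthentication is already enabled for intranet clients."
}

# 4. Verify the resulting intranet provider list.
(Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
```

Set-AdfsGlobalAuthenticationPolicy changes the policy for every relying party on the farm, not just for the AIP bootstrap, so agree the change with the AD FS owner and consider removing Forms authentication from the intranet list again once the scanner account has been bootstrapped.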
Testing the AIP scanner
By default the scanner runs in discovery mode. Repositories need to be added; the commands can be found here.
Add-AIPScannerRepository -Path "folder path" adds a folder
Remove-AIPScannerRepository removes a folder
Get-AIPScannerRepository shows the current repositories
Get-AIPScannerConfiguration shows the current configuration
Scan reports are saved to %localappdata%\Microsoft\MSIP\Scanner\Reports
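Putting the repository commands together with a first discovery-mode run and a look at the resulting report, as an added example that is not part of the original post. The share paths are constructed; the service name AIPScanner and the CSV report naming are assumed from the scanner defaults of that client version, and the report path only resolves correctly when the script runs as the scanner service account, since %localappdata% belongs to that account's profile.

```powershell
# Added example (not from the original post). Assumptions: run as the scanner
# service account on the scanner server after Set-AIPAuthentication succeeded;
# the repository paths are made up; 'AIPScanner' as the service name and *.csv
# as the detailed report format are assumed from the scanner defaults.
$repositories = @('\\fileserver\finance', 'D:\Data\HR')   # constructed paths

# 1. Register each repository. Adding a path that is already registered
#    raises an error, which is reported and skipped rather than aborting.
foreach ($repo in $repositories) {
    try {
        Add-AIPScannerRepository -Path $repo
        "Added repository $repo"
    } catch {
        Write-Warning "Could not add $repo : $($_.Exception.Message)"
    }
}

# 2. Confirm the repositories and the current configuration. With the default
#    configuration the scanner only discovers and reports; nothing is labeled.
Get-AIPScannerRepository
Get-AIPScannerConfiguration

# 3. Start the scanner service and confirm it is running.
Start-Service -Name 'AIPScanner'   # assumed service name
Get-Service -Name 'AIPScanner' | Select-Object Name, Status

# 4. Inspect the newest detailed report. Reports are written under the profile
#    of the account the service runs as, so $env:LOCALAPPDATA must belong to
#    the service account for this path to be correct.
$reportDir = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Scanner\Reports'
$latest = Get-ChildItem -Path $reportDir -Filter '*.csv' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
if ($latest) {
    $rows = @(Import-Csv -Path $latest.FullName)
    "Report: $($latest.Name) ($($rows.Count) rows)"
    $rows | Select-Object -First 5 | Format-Table -AutoSize
} else {
    "No CSV report found yet in $reportDir (the scan may still be running)."
}
```

Because discovery mode needs only Read access on the repositories, this run is safe to perform with the read-only permissions from the prerequisites; Write access is only required once the scanner is switched to classify and protect files.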
More information
How to label files non-interactively for Azure Information Protection
In part 2 I’ll dig more into automatic classification and protection.
I had read this topic before but did not comment; now I am leaving a comment. I am waiting for the continuation in the next topics.