Azure Information Protection (AIP) scanner provides option to discover, classify and protect files from following locations:

  • Local folders
  • UNC paths for network shares that use CIFS protocol
  • Site libraries for Sharepoint Server 2013 & 2016

AIP Scanner can be very helpful when classification needs to be done automatically at on-premises and I assume that many of my clients who are not using AIP as they could, can have huge benefit of AIP Scanner at the future.  When AIP labeling has been configured beforehand files, that scanner discovers can also be automatically labeled.


  • Windows Server 2012R2 or 2016, virtual or physical
  • Can be configured with Internet connection or disconnected mode
  • SQL Server 2012 is minimum (Enterprise, Standard or Express)
  • Service Account which runs the scanner services needs following permissions to Windows Server: Log on locally, Log on as a Service, permissions to data repositories. Read if using only discovery mode, read & write if using classification and protection mode
  • Azure Information Client installed to Server
  • Configure labels that apply automatic classification and protection


The Lab

  • I have following lab environment:
  • 1 Domain Controller
  • 1 ADFS which has AAD Connect installed
  • 1 WAP server
  • 1 W2016 server for AIP Scanner


Install AIP Scanner

  1. Fill all the pre-requirements above
  2. Logon to Server with service account created earlier
  3. Install-AIPScanner -SqlServerInstance SQLSERVER1\SQLEXPRESS – I’m using SQL Express in my scenario

When configuration finished I face first error, problem with creating database which was fixed with the help of my collegue.


I installed SQL management studio and added SA permissions to my service account. After permissions were correctly in place AIP scanner installation went smoothly through.

4. Register two applications to Azure AD with necessary permissions in place. instructions found from here. When applications has been registered AIP Scanner needs to be configured to use those applications and label files non-interactively (explanation from

By default, when you run the cmdlets for labeling, the commands run in your own user context in an interactive PowerShell session. To run them unattended, create a new Azure AD user account for this purpose. Then, in the context of that user, run the Set-AIPAuthentication cmdlet to set and store credentials by using an access token from Azure AD. This user account is then authenticated and bootstrapped for the Azure Rights Management service. The account downloads the Azure Information Protection policy and any Rights Management templates that the labels use.

5. Command to run (application ID and Keys from tenant)

  • Set-AIPAuthentication -webAppId <ID of the “Web app / API” application> -webAppKey <key value generated in the “Web app / API” application> -nativeAppId <ID of the “Native” application >

I faced next problem during authentication and was not abel to acquire a token from Azure AD.



I have been working quite a long time with ADFS and federation I knew where to investigate more about this error. I used ADFSDiagnostics module to track events regarding ActivityID above and found event that used authentication method is not supported by ADFS.

I was logged to server in internal network which was joined to on-premises AD, and received forms based authentication. That meant I needed to check supported authentication methods from ADFS.

I added Forms based authentication supported to Intranet section.


Next authentication went through without problems

When performing first authentication AIPClient application needs authorization and permission to user profile


Finally application was able to acquire the access token



Testing the AIP scanner

By default scanner is running at discover mode. Repositories needs to be added and commands can be found from here.

Add-AIPScannerRepository -path “folder path” – adds folder

Remove-AIPScannerRepository – removes folder

Get-AIPScannerRepository – shows current repositories

Get-AIPScannerConfiguration – shows current configuration



Scan report is saved to ” %localappdata%\Microsoft\MSIP\Scanner\Reports


More information

How to label files non-interactively for Azure Information Protection

Add AIP Scanner Repository


In part 2 I’ll dig more into automatic classification and protection.