Configuring AIP Scanner

Azure Information Protection (AIP) scanner provides option to discover, classify and protect files from following locations:

Local folders
UNC paths for network shares that use CIFS protocol
Site libraries for Sharepoint Server 2013 & 2016

AIP Scanner can be very helpful when classification needs to be done automatically at on-premises and I assume that many of my clients who are not using AIP as they could, can have huge benefit of AIP Scanner at the future. When AIP labeling has been configured beforehand files, that scanner discovers can also be automatically labeled.

Pre-requirements

Windows Server 2012R2 or 2016, virtual or physical
Can be configured with Internet connection or disconnected mode
SQL Server 2012 is minimum (Enterprise, Standard or Express)
Service Account which runs the scanner services needs following permissions to Windows Server: Log on locally, Log on as a Service, permissions to data repositories. Read if using only discovery mode, read & write if using classification and protection mode
Azure Information Client installed to Server
Configure labels that apply automatic classification and protection

The Lab

I have following lab environment:
1 Domain Controller
1 ADFS which has AAD Connect installed
1 WAP server
1 W2016 server for AIP Scanner

Install AIP Scanner

Fill all the pre-requirements above
Logon to Server with service account created earlier
Install-AIPScanner -SqlServerInstance SQLSERVER1\SQLEXPRESS – I’m using SQL Express in my scenario

When configuration finished I face first error, problem with creating database which was fixed with the help of my collegue.

I installed SQL management studio and added SA permissions to my service account. After permissions were correctly in place AIP scanner installation went smoothly through.

4. Register two applications to Azure AD with necessary permissions in place. Docs.microsoft.com instructions found from here. When applications has been registered AIP Scanner needs to be configured to use those applications and label files non-interactively (explanation from docs.microsoft.com)

By default, when you run the cmdlets for labeling, the commands run in your own user context in an interactive PowerShell session. To run them unattended, create a new Azure AD user account for this purpose. Then, in the context of that user, run the Set-AIPAuthentication cmdlet to set and store credentials by using an access token from Azure AD. This user account is then authenticated and bootstrapped for the Azure Rights Management service. The account downloads the Azure Information Protection policy and any Rights Management templates that the labels use.

5. Command to run (application ID and Keys from tenant)

Set-AIPAuthentication -webAppId <ID of the “Web app / API” application> -webAppKey <key value generated in the “Web app / API” application> -nativeAppId <ID of the “Native” application >

I faced next problem during authentication and was not abel to acquire a token from Azure AD.

I have been working quite a long time with ADFS and federation I knew where to investigate more about this error. I used ADFSDiagnostics module to track events regarding ActivityID above and found event that used authentication method is not supported by ADFS.

I was logged to server in internal network which was joined to on-premises AD, and received forms based authentication. That meant I needed to check supported authentication methods from ADFS.

I added Forms based authentication supported to Intranet section.