Configure AIP Scanner


Overview of AIP Scanner

Azure Information Protection classifies documents and, based on that classification, applies protection. Microsoft added the AIP scanner to perform this document classification automatically: once files are discovered, an AIP label is applied, and the protection tied to that label follows automatically. In the same way, protection can also be removed.

The scanner inspects files that Windows can index, using the iFilters installed on the computer. It can therefore classify and protect these files where needed.
The scanner can be used in two modes:

  • Discovery mode only: reports are produced showing which files are likely to be protected, so it is easy to know which label would be applied to the scanned files.
  • Run the scanner to apply labels automatically: the scanner discovers the files and, if they contain sensitive information, applies the labels automatically.

Note that scanning is not performed in real time: cycles run according to the configuration, either once or repeatedly. To restrict the scan to certain file types, define the file type list with the PowerShell cmdlet Set-AIPScannerScannedFileTypes.

Prerequisites for AIP Scanner

The AIP scanner requires the following prerequisites to be met.
Windows Server

  • Windows Server 2016 or Windows Server 2012 R2
  • Physical or virtual server with 4 GB of RAM and a 4-core processor
  • 10 GB of disk space for temporary files

SQL Server
SQL Server is used to store the scanner configuration.

  • SQL Server 2012 or later
  • SQL Server Enterprise, Standard or Express

Service account

  • The account must be an Active Directory account synchronized to Azure AD.
  • The account must have the Log on locally and Log on as a service rights.
  • The account must have Read and Write permissions on the data repositories.
  • The account must be a super user for the Azure Rights Management service.

Configure AIP Scanner

Install AIP Scanner
SQL Server is already installed on the server. Next, download and install the Azure Information Protection client from the link below:

Azure Information Protection client

Configure AIP Scanner

Install the Azure Information Protection client and restart the server.

Configure AIP Scanner

Launch a PowerShell prompt as administrator and run the following command to install the scanner:

  • Install-AIPScanner -SqlServerInstance "<database server name>"

Enter the credentials (the service account used for SQL Server) and click OK.

Enter credential for AIP Scanner

AIP Scanner is now correctly installed.

AIP Scanner is configured

Installation is finished; you now need to obtain an Azure AD token for the scanner. In the Azure portal, click Azure Active Directory, then App registrations.

Create the app registration used for authentication

In the central panel, click New application registration. In the Name field, enter the desired name and select Web app / API in the Application type drop-down list. Click Create to proceed.

Configure AIP Scanner

In the central panel, select the previously created application.

Configure the authentication application

Copy the Application ID (it is used as the WebAppId parameter in the later PowerShell command), then open the application's settings.

Copy the application ID

In the Required permissions blade, click Grant Permissions, then Yes.

Configure AIP Scanner

Select Keys and enter a key description. Choose an expiration date and click Save. The key value appears in the field; copy it now, because it is used as the WebAppKey parameter in the later PowerShell command.

Select an expiration date for the scanner key

Next, create a second application with the following settings:

  • Application name: AIPClient
  • Application type: Native
  • Redirect URL: http://localhost

Configure application on Azure

Copy the Application ID (it is used as the NativeAppId parameter in the later PowerShell command), then open the application's settings.

Configure authentication

Click Required permissions, then Add.

Configure permission

In the Required permissions blade, click Grant Permissions, then Yes. Click Select an API and enter the name of the first application you created.

Configure AIP Scanner

On the Select permissions tab, select the application and click Select, then Done to confirm the configuration. Both applications are now created. On the Windows server that hosts the AIP scanner, run the following PowerShell command:

  • Set-AIPAuthentication -WebAppId "<Application ID of the first application, AIPApp>" -WebAppKey "<key generated for AIPApp>" -NativeAppId "<Application ID of the second application, AIPClient>"

Copy application key

A new window appears; enter the admin account of your tenant and click Next, then enter the password and click Sign in.

Configure AIP Scanner

The application token has now been acquired.
Data stores for the scanner

To specify a location to scan, use the Add-AIPScannerRepository cmdlet. You can specify a local directory path or the URL of a SharePoint Server site or library.

On the server with the AIP scanner role, enter the following command to add the directory "Chapitres" to the scanner repositories. Replace "Chapitres" with the name of your own directory.

  • Add-AIPScannerRepository -Path "C:\Chapitres"

Repeat this command for every data store you want to scan. To remove a data store, use the Remove-AIPScannerRepository cmdlet.

Add AIP Scanner repository

You can list the configured data stores with the Get-AIPScannerRepository cmdlet.

Verify the AIP configuration

Run a discovery cycle
Azure Information Protection itself has already been configured: a policy and a label have been created. You need to configure the label so that it is applied automatically.

Configure label AIP Scanner

From the Windows Services console, start the Azure Information Protection Scanner service.

Start the scanner service

The discovery cycle is now running; wait for it to finish. When the cycle completes, the service stops and an event with ID 911 is written to the Applications and Services Logs / Azure Information Protection log.

The event is present

To run another discovery cycle, first run this command, then start the service again:

  • Set-AIPScannerConfiguration -Enforce Off -ReportLevel Info -Schedule OneTime -Type Full
  • Start-Service AIPScanner (to start the Azure Information Protection Scanner service again)

For more detail, consult the reports, which are stored in %localappdata%\Microsoft\MSIP\Scanner\Reports (the local application data folder of the account the scanner service runs under).
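The discovery workflow above (register the data stores, run one non-enforcing cycle, wait for the service to stop, confirm event 911, then review the report) as a single PowerShell script. This is an added example, not code from the original post; it assumes the scanner is already installed and authenticated, that the service is named AIPScanner, that the Windows event log is named "Azure Information Protection", and that Get-AIPScannerRepository exposes a Path property. The repository paths are constructed sample values.

```powershell
# Added example: one discovery-only cycle of the AIP scanner, with a check that it completed.
$Repositories = @('C:\Chapitres', 'C:\Shares\Finance')   # constructed sample paths; replace with your own
$ServiceName  = 'AIPScanner'                             # assumed service name (the post starts it with Start-Service)
$LogName      = 'Azure Information Protection'           # assumed log name under Applications and Services Logs
$ReportDir    = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Scanner\Reports'

# 1. Register each data store once. Assumes the repository objects carry a Path property.
$existing = @(Get-AIPScannerRepository | Select-Object -ExpandProperty Path)
foreach ($path in $Repositories) {
    if ($existing -notcontains $path) {
        Add-AIPScannerRepository -Path $path
    }
}

# 2. Discovery only: report everything, apply no labels, run one full pass.
Set-AIPScannerConfiguration -Enforce Off -ReportLevel Info -Schedule OneTime -Type Full

# 3. Remember when this cycle started so only its events are counted, then start the service.
$cycleStart = Get-Date
Start-Service -Name $ServiceName

# 4. In OneTime mode the service stops itself when the cycle is complete; poll until it does.
while ((Get-Service -Name $ServiceName).Status -ne 'Stopped') {
    Start-Sleep -Seconds 30
}

# 5. Event ID 911 marks the end of a cycle. If it is missing, the cycle did not finish normally,
#    so do not move on to -Enforce On yet.
$done = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 911; StartTime = $cycleStart } `
                     -ErrorAction SilentlyContinue
if (-not $done) {
    Write-Warning "No event 911 found in '$LogName' since $cycleStart; check the scanner log before enabling enforcement."
    return
}

# 6. Point at the newest report so the discovery results can be reviewed before enforcing.
Get-ChildItem -Path $ReportDir -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 FullName, LastWriteTime
```

Run it in the same elevated PowerShell session used for the commands above, under an account that can start the service and read the scanner account's report folder.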

Run the scanner to apply classification
Once the test results are satisfactory, configure the scanner to apply protection to the files. In the PowerShell console, run the following command:

  • Set-AIPScannerConfiguration -Enforce On -Schedule Continuous

Configure AIP Scanner

Now start the Azure Information Protection Scanner service (Start-Service AIPScanner in PowerShell) and configure it for automatic startup.
Your files are now discovered, classified and protected.

Document is protected
