Overview of AIP Scanner
Azure Information Protection (AIP) classifies documents and applies protection based on that classification. Microsoft built the AIP scanner to classify documents automatically: once the scanner discovers a file, it applies the matching AIP label, and because the labeling is automatic, the protection the label carries is applied as well. In the same way, protection can also be removed.
The scanner inspects the files that Windows can index, using the iFilters installed on the computer. It can therefore classify and protect those files where needed.
The scanner can be used in two modes:
- Discovery mode only: the scanner produces reports showing which files are likely to be protected, so it is easy to see which label applies to each scanned file.
- Run the scanner to apply labels automatically: the scanner discovers the files and, when a file contains sensitive information, the labels are applied automatically.
Note that the scan is not performed in real time: cycles run according to the configuration, either once or repeatedly. To restrict the scan to certain file types, define the file type list with the PowerShell cmdlet Set-AIPScannerScannedFileTypes.
Prerequisites for AIP Scanner
The AIP scanner requires the following prerequisites to be met.
- Windows Server 2016 or Windows Server 2012 R2
- Physical or virtual server with 4 GB of RAM and 4 cores processor
- 10 GB of disk space for temporary files
SQL Server to store the scanner configuration
- SQL Server 2012 or later
- SQL Server Enterprise, Standard or Express
Service account for the scanner
- The account must be an Active Directory account synchronized to Azure AD.
- The account must have the Log on locally and Log on as a service rights.
- The account must have Read and Write permissions on the data repositories.
- The account must be a super user for the Azure Rights Management service.
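The prerequisites above are easy to verify before running the installer. The script below is an added example, not part of the original article: it checks the server sizing, the SQL Server port, the service account's "Log on as a service" right (read from the local security policy with secedit, which needs an elevated prompt) and a direct Read/Write ACE on each data store. SQLSERVER01, CONTOSO\svc-aipscanner and C:\Chapitres are placeholders.

```powershell
# Added example, not part of the original article: pre-flight check of the AIP scanner prerequisites.
# SQLSERVER01, CONTOSO\svc-aipscanner and C:\Chapitres are placeholders; replace them with your values.
$SqlServer      = 'SQLSERVER01'              # placeholder: SQL Server host for the scanner configuration
$ServiceAccount = 'CONTOSO\svc-aipscanner'   # placeholder: AD account the scanner service runs as
$Repositories   = @('C:\Chapitres')          # placeholder: data stores the scanner must read and write

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$cores  = (Get-CimInstance -ClassName Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$freeGB = [math]::Round((Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free / 1GB, 1)

# "Log on as a service" is the SeServiceLogonRight user right; secedit exports it as a list of SIDs.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'aip-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$logonRight = (Select-String -Path $cfg -Pattern '^SeServiceLogonRight').Line
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
$hasServiceLogon = [bool]($logonRight -and $logonRight.Contains($sid))

$checks = @(
    [pscustomobject]@{ Check = 'Windows Server 2012 R2 or 2016'; Pass = ($os.Caption -match 'Server 2012 R2|Server 2016'); Detail = $os.Caption }
    [pscustomobject]@{ Check = 'At least 4 GB of RAM';           Pass = ($ramGB -ge 4);   Detail = "$ramGB GB" }
    [pscustomobject]@{ Check = 'At least 4 cores';               Pass = ($cores -ge 4);   Detail = "$cores cores" }
    [pscustomobject]@{ Check = '10 GB free for temporary files'; Pass = ($freeGB -ge 10); Detail = "$freeGB GB free on $env:SystemDrive" }
    [pscustomobject]@{ Check = "SQL Server $SqlServer reachable"; Pass = (Test-NetConnection -ComputerName $SqlServer -Port 1433 -InformationLevel Quiet -WarningAction SilentlyContinue); Detail = 'TCP 1433 (default instance)' }
    [pscustomobject]@{ Check = "$ServiceAccount has Log on as a service"; Pass = $hasServiceLogon; Detail = 'SeServiceLogonRight in local policy' }
)

# Read/Write on each data store: direct ACEs only; rights granted through group membership are not resolved here.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
foreach ($path in $Repositories) {
    $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
    $ok  = [bool]($acl.Access | Where-Object {
               $_.AccessControlType -eq 'Allow' -and
               $_.IdentityReference.Value -eq $ServiceAccount -and
               (($_.FileSystemRights -band $modify) -eq $modify) })
    $detail = if ($acl) { 'direct Modify ACE' } else { 'path not found or not readable' }
    $checks += [pscustomobject]@{ Check = "Read/Write on $path"; Pass = $ok; Detail = $detail }
}

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) {
    Write-Warning 'One or more prerequisites are not met; fix them before running Install-AIPScanner.'
}
```

The super user membership in Azure Rights Management cannot be checked locally; it is confirmed in the tenant, not on the server.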
Configure AIP Scanner
Install AIP Scanner
SQL Server is already installed on the server. Download and install the Azure Information Protection client from the URL below:
Install the Azure Information Protection client and restart the server.
Launch a PowerShell prompt as administrator and run the following command to install the scanner:
- Install-AIPScanner -SqlServerInstance « database Server Name »
Enter the credentials (the service account for SQL Server) and click OK.
AIP Scanner is now correctly installed.
Installation is now finished; next you need to obtain an Azure AD token for the scanner. From the Azure portal, click Azure Active Directory, then App registrations.
In the central panel, click New application registration. In the Name field, enter the desired name, select Web app / API in the Application type drop-down list, and click Create.
In the central panel, select the application you just created.
Copy the Application ID (this value will be used as the WebAppId attribute in the next PowerShell command), then click Settings.
In the Required permissions blade, click Grant Permissions, then Yes.
Select Keys, enter a key description, select an expiration date and click Save. The key value appears in the field; copy it, because it will be used as the WebAppKey attribute in the next PowerShell command.
Now create a second application with the following settings:
- Application name : AIPClient
- Application type : Native
- Redirect URL : http://localhost
Copy the Application ID (this value will be used as the NativeAppId attribute in the next PowerShell command), then click Settings.
Click Required permissions, then Add.
In the Required permissions blade, click Grant Permissions, then Yes. Click Select an API and enter the name of the first application you created.
On the Select Permissions tab, select the application and click Select, then click Done to validate the configuration. The two applications are now created. From the Windows server that hosts the AIP scanner, run the following PowerShell command:
- Set-AIPAuthentication -WebAppId « Id Of Your App AIPApp » -WebAppKey « Key Generated for AIPApp » -NativeAppId « Application ID for the second Application AIPClient »
A new window appears; enter the admin account of your tenant and click Next. Enter the password and click Sign in.
The application token has now been acquired.
Data stores for the scanner
To specify the directories to scan, use the Add-AIPScannerRepository cmdlet. The path can be a local directory or the URL of a SharePoint site or library.
On the server with the AIP scanner role, enter the following command to add the directory « Chapitres » to the scanner repositories.
Replace « Chapitres » with the name of your repository.
- Add-AIPScannerRepository -Path « c:\Chapitres »
Repeat this command for every data store that you want to scan. To remove a data store, use the Remove-AIPScannerRepository cmdlet.
You can list the registered data stores with the Get-AIPScannerRepository cmdlet.
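Registering several data stores one by one is error-prone, so the script below (an added example, not part of the original article) adds a list of stores, reports any that fail, restricts the scanned file types as described in the overview, and lists the result. The paths are placeholders. The module name AzureInformationProtection is the one shipped with the AIP client, and the -ScannedFileTypes parameter name follows that module's documentation; confirm both with Get-Help on your server.

```powershell
# Added example, not part of the original article: register data stores in bulk, restrict file types, verify.
# The three paths below are placeholders.
Import-Module AzureInformationProtection   # module installed with the AIP client

$DataStores = @(
    'C:\Chapitres',                                          # placeholder local folder
    '\\FILESERVER01\Finance',                                # placeholder UNC share
    'https://sharepoint.contoso.local/sites/HR/Documents'    # placeholder SharePoint library
)

foreach ($store in $DataStores) {
    try {
        Add-AIPScannerRepository -Path $store -ErrorAction Stop
        Write-Host "Added data store: $store"
    }
    catch {
        # Typical causes: the store is already registered, or the service account cannot reach it.
        Write-Warning "Could not add '$store': $($_.Exception.Message)"
    }
}

# Limit inspection to Office documents and PDFs; patterns are comma separated.
# (-ScannedFileTypes is the documented parameter name; a pattern prefixed with '-' excludes that type.)
Set-AIPScannerScannedFileTypes -ScannedFileTypes '*.docx', '*.xlsx', '*.pptx', '*.pdf'

# Show what the scanner will actually crawl before a cycle is started.
Get-AIPScannerRepository | Format-Table -AutoSize
```

Review the listed stores before starting a cycle: every path here is a location the service account will read and, in enforcement mode, modify.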
Run a Discovery cycle
Azure Information Protection has been properly configured: a policy and a label have been created, and the label must be configured to be applied automatically.
From the Windows Services console, start the Azure Information Protection Scanner service.
The discovery cycle is now running; wait until it ends. When the cycle finishes, the service stops and an event with ID 911 is written to the Azure Information Protection log (under Applications and Services Logs).
To run a new discovery cycle, execute this command first:
- Set-AIPScannerConfiguration -Enforce Off -ReportLevel Info -Schedule OneTime -Type Full
- Start-Service AIPScanner (to start the Azure Information Protection Scanner service again).
For more details, use the reports. They are stored in %localappdata%\Microsoft\MSIP\Scanner\Reports.
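The whole discovery cycle can be driven from PowerShell. The script below is an added example, not part of the original article: it sets the one-time discovery configuration, starts the service, waits for the service to stop itself, confirms the event ID 911 described above, and lists the newest reports. The service name AIPScanner, the event log name and the report folder come from the article; the two-hour timeout is an arbitrary value.

```powershell
# Added example, not part of the original article: run one discovery cycle and verify that it completed.
Import-Module AzureInformationProtection

$TimeoutMinutes = 120          # arbitrary upper bound for the wait loop
$started = Get-Date

Set-AIPScannerConfiguration -Enforce Off -ReportLevel Info -Schedule OneTime -Type Full
Start-Service -Name AIPScanner

# A OneTime cycle stops the service when it ends; poll until that happens or the timeout expires.
while ((Get-Service -Name AIPScanner).Status -eq 'Running') {
    if (((Get-Date) - $started) -gt [TimeSpan]::FromMinutes($TimeoutMinutes)) {
        Write-Warning "Cycle still running after $TimeoutMinutes minutes; leaving it to finish."
        break
    }
    Start-Sleep -Seconds 30
}

# Event ID 911 marks the end of a cycle; only accept one written after this run started.
$done = Get-WinEvent -FilterHashtable @{ LogName = 'Azure Information Protection'; Id = 911; StartTime = $started } `
                     -MaxEvents 1 -ErrorAction SilentlyContinue
if ($done) { Write-Host "Cycle finished at $($done.TimeCreated)" }
else       { Write-Warning "No event 911 recorded since $started; check the service and its log." }

# Reports live under the profile of the account the service runs as, so %localappdata% resolves to the
# right folder only when this script itself runs as the scanner service account.
$ReportDir = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Scanner\Reports'
Get-ChildItem -Path $ReportDir -Filter *.csv -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime -First 5
```

If the report folder comes back empty, the usual reason is that the script was run as a different account than the service; open the folder under the service account's profile instead.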
Run the scanner to apply classification
When your tests are OK, configure the scanner to apply protection to the files. In the PowerShell console, run the command:
- Set-AIPScannerConfiguration -Enforce On -Schedule Continuous
Now start the Azure Information Protection Scanner service (Start-Service AIPScanner in PowerShell) and configure the service for automatic startup.
Your files are now discovered, classified and protected.
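Enforcement changes files in every registered data store, so it is worth refusing to switch it on until at least one discovery cycle has completed and its reports have been reviewed. The script below is an added example, not part of the original article: it uses the event ID 911 from the discovery section as that guard, applies the enforcement configuration shown above, sets the service to start automatically, and prints the resulting state.

```powershell
# Added example, not part of the original article: enable enforcement only after a completed discovery cycle.
Import-Module AzureInformationProtection

# Guard: event 911 (end of cycle) must exist in the Azure Information Protection log.
$lastCycle = Get-WinEvent -FilterHashtable @{ LogName = 'Azure Information Protection'; Id = 911 } `
                          -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $lastCycle) {
    throw 'No completed discovery cycle found (event 911). Run discovery and review its reports before enforcing.'
}
Write-Host "Last discovery cycle completed at $($lastCycle.TimeCreated); enabling enforcement."

Set-AIPScannerConfiguration -Enforce On -Schedule Continuous
Set-Service -Name AIPScanner -StartupType Automatic
Start-Service -Name AIPScanner

# Verify: the scanner configuration and the service state/start mode (Win32_Service works on PowerShell 4 too).
Get-AIPScannerConfiguration
Get-CimInstance -ClassName Win32_Service -Filter "Name='AIPScanner'" |
    Select-Object Name, State, StartMode, StartName
```

The StartName column shows which account the service runs as; it should be the scanner service account from the prerequisites, not LocalSystem.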