This post is in continuation with the previous AIP post.

Existing setup done:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured
  6. Intune enrollment – Domain Joined Windows 10 devices
  7. Azure AD Join
  8. Office 365 Pro Plus Application
  9. Sample SharePoint Team Site
  10. OneDrive Known Folder Migration and SharePoint library sync
  11. Copy necessary files (Win32 App)
  12. Set Desktop Background, Lock Screen and Screensaver
  13. Adding applications to StartUp folder
  14. Adding some 3rd Party applications (Browsers)
  15. Microsoft Store for Business configuration and integration and Store Apps.
  16. Windows Defender Application Guard configuration
  17. Extend Application Guard to Mozilla Firefox and Google Chrome
  18. Configure Windows Defender Antivirus
  19. Windows Defender Credential Guard
  20. Windows Defender Exploit Guard – Attack Surface Reduction
  21. Windows Defender Exploit Guard – CFA, NP, EP
  22. Windows Defender Application Control Part 1
  23. Windows Defender Application Control Part 2
  24. Azure Information Protection Part 1
  25. Azure Information Protection Part 2

Existing setup:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
  8. SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
  9. SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
  10. SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
  11. SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)

This post is in continuation with the previous post.

Previous post talked on how we can do basic AIP configuration in a brand new Tenant. We also created few Sensitive Info Types, labels for the Sensitive Info Types. We also configured SharePoint Online so that it can process content in Office online files that have encrypted sensitivity labels applied.

In this post, we’ll configure AIP Scanner which we will use to scan on-premises repositories and label files in them taking SMB share as an example.

Already configured:

A Separate Server (domain joined) for AIP Scanner with SQL Server installed

Latest AIP client installed using installation file: AzInfoProtection.exe

Service Account for AIP Scanner

Create Service Account for AIP Scanner. Here I am using normal domain user instead of MSA.

Login to Domain Controller.

Open Active Directory Users and Computers.

Right click Users, click New and click User.

Enter appropriate name. I have used AIPScanSvc. Click Next.

Enter password and click Next.

Click Finish.

Add the user to Log on as a Service and Log on as a batch job.

You can create a new GPO and target it accordingly, but since this a small lab environment, I have modified Default Domain Policy itself.

Open Group Policy Management.

Right click Default Domain Policy and click Edit.

In the new window, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

Double click Log on as a service.

Click Add User or Group … and add above created user.

Once the user is added, click OK.

Double click Log on as a batch job and add the above created user.

Once added, click OK.

Assign licenses to the Scanner service created above:

Once the user is synced to Azure AD, Assign AIP licenses.

Configure Scanner in Portal

Create a Scanner Cluster in Portal. This cluster defines the scanner and is used to identify the scanner instance, such as during installation, upgrades, and other processes. We can have multiple scanner nodes in one cluster.

Navigate to Open Azure Information Protection section.

Navigate to Scanner -> Clusters and click on +Add.

Enter appropriate Cluster name and Description. I have entered below:


Click Save.

Create a network scan job (public preview)

Starting in AIP version, we can scan your network for risky repositories. Add one or more of the repositories found to a content scan job to scan them for sensitive content.

Network discovery prerequisite 1 – Install the Network Discovery service

Import AIP PowerShell module by running below command:

Import-Module ‘C:\Program Files (x86)\Microsoft Azure Information Protection\Powershell\AzureInformationProtection\AzureInformationProtection.psd1’

Get AIP Scanner Service account credentials by running below command:

$serviceacct= Get-Credential -UserName Sky366\AIPScanSvc -Message ScannerAccount

Get Admin ID credentials by running below command:

$shareadminacct= Get-Credential -UserName Sky366\Administrator -Message ShareAdminAccount

Get normal User ID credentials by running below command. I am using LU01 user who is a normal domain user:

$publicaccount= Get-Credential -UserName Sky366\LU01 -Message PublicUser

Configure AIP Network Discovery service by running below command:

Install-MIPNetworkDiscovery -SqlServerInstance SkySRV2 -Cluster AIPCluster1 -ServiceUserCredentials $serviceacct -ShareAdminUserAccount $shareadminacct -StandardDomainsUserAccount $publicaccount

Network discovery prerequisite 2 – Have Azure Information Protection analytics enabled

We already configured AIP Analytics earlier as part of the lab.

Create a network scan job

Open Azure Information Protection section in Azure portal.

Navigate to Scanner -> Network scan jobs (Preview) and click on +Add.

In Add a new network scan job window, enter Network scan job name and Description. I have used below:

Network scan job name: Sky366 Network Scan

Description: Sky366 Network Scan

Select the cluster. We have just one cluster defined, so select that:

Cluster: AIPCluster1

Click on Configure IP ranges to discover.

Enter IP ranges where SMB shares can be found.

Click OK.

Close the window by clicking X icon.

Select schedule and start time as required.

Click Save.

Close the window by clicking X icon.

We need to run after Scanner is installed, we’ll do this later:

Set-AIPScannerConfiguration -OnlineConfiguration On

Create a content scan job

Open Azure Information Protection section in Azure portal.

Navigate to Scanner -> Content scan jobs and click on +Add.

Enter appropriate Content scan job name and Description. I have entered below:

Content scan job name: AIP Content Scan Job 1.

Description: AIP Content Scan Job 1.

You can see that configuring Repositories is locked. We need to save the job then only we can configure the Repositories.

Configure Content scan job settings, Policy enforcement and Configure file settings sections appropriately and click Save.

Note: You can configure the repositories now. If you want to add the repositories from the repositories discovered by Network scan then do not configure here, else click on Configure repositories.

Click +Add.

Enter Path.

Configure Policy enforcement and Configure files settings sections appropriately.

Click Save.

I am adding another repository here.

We see all the configured repositories here.

Navigate to Content scan jobs. We see the Content scan job created.

Click on +Assign to cluster.

Select appropriate Cluster. I have just one Cluster created so selecting that only.

Click Save.

Install AIP Scanner:

Install the AIP Scanner service using below command:

Install-AIPScanner -SqlServerInstance SkySRV2 -Profile AIPCluster1

In the credential window, enter the credential of the AIP Scanner services account we created earlier. I have used the below account:

User Name: Sky366\AIPScanSvc

Click OK when done.

We see that the command completed successfully.

Verify that AIPScanSvc account is used for the AIP Scanner Service

Open Services.msc and check for Azure Information Protection Scanner service. Also check the Log On As is reflecting the AIP Scanner service account.

Get an Azure AD token for the scanner

Log on to Azure Portal.

Navigate to Azure Active Directory. Under Manage, click on App registrations and click + New registration.

Enter appropriate name. I have used AIP-DelegatedUser.

Name: AIP-DelegatedUser

In Who can use this application or access this API, select Accounts in this organizational directory only.

In Redirect URI, select Web and enter http://localhost

Click Register.

You will get the Application Overview page.

Copy Application (Client) ID.

This value is used for the AppId parameter when we’ll run the Set-AIPAuthentication cmdlet. Paste and save the value for later reference.

In the Application, navigate to Certificates & secrets.

Once in Certificates & secrets, navigate to Client secrets and click on + New client secret.

Enter appropriate Description. I have used Azure Information Protection unified labeling client.

Select when the secret will expire and click Add.

You will be redirected back to Certificates & secrets.

Copy the secret’s Value and save it.

This value is used for the AppSecret parameter when we’ll run the Set-AIPAuthentication cmdlet.

Navigate to API permissions and click on + Add a permission.

On Request API permissions page, select Microsoft APIs and then click on Azure Rights Management Services.

Click on Application permissions.

Select Content.DelegatedReader and Content.DelegatedWriter.

Click on Add permissions.

You can see the permissions got added.

On the same page, click on Add a permission.

On Request API permissions, select APIs my organization uses.

Search “Microsoft Information” and click on Microsoft Information Protection Sync Service.

Here, click on Application permissions.

In Microsoft Information Protection Sync Service page, select UnifiedPolicy.Tenant.Read and click on Add permissions.

You can see that permission got added.

On the same page, click on “” and click on Grant admin consent for Tenant.

Click on Yes.

You can see the status.

Get Azure AD Tenant ID:

Navigate to Azure Active Directory -> Overview.

You can see the Tenant ID. Copy and save it.

This value is used for the TenantId parameter when we run the Set-AIPAuthentication cmdlet.

Configure AIP Scanner:

Run PowerShell under in Administrative mode

Execute below command to get credentials of the AIP Scanner Service account:

$pscreds = Get-Credential Domain\AIPServiceAccount

I have used:

$pscreds = Get-Credential Sky366\AIPScanSvc

Enter below command to configure the AIP Scanner:

Set-AIPAuthentication -AppId “App_ID_copied_Earlier” -AppSecret “App_Secret_copied_Earlier” -TenantId “Tenant_ID_copied_Earlier” -DelegatedUser AIP_Scanner_Service_Account_in_UPN -OnBehalfOf $pscreds

I have used below:

Set-AIPAuthentication -AppId “xxxxx” -AppSecret “yyyyy” -TenantId “zzzzz” -DelegatedUser -OnBehalfOf $pscreds

In the same PowerShell session, enter:

Set-AIPScannerConfiguration -OnlineConfiguration On

Open Services.msc and Restart the Network Discovery service.

Back in AIP Portal:

Back in AIP Portal, you should see the node listed.

Note: If you do not get the Node listed in portal, then restart the AIP Scanner service

Navigate to Content scan jobs and click on Scan now.

Navigate to Nodes. You can see that Content Scan Job is running.

Navigate to Repositories (Preview).

You can see all the repositories getting discovered.

Select any repository to see all details.

To add any repository to Content Scan Job, select the repository and click on +Assign Selected Items.

Select the Content Scan Job.

Click Save.

Click Yes.

Click on Content scan jobs.

You can see the Content scan job. Click on the Repositories.

You can see the Repository.

Copy some test documents to the repository. I have copied some files which should be labeled as Finance due to its content.

Open Azure Information Protection blade in the portal.

Navigate to Analytics -> Usage report (Preview).

You can see that Scanner application is not yet listed.

Navigate to Content scan jobs and initiate the scan.

Navigate to Usage report (Preview) again.

After some time, we see that some files got labelled using AIP Scanner.

You can check the Activity logs also.

Check the Data discovery (Preview).

To protect all files using AIP Scanner

By default the AIP scanner protects Office file types and PDF files only. To protect other files or all files, we need to configure the scanner.


Connect to Security & Compliance Center PowerShell

Install Exchange Online V2 Module

Execute Import-Module to import Exchange Online V2 module. If it results in an error, then install the module.

Import-Module ExchangeOnlineManagement

Install-Module -Name ExchangeOnlineManagement

Capture credentials to connect to Security and Compliance PowerShell.

$UserCredential = Get-Credential

I am using Global Admin credentials.

Connect to Security and Compliance PowerShell by executing below cmdlet:

Connect-IPPSSession -Credential $UserCredential

To protect all supported extensions, execute below cmdlet:

Set-LabelPolicy -Identity “Global Policy” -AdvancedSettings @{PFileSupportedExtensions=”*”}

Here “Global Policy” is the AIP Policy name.

You can also use Policy ID instead of Policy name. Use any one method:

First get the Policy ID


Guid : 700824ec-1c1d-4803-8d21-189d08f1b7ee

Then, use the Policy ID in the Set-LabelPolicy cmdlet:

Set-LabelPolicy -Identity 700824ec-1c1d-4803-8d21-189d08f1b7ee -AdvancedSettings @{PFileSupportedExtensions=”*”}

Restart the API Scanner service.


Create a text file with content such that AIP Scanner automatically labels it.

Save it in the share.

Navigate to Content scan jobs, select the job and click Scan now.

Navigate to Activity logs (Preview).

After some time, you’ll see that the text document got labelled.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.