This post is in continuation with the previous AIP post.
Existing setup done:
- Two Local users created
- Azure AD Connect configured
- Seamless Single Sign-On (IE) configured
- Seamless Single Sign-On (Firefox) configured
- Hybrid Azure AD Join configured
- Intune enrollment – Domain Joined Windows 10 devices
- Azure AD Join
- Office 365 Pro Plus Application
- Sample SharePoint Team Site
- OneDrive Known Folder Migration and SharePoint library sync
- Copy necessary files (Win32 App)
- Set Desktop Background, Lock Screen and Screensaver
- Adding applications to StartUp folder
- Adding some 3rd Party applications (Browsers)
- Microsoft Store for Business configuration and integration and Store Apps.
- Windows Defender Application Guard configuration
- Extend Application Guard to Mozilla Firefox and Google Chrome
- Configure Windows Defender Antivirus
- Windows Defender Credential Guard
- Windows Defender Exploit Guard – Attack Surface Reduction
- Windows Defender Exploit Guard – CFA, NP, EP
- Windows Defender Application Control Part 1
- Windows Defender Application Control Part 2
- Azure Information Protection Part 1
- Azure Information Protection Part 2
Existing setup:
- SkyDC: Machine with ADDS, DNS, DHCP role
- SkyCON: Machine where we will install Azure AD Connect
- SkyCM: Machine with Configuration Manager Current Branch
- SkyTEN1: Domain Joined Windows 10 machine
- SkyTEN2: Domain Joined Windows 10 machine
- SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
- SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
Continuing from the previous post: there we did the basic AIP configuration in a brand new tenant, created a few Sensitive Info Types and labels for those Sensitive Info Types, and configured SharePoint Online so that it can process content in Office Online files that have encrypted sensitivity labels applied.
In this post, we'll configure the AIP Scanner, which we will use to scan on-premises repositories and label the files in them, taking an SMB share as the example.
Already configured:
- A separate server (domain joined) for the AIP Scanner with SQL Server installed
- Latest AIP client installed using the installation file: AzInfoProtection.exe
- Service account for the AIP Scanner
Create a service account for the AIP Scanner. Here I am using a normal domain user instead of a managed service account (MSA).
Login to Domain Controller.
Open Active Directory Users and Computers.
Right click Users, click New and click User.
Enter appropriate name. I have used AIPScanSvc. Click Next.
Enter password and click Next.
Click Finish.
Grant the user the Log on as a service and Log on as a batch job rights.
You can create a new GPO and target it accordingly, but since this is a small lab environment, I have modified the Default Domain Policy itself.
Open Group Policy Management.
Right click Default Domain Policy and click Edit.
In the new window, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
Double click Log on as a service.
Click Add User or Group … and add above created user.
Once the user is added, click OK.
Double click Log on as a batch job and add the above created user.
Once added, click OK.
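Before installing the scanner it is worth confirming, on the scanner server itself, that the two user rights from the GPO actually reached the service account. This is an added check, not part of the original post; it assumes the lab account name Sky366\AIPScanSvc and runs in an elevated PowerShell on the scanner server.

```powershell
# Added example (not from the original post): verify that the AIP scanner service
# account holds "Log on as a service" and "Log on as a batch job" on this machine.
$Account = 'Sky366\AIPScanSvc'   # assumption: the lab service account from this post

# secedit lists rights holders as *<SID>, so resolve the account to its SID first
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local security policy; user rights live under [Privilege Rights]
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$required = @{
    SeServiceLogonRight = 'Log on as a service'
    SeBatchLogonRight   = 'Log on as a batch job'
}

$lines = Get-Content $cfg
foreach ($priv in $required.Keys) {
    # Each privilege is one line of the form: SePrivName = *S-1-5-...,*S-1-5-...
    $line    = $lines | Where-Object { $_ -match "^$priv\s*=" }
    $holders = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
    $ok      = ($holders -contains "*$sid") -or ($holders -contains $Account)
    '{0,-20} ({1}): {2}' -f $priv, $required[$priv], $(if ($ok) { 'OK' } else { 'MISSING' })
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If either right reports MISSING, run gpupdate /force on the scanner server and re-run the check before continuing with the scanner installation.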
Assign licenses to the scanner service account created above:
Once the user is synced to Azure AD, assign the AIP licenses.
Configure Scanner in Portal
Create a Scanner Cluster in Portal. This cluster defines the scanner and is used to identify the scanner instance, such as during installation, upgrades, and other processes. We can have multiple scanner nodes in one cluster.
Navigate to https://portal.azure.com. Open Azure Information Protection section.
Navigate to Scanner -> Clusters and click on +Add.
Enter appropriate Cluster name and Description. I have entered below:
AIPCluster1
Click Save.
Create a network scan job (public preview)
Starting in AIP version 2.8.85.0, we can scan the network for risky repositories. Add one or more of the repositories found to a content scan job to scan them for sensitive content.
Network discovery prerequisite 1 – Install the Network Discovery service
Import AIP PowerShell module by running below command:
Import-Module 'C:\Program Files (x86)\Microsoft Azure Information Protection\Powershell\AzureInformationProtection\AzureInformationProtection.psd1'
Get AIP Scanner Service account credentials by running below command:
$serviceacct= Get-Credential -UserName Sky366\AIPScanSvc -Message ScannerAccount
Get Admin ID credentials by running below command:
$shareadminacct= Get-Credential -UserName Sky366\Administrator -Message ShareAdminAccount
Get normal user credentials by running the below command. I am using LU01, a normal domain user:
$publicaccount= Get-Credential -UserName Sky366\LU01 -Message PublicUser
Configure AIP Network Discovery service by running below command:
Install-MIPNetworkDiscovery -SqlServerInstance SkySRV2 -Cluster AIPCluster1 -ServiceUserCredentials $serviceacct -ShareAdminUserAccount $shareadminacct -StandardDomainsUserAccount $publicaccount
Network discovery prerequisite 2 – Have Azure Information Protection analytics enabled
We already configured AIP Analytics earlier as part of the lab.
Create a network scan job
Open Azure Information Protection section in Azure portal.
Navigate to Scanner -> Network scan jobs (Preview) and click on +Add.
In Add a new network scan job window, enter Network scan job name and Description. I have used below:
Network scan job name: Sky366 Network Scan
Description: Sky366 Network Scan
Select the cluster. We have just one cluster defined, so select that:
Cluster: AIPCluster1
Click on Configure IP ranges to discover.
Enter IP ranges where SMB shares can be found.
Click OK.
Close the window by clicking X icon.
Select schedule and start time as required.
Click Save.
Close the window by clicking X icon.
The following command needs to be run after the scanner is installed; we'll do this later:
Set-AIPScannerConfiguration -OnlineConfiguration On
Create a content scan job
Open Azure Information Protection section in Azure portal.
Navigate to Scanner -> Content scan jobs and click on +Add.
Enter appropriate Content scan job name and Description. I have entered below:
Content scan job name: AIP Content Scan Job 1.
Description: AIP Content Scan Job 1.
You can see that configuring Repositories is locked. We need to save the job first; only then can we configure the repositories.
Configure Content scan job settings, Policy enforcement and Configure file settings sections appropriately and click Save.
Note: You can configure the repositories now by clicking Configure repositories. If you instead want to add repositories from those discovered by the network scan, skip this step and assign them later from the discovery results.
Click +Add.
Enter Path.
Configure Policy enforcement and Configure files settings sections appropriately.
Click Save.
I am adding another repository here.
We see all the configured repositories here.
Navigate to Content scan jobs. We see the Content scan job created.
Click on +Assign to cluster.
Select the appropriate cluster. I have only one cluster created, so I am selecting that one.
Click Save.
Install AIP Scanner:
Install the AIP Scanner service using below command:
Install-AIPScanner -SqlServerInstance SkySRV2 -Profile AIPCluster1
In the credential window, enter the credentials of the AIP Scanner service account we created earlier. I have used the below account:
User Name: Sky366\AIPScanSvc
Click OK when done.
We see that the command completed successfully.
Verify that AIPScanSvc account is used for the AIP Scanner Service
Open Services.msc and check for the Azure Information Protection Scanner service. Also check that Log On As shows the AIP Scanner service account.
Get an Azure AD token for the scanner
Log on to Azure Portal.
Navigate to Azure Active Directory. Under Manage, click on App registrations and click + New registration.
Enter appropriate name. I have used AIP-DelegatedUser.
Name: AIP-DelegatedUser
In Who can use this application or access this API, select Accounts in this organizational directory only.
In Redirect URI, select Web and enter http://localhost
Click Register.
You will get the Application Overview page.
Copy Application (Client) ID.
This value is used for the AppId parameter when we run the Set-AIPAuthentication cmdlet. Paste and save the value for later reference.
In the Application, navigate to Certificates & secrets.
Once in Certificates & secrets, navigate to Client secrets and click on + New client secret.
Enter appropriate Description. I have used Azure Information Protection unified labeling client.
Select when the secret will expire and click Add.
You will be redirected back to Certificates & secrets.
Copy the secret’s Value and save it.
This value is used for the AppSecret parameter when we run the Set-AIPAuthentication cmdlet.
Navigate to API permissions and click on + Add a permission.
On Request API permissions page, select Microsoft APIs and then click on Azure Rights Management Services.
Click on Application permissions.
Select Content.DelegatedReader and Content.DelegatedWriter.
Click on Add permissions.
You can see the permissions got added.
On the same page, click on Add a permission.
On Request API permissions, select APIs my organization uses.
Search “Microsoft Information” and click on Microsoft Information Protection Sync Service.
Here, click on Application permissions.
In Microsoft Information Protection Sync Service page, select UnifiedPolicy.Tenant.Read and click on Add permissions.
You can see that permission got added.
On the same page, click on “…” and click on Grant admin consent for Tenant.
Click on Yes.
You can see the status.
Get Azure AD Tenant ID:
Navigate to Azure Active Directory -> Overview.
You can see the Tenant ID. Copy and save it.
This value is used for the TenantId parameter when we run the Set-AIPAuthentication cmdlet.
Configure AIP Scanner:
Run PowerShell as Administrator.
Execute the below command to get the credentials of the AIP Scanner service account:
$pscreds = Get-Credential Domain\AIPServiceAccount
I have used:
$pscreds = Get-Credential Sky366\AIPScanSvc
Enter below command to configure the AIP Scanner:
Set-AIPAuthentication -AppId "App_ID_copied_Earlier" -AppSecret "App_Secret_copied_Earlier" -TenantId "Tenant_ID_copied_Earlier" -DelegatedUser AIP_Scanner_Service_Account_in_UPN -OnBehalfOf $pscreds
I have used below:
Set-AIPAuthentication -AppId "xxxxx" -AppSecret "yyyyy" -TenantId "zzzzz" -DelegatedUser AIPScanSvc@Sky366.bid -OnBehalfOf $pscreds
In the same PowerShell session, enter:
Set-AIPScannerConfiguration -OnlineConfiguration On
Open Services.msc and Restart the Network Discovery service.
Back in the AIP portal, you should see the node listed.
Note: If the node is not listed in the portal, restart the AIP Scanner service.
Navigate to Content scan jobs and click on Scan now.
Navigate to Nodes. You can see that Content Scan Job is running.
Navigate to Repositories (Preview).
You can see all the repositories getting discovered.
Select any repository to see all details.
To add any repository to Content Scan Job, select the repository and click on +Assign Selected Items.
Select the Content Scan Job.
Click Save.
Click Yes.
Click on Content scan jobs.
You can see the Content scan job. Click on the Repositories.
You can see the Repository.
Copy some test documents to the repository. I have copied some files which should be labeled as Finance due to their content.
Open Azure Information Protection blade in the portal.
Navigate to Analytics -> Usage report (Preview).
You can see that Scanner application is not yet listed.
Navigate to Content scan jobs and initiate the scan.
Navigate to Usage report (Preview) again.
After some time, we see that some files got labelled using AIP Scanner.
You can check the Activity logs also.
Check the Data discovery (Preview).
To protect all files using AIP Scanner
By default, the AIP scanner protects Office file types and PDF files only. To protect other files, or all files, we need to configure the scanner.
Connect to Security & Compliance Center PowerShell
Install Exchange Online V2 Module
Run Import-Module to load the Exchange Online V2 module. If it fails because the module is not present, install it with Install-Module and import it again.
Import-Module ExchangeOnlineManagement
Install-Module -Name ExchangeOnlineManagement
Capture credentials to connect to Security and Compliance PowerShell.
$UserCredential = Get-Credential
I am using Global Admin credentials.
Connect to Security and Compliance PowerShell by executing below cmdlet:
Connect-IPPSSession -Credential $UserCredential
To protect all supported extensions, execute below cmdlet:
Set-LabelPolicy -Identity "Global Policy" -AdvancedSettings @{PFileSupportedExtensions="*"}
Here "Global Policy" is the AIP policy name.
You can also use the policy ID instead of the policy name. Use either method:
First get the Policy ID
Get-LabelPolicy
Guid : 700824ec-1c1d-4803-8d21-189d08f1b7ee
Then, use the Policy ID in the Set-LabelPolicy cmdlet:
Set-LabelPolicy -Identity 700824ec-1c1d-4803-8d21-189d08f1b7ee -AdvancedSettings @{PFileSupportedExtensions="*"}
Restart the AIP Scanner service.
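Protecting every extension with "*" is the broadest setting; a narrower alternative is to list only the extensions the scanner should protect, and then read the setting back to confirm it was applied. This is an added example, not from the original post; it assumes an existing Connect-IPPSSession session, the policy name "Global Policy" used above, and a constructed sample list of extensions.

```powershell
# Added example (not from the original post): scope PFileSupportedExtensions to a
# named set of extensions rather than "*", then verify the advanced setting stuck.
# Assumes Connect-IPPSSession has already been run in this session.
$PolicyName = 'Global Policy'               # assumption: the policy name from this post
$Extensions = @('.txt', '.csv', '.xml')     # constructed sample list, adjust to need

# An explicit extension list is passed as a JSON array, e.g. [".txt",".csv",".xml"]
$json = ConvertTo-Json -InputObject $Extensions -Compress
Set-LabelPolicy -Identity $PolicyName -AdvancedSettings @{ PFileSupportedExtensions = $json }

# Read the setting back from the policy's Settings property; the entry is stored
# as a "[key, value]" string, so a case-insensitive match on the key finds it.
$policy = Get-LabelPolicy -Identity $PolicyName
$entry  = $policy.Settings | Where-Object { $_ -match 'pfilesupportedextensions' }
if ($entry) { "Applied: $entry" } else { 'PFileSupportedExtensions not set on this policy' }
```

To return to the broad behaviour described above, set the value back to "*" with the same Set-LabelPolicy call; in both cases the AIP Scanner service must be restarted before the change takes effect.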
Testing:
Create a text file with content such that AIP Scanner automatically labels it.
Save it in the share.
Navigate to Content scan jobs, select the job and click Scan now.
Navigate to Activity logs (Preview).
After some time, you’ll see that the text document got labelled.