The AIP Scanner, licensing, usage and more.

Previously I have promised that I would write a post about the AIP scanner, how it is installed and more, but the good installation guides from Microsoft rendered this kind of unnecessary.
  It is true: For those of us who haven’t had a lot of experience with creating and configuring Azure AD applications for instance, installing the AIP Scanner can seem fairly complicated, but if you follow this guide from Microsoft:  you should be fine.

A couple of things I have noted after doing a few installs is that although Microsoft has specified quite low HW requirements for the Scanner, I do suggest giving quite a bit more when it comes to disk space.

Another thing (might just be me who made mistakes during my first setup but …) : Read the guide! I mean really read the guide and follow it to the letter.

What happens after I have installed the Scanner?

Nothing happens really. You have a new service, and everything is ready, but before you tell it what you want it to do, it does nothing. It needs to be told what (where) to scan and what to do with the information. The first thing you should do when things are up and running is therefore to decide what you want it to do (Or preferably you will have decided this before you started).

Tip: Be sure of what licenses you have. It can seem a bit ambiguous, but the requirement is - every user that contribute to the scanned repository need to be licensed accordingly. So, what does this mean? Well, if you use the AIP scanner to apply automatic labeling then ALL the contributing users need to have a P2 license (or EMS E5)

Can AIP Scanner still have value for those of us who has EMS E3/P1?

The answer is yes! If you only have EMS E3, or P1 licenses and still want to run the scanner that is perfectly doable. It is when you use it to automatically apply labels you need to upgrade the licenses.

So, what can you do with the Scanner without the automatic labelling? You can run it to discover files that have content that should be protected, and if you like, label/protect them manually with PowerShell. The PowerShell modules are installed when you install the AIP Client and you can run:

Set-AIPFileLabel -Path “Specify the path here” -LabelId “specify the label id here”

It might be interesting to know that if you have EMS E5/P2 and want to scan a folder and apply automatic labels/protection you can use this command:

Set-AIPFileClassification -Path “Specify the file path here” -PreserveFileDetails

You can also use the Classify and Protect option that is added into File Explorer after installing the client. (Right click a file or folder and select Classify and Protect)

Classify and Protect

This means that in the days of GDPR focus the AIP Scanner can be an excellent tool to look through all your file shares/file servers to find out what you have and if there is anything that should not be there/should be protected. When you have specified which repositories you want to scan, you can run the following command to do a full discovery:

Set-AIPScannerConfiguration -Enforce Off -Schedule OneTime -Type Full -DiscoverInformationTypes All

When this is done you can look at the logs to see what is found:


You could also go into the scanner services’ AppData folder: C:\users\”the profile of the scanner service”\appdata\local\Microsoft\MSIP\Scanner\Reports
There are certainly a lot of things to consider here, but as a tool to get an overview of all your old data, this is pretty cool. As some of my customers have done you can combine it with Microsoft Cloud App security and gain control of you data both on-premises and in the cloud.


Popular posts from this blog

Do not Forward and the protection of attachments

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label