How to use AIP scanner to discover sensitive data

Sensitive data, such as personally identifiable information (PII) and financial records, must be protected according to compliance requirements. It is crucial to maintain data privacy to build and retain trust with stakeholders. A company’s competitive advantage depends on intellectual property protection, while data sovereignty ensures compliance with local storage laws. Moreover, security measures protect against a range of threats, from cyberattacks to insider threats. With so many interconnected systems and networks, securing on-premise data has never been more important. Organizations that prioritize this reduce security breaches significantly.

Why use Azure Information Protection (AIP) scanner?

You can efficiently protect your on-premises data with Azure Information Protection (AIP):

• Scanning and identifying data: The AIP scanner helps organizations protect their sensitive data by scanning and identifying data based on pre-configured policies like GDPR or IP protection policies that can be customized.
• Applying labels and encryption: Once your data is identified, the scanner applies appropriate labels and encryption techniques to ensure its confidentiality and integrity.
• Regulatory compliance: The AIP scanner helps organizations comply with regulatory requirements by enforcing data protection policies consistently throughout the on-premise environment.

In addition to regulatory compliance, the AIP scanner provides valuable insights into the usage and access patterns of the data. This information can be used to detect and prevent potential security risks, such as unauthorized access or data breaches. By analyzing usage patterns, administrators can identify suspicious activity and take proactive measures to mitigate the risks. This is particularly important in industries where data privacy and security regulations are stringent, such as healthcare, finance, and government.

Steps to protect your on-premise data using AIP scanner

Pre-requisites:

• Windows Server 2019 R2 or other recent versions
• SQL Server 2019 (Express, Standard, or Enterprise)
• Service account – an AD sync account that has permission to log on locally and as a service
• Azure Information Protection client

Installing the AIP client:

1. Log in to the server as an administrator.
2. Download the AIP client.
3. Run the installation as the administrator.

Installing the AIP scanner:

• Log in to the server and run PowerShell as an Administrator.
• Run the following command (replace ABC\SQLEXPRESS with your SQL instance):

Install-AIPScanner -SqlServerInstance ABC\SQLEXPRESS

• Log in with your service account credentials.
• After installation, verify that the AIP Scanner service is running under services.

Creating an Azure AD token for AIP scanner:

• Log in to the Azure AD portal as a Global Administrator.
• Navigate to Azure Active Directory > App registrations > New application registration.
• In the new window, enter:
  • Name: (Must be unique)
  • Application Type
  • Sign-on URL
• Click Create.
• Copy the Application ID value (WebAppId) and save it.
• Under Application settings > Required permissions > Grant Permissions > Yes.
• Select Keys > Create a new key > Save the value (WebAppKey).
• Go back to Application registration and create another application.
• Copy the Application ID (NativeAppId) and save it.
• Under Required permissions > Add > Select an API, pick the one you just created.
• Under Select permissions, choose the available access permissions and click Select > Done > Grant permissions > Yes.

Grant permissions for a non-Azure AD sync account:

Additional configuration is required if the AIP service account is not an Azure AD sync account:

1. Run the following command as administrator:
   New-AzureADServicePrincipal -ApplicationId <WebAppId>
New-AzureADServicePrincipal -ApplicationId <NativeAppId>

2. Log in using your Azure AD account for AIP authentication when the ‘Sign in to your account’ window opens up.
3. Save the token value.
4. Enter the following PowerShell script:
   $token = "<token_value>"

5. Then run the following command:
   Set-AIPAuthentication -AppId <WebAppId> -AppKey <WebAppKey> -NativeAppId <NativeAppId> -Token $token

6. Create a task schedule using Task Scheduler and run the script with the following:
   • Action: Start a Program
   • Program: Powershell.exe
   • Argument: -NoProfile -WindowStyle Hidden -command “&{C:\Filename.ps1}”
7. Save the script using the service account details.

Specifying the data repository:

1. Use the following command, replacing ‘abc’ with the repository name:
   Add-AIPScannerRepository -Path \\Server\DataShare -DataState Enabled -SetAsDefault

2. To verify the repositories, use:
   Get-AIPScannerRepository


Configuring the scanner to apply classifications:

By default, the AIP scanner runs in report-only mode. To force it to start classification, use:

Set-AIPScannerConfiguration -ReportMode Disabled

You can view the reports for scanning in:

%localappdata%\Microsoft\MSIP\Scanner\Reports