
How to use AIP scanner to discover sensitive data

Sensitive data, such as personally identifiable information (PII) and financial records, must be protected according to compliance requirements. Maintaining data privacy is crucial to building and retaining the trust of stakeholders. A company's competitive advantage depends on protecting its intellectual property, while data sovereignty requires compliance with local storage laws. Moreover, security measures protect against a range of threats, from external cyberattacks to insider misuse. With so many interconnected systems and networks, securing on-premises data has never been more important, and organizations that prioritize it significantly reduce their exposure to breaches.

Why use Azure Information Protection (AIP) scanner?

You can efficiently protect your on-premises data with Azure Information Protection (AIP):

In addition to regulatory compliance, the AIP scanner provides valuable insights into the usage and access patterns of the data. This information can be used to detect and prevent potential security risks, such as unauthorized access or data breaches. By analyzing usage patterns, administrators can identify suspicious activity and take proactive measures to mitigate the risks. This is particularly important in industries where data privacy and security regulations are stringent, such as healthcare, finance, and government.

Steps to protect your on-premises data using AIP scanner

Pre-requisites:

Installing the AIP client:

  1. Log in to the server as an administrator.
  2. Download the AIP client.
  3. Run the installation as the administrator.

Installing the AIP scanner:

Install-AIPScanner -SqlServerInstance ABC\SQLEXPRESS

Creating an Azure AD token for AIP scanner:

Grant permissions for a non-Azure AD sync account:

Additional configuration is required if the AIP service account is not an Azure AD sync account:

  1. Run the following command as administrator:
    New-AzureADServicePrincipal -ApplicationId <WebAppId>
    New-AzureADServicePrincipal -ApplicationId <NativeAppId>
  2. Log in using your Azure AD account for AIP authentication when the ‘Sign in to your account’ window opens up.
  3. Save the token value.
  4. Enter the following PowerShell script:
    $token = "<token_value>"
  5. Then run the following command:
    Set-AIPAuthentication -AppId <WebAppId> -AppKey <WebAppKey> -NativeAppId <NativeAppId> -Token $token
  6. Create a scheduled task in Task Scheduler that runs the script with the following settings:
    • Action: Start a Program
    • Program: Powershell.exe
    • Argument: -NoProfile -WindowStyle Hidden -command "&{C:\Filename.ps1}"
  7. Save the task using the service account details, so that it runs under that account.

Specifying the data repository:

  1. Use the following command, replacing the example path with the UNC path of the repository to scan:
    Add-AIPScannerRepository -Path \\Server\DataShare -DataState Enabled -SetAsDefault
  2. To verify the repositories, use:
    Get-AIPScannerRepository

Configuring the scanner to apply classifications:

By default, the AIP scanner runs in report-only mode: it discovers and reports sensitive content but does not change any files. To make it apply classification labels, run:

Set-AIPScannerConfiguration -ReportMode Disabled

The scan reports are written to:

%localappdata%\Microsoft\MSIP\Scanner\Reports
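The steps above collected into one PowerShell script, as an added example that is not from the original article. It uses only the cmdlets shown above plus the built-in ScheduledTasks cmdlets in place of the Task Scheduler GUI for step 6; the share path, task name, schedule, script path and service account name are assumed placeholders, and the final check (review a report-only run before labelling is switched on) is an extra precaution, not a step from the article.

```powershell
# Added example, not the article's own script. Run in an elevated PowerShell session
# on the scanner server, signed in as the AIP service account.
# All angle-bracket values and the UNC path, task name and account name are placeholders.

# 1. Authenticate the scanner with the token saved from the 'Sign in to your account' window.
$token = "<token_value>"
Set-AIPAuthentication -AppId "<WebAppId>" -AppKey "<WebAppKey>" -NativeAppId "<NativeAppId>" -Token $token

# 2. Register the repository to scan and make it the default.
$share = "\\Server\DataShare"   # assumed path; replace with your repository
Add-AIPScannerRepository -Path $share -DataState Enabled -SetAsDefault

# 3. Confirm the repository is registered before scheduling anything.
Get-AIPScannerRepository

# 4. Schedule the scan script under the service account (same settings as the GUI steps).
#    Assumed: task name, daily 02:00 trigger, script path and service account name.
$action  = New-ScheduledTaskAction -Execute "Powershell.exe" `
    -Argument '-NoProfile -WindowStyle Hidden -command "&{C:\Filename.ps1}"'
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask -TaskName "AIP Scanner" -Action $action -Trigger $trigger `
    -User "DOMAIN\svc-aipscanner" -Password (Read-Host "Service account password")

# 5. Keep report-only mode until at least one scan has produced a report you have reviewed,
#    then turn labelling on. Labelling changes files, so check what would be labelled first.
$reports = Join-Path $env:LOCALAPPDATA "Microsoft\MSIP\Scanner\Reports"
if ((Test-Path $reports) -and ((Get-ChildItem $reports).Count -gt 0)) {
    Get-ChildItem $reports | Sort-Object LastWriteTime -Descending | Select-Object -First 5
    Set-AIPScannerConfiguration -ReportMode Disabled
} else {
    Write-Warning "No scanner reports found yet; leave report-only mode on until a scan has run."
}
```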
