Scan file servers, network shares, and SharePoint with Azure Information Protection Scanner


 

With GDPR just around the corner (May 2018), organizations are heads down identifying data, creating compliance processes, and hiring additional resources to lead the compliance and reporting required by GDPR.

In a previous post I reviewed GDPR as well as the technologies and services Microsoft offers to assist with discovery, managing, protecting, and reporting on data.

For this post I’ll expand on the topic of scanning file servers and SharePoint servers using a the Azure Information Protection Scanner or AIP Scanner.

 

Scanning SharePoint Server and File Shares

Azure Information Protection includes a scanning tool called the Azure Information Protection scanner or AIP scanner.  The AIP scanner is used to comb through file shares and SharePoint and identity and/or classify + protect data.

 

The scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:

  • Local folders on the Windows Server computer that runs the scanner.

  • UNC paths for network shares that use the Common Internet File System (CIFS) protocol.

  • Sites and libraries for SharePoint Server 2016 and SharePoint Server 2013.

Source: https://docs.microsoft.com/en-us/information-protection/deploy-use/deploy-aip-scanner 

 

Once the AIP scanner is deployed, use it to report on information you’re looking for and when discovery is complete, run the AIP scanner and apply classification with or without protection across those files.

The classification labels and encryption policies come from the Azure Information Protection service in Azure.  Labels may be defined with or without encryption.  At a minimum I recommend all information at least be classified.  To learn more about creating classification labels using Azure Information Protection please visit: https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection

 

I won’t go through the details of installation process as it’s clearly documented in the link I provide below.  However, the output below is from a scan I completed using the AIP scanner against a few sample files.  The AIP scanner will look for specific information based on the AIP policies that are configured (e.g. credit card info, passport numbers, etc.).

clip_image001

For more information about the Azure Information Protection scanner please visit: https://docs.microsoft.com/en-us/information-protection/deploy-use/deploy-aip-scanner

 

Automation

To help with automating the AIP Scanner process I created a script to walk through each option.  Feel free to utilize, however keep in mind when new AIP scanner versions are released you may need to update the script to accommodate new features. I also make no guarantees so use at your own risk.

 

#AIP Scanner Script

#Created by Courtenay Bernier

 

 

$AIPScannerLogFiles = $env:LOCALAPPDATA + '\Microsoft\MSIP\Scanner\Reports'

 

#AIP scanner config

Write-Host ""

Write-Host 'AIP scanner configuration'

Write-Host ""

$ScanMode = Read-Host -Prompt 'ScanMode: Enforce | Discover'

$Type = Read-Host -Prompt 'ScanType: Incremental | Full'

$ReportLevel = Read-Host -Prompt 'ReportLevel: Off | Debug | Info | Error'

$Schedule = Read-Host -Prompt 'Scanner Runtime Schedule: OneTime | Continuous | Never'     

$JustificationMessage  = Read-Host -Prompt 'JustificationMessage: Free Text or leave blank'

 

Write-Host "The AIPScannerConfiguration options selected are: '$ScanMode', '$Type', $ReportLevel, $Schedule, $JustificationMessage"

 

Set-AIPScannerConfiguration -ScanMode $ScanMode -Type $Type -ReportLevel $ReportLevel -Schedule $Schedule -JustificationMessage $JustificationMessage

 

Write-Host ""

Write-Host 'This is the AIP Scanner Configuration set:'

Get-AIPScannerConfiguration

 

 

 

#AIP scanner repository

Write-Host ""

Write-Host 'AIP scanner repository'

Write-Host ""

$OverrideLabel = Read-Host -Prompt 'OverrideLabel: On | Off'

$SetDefaultlabel = Read-Host -Prompt 'SetDefaultLabel: UsePolicyDefault | On | Off'

$PreserveFileDetails = Read-Host -Prompt 'PreserveFileDetails: On | Off'

$DefaultOwner = Read-Host -Prompt 'Specify the default owner by: email address or leave blank'

 

do {$DLID = Read-Host -Prompt 'Add a default label ID by GUID? Yes or No' }

until ('yes','no' -contains $DLID)

 

if ($DLID -eq 'yes')

    {

        $DefaultLabelID = Read-Host -Prompt 'specify the label GUID found in the AIP label policy'

 

    }

elseif ($DLID -eq 'no')

    {

       Write-Host ""

       write-host "No default label ID was added"

       Write-Host ""

    }

 

 

#add file location

$Path = Read-Host -Prompt 'Fileshare or SPS Path: e.g. F:\Shares\FileShare or \\network\path or http://sp2013/Shared Documents'

Add-AIPScannerRepository $Path

Write-Host ""

 

 

#ask to add for more file locations

do {$answer = Read-Host -Prompt 'Would you like to add another file location? Yes or No'

 

if ($answer -eq 'yes')

    {

       $Path = Read-Host -Prompt 'Fileshare or SPS Path: e.g. F:\Shares\FileShare or \\network\path or http://sp2013/Shared Documents'  

  

       #add file location

       Add-AIPScannerRepository $Path

       Write-Host ""

 

    }

 

else

    {

       Write-Host ""

       write-host "No additional paths were added"

       Write-Host ""

       Write-Host "To remove repositories: use Remove-AIPScannerRepository share/sps path"

       Write-Host ""

       Get-AIPScannerRepository

       Write-Host ""

  

    }

}

Until ($answer -eq 'no')

 

 

#set AIP scanner repository

Write-Host ""

Write-Host 'Setting scanner repository config:'

Set-AIPScannerRepository -OverrideLabel $OverrideLabel -PreserveFileDetails $PreserveFileDetails -DefaultOwner $DefaultOwner -Path $Path -DefaultLabelId $DefaultLabelID -SetDefaultLabel $SetDefaultLabel

 

 

#show file location(s)

Get-AIPScannerRepository

Write-Host ""

 

 

#start AIP scanner service or abort

do {$answer = Read-Host -Prompt 'Are you ready to start the AIP Scanner Service? Yes or No' }

until ('yes','no' -contains $answer)

 

if ($answer -eq 'yes')

    {

       write-host "Starting AIP Scanner Service for ($ScanMode)"

       start-Service 'Azure Information Protection Scanner'

       Write-Host ""

  

       #Show last AIP events

       Write-Host "waiting for eventlogs to populate"

       Start-Sleep -s 15

       Get-EventLog -Newest 4 -LogName 'Azure Information Protection' | Format-List -Property *

       Write-Host ""

  

       #Open Scanner Report Folder

       explorer $AIPScannerLogFiles

       Write-Host ""

    }

elseif ($answer -eq 'no')

 

    {

       Write-Host ""

       write-host "Canceling AIP Scan"

       Write-Host ""

       Write-Host "To remove repositories: use Remove-AIPScannerRepository share/sps path"

       Write-Host ""

    }

 

 

Comments (0)

Skip to main content