Use Azure Information Protection Scanner to Classify and Protect Content in File Shares & SharePoint Sites

What is AIP?

Azure Information Protection (AIP) helps organizations classify and protect documents and emails. Its labels and protection templates can be applied automatically based on certain conditions, or manually by users and administrators. When a document or email is labelled, and optionally protected, access to it can be controlled. An administrator and/or document owner can track and revoke access, and analyse data flows to gain insight into the movement of protected documents.

What does it look like?

Once a document is labelled & optionally protected, certain visual markings are added as illustrated below:
AIP Screenshot Visual Marking

How to classify and (optionally) protect?

You will need a subscription to Azure Information Protection, and label policies with classification and, optionally, protection configured. With the Azure Information Protection client, end users can consume these policies to classify and protect documents and emails on their workstations. For those using Microsoft Office, an AIP add-in is available that makes classifying and protecting a breeze.

Can AIP be used to protect on-premises data?

Short Answer: YES!!!

While AIP makes it possible for organizations to enforce policies that mandate all documents and emails to be classified, and optionally protected, at create/modify time going forward, the real question that bothers InfoSec teams is how to classify and protect the existing documents spread across multiple data repositories. Mostly, these data repositories are file shares and SharePoint sites. Well, there is a solution for that too!

What is it, you ask?

Short Answer: Microsoft AIP Scanner

So, what exactly does the scanner do? In principle, it is quite simple:

  • You tell the scanner what location(s) to scan and what ‘rules’ to apply based on certain conditions.
  • The scanner then runs across existing content, does what it has been told and optionally continues to monitor the locations.
  • You are all set!

This scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:

  • Local folders on the Windows Server computer that runs the scanner.
  • UNC paths for network shares that use the Server Message Block (SMB) protocol.
  • Sites and libraries for SharePoint Server 2016 and SharePoint Server 2013.

The Microsoft AIP scanner lets you run a scan in either Discover mode or Enforce mode.

In Discover mode, it only discovers sensitive data for you.
In Enforce mode, it enforces protection on the documents.

All you have to do is run a couple of PowerShell cmdlets to add scanner repositories, set scanner configurations and start the scan.
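
The three steps named above (add repositories, set the configuration, start the scan) as an added PowerShell example; it is not from the original article or from Attosol's tool. It assumes the classic scanner cmdlets from the AzureInformationProtection module, whose parameters vary between scanner versions, and the repository paths are constructed placeholders.

```powershell
# Added example, not from the original article or from Attosol's tool.
# Assumes the classic AIP scanner is already installed and authenticated on
# this server and that the session is elevated. Parameter sets differ between
# scanner versions, so check Get-Help for the version you run.
param(
    [string[]]$Repository = @(
        '\\fileserver01\Finance',                  # constructed SMB share
        'http://sp2016.example.local/sites/hr'     # constructed SharePoint site
    ),
    [switch]$Enforce   # omit for Discover mode (report only, no changes)
)

Import-Module AzureInformationProtection -ErrorAction Stop

# 1. Add scanner repositories (local folder, UNC path or SharePoint URL).
foreach ($path in $Repository) {
    Add-AIPScannerRepository -Path $path
}
Get-AIPScannerRepository          # confirm exactly what the scanner will touch

# 2. Set the scanner configuration: Discover (-Enforce Off) or Enforce (-Enforce On).
$mode = if ($Enforce) { 'On' } else { 'Off' }
Set-AIPScannerConfiguration -Enforce $mode -ReportLevel Info
Get-AIPScannerConfiguration       # verify the mode before anything runs

# 3. Start the scan.
Start-AIPScan
```

Run it without `-Enforce` first and review the scanner's reports; re-run with `-Enforce` only once the discovered matches look right, since Enforce mode modifies the files it labels and protects.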

It's all PowerShell. You need to run multiple commands and check in several places for scan results, events and so on. In short, it is a time-consuming activity. Unluckily for system admins, there is no GUI tool available for the AIP Scanner.

So, how can Attosol's AIP Scanner help?

Wouldn't it be good if there was a GUI tool where all changes could be controlled from a single pane? Wouldn't it be good if you could run custom scans for certain repositories rather than all of them? What if the GUI could provide a single control panel? Add locations, change scanner configuration, start/stop scan, view reports, all from a single pane!

If that is what you were looking for, we have a solution for you. We've created a wrapper that puts a UI on top of the AIP Scanner and makes the common tasks easier for you.

You can use our AIP Scanner UI to:

  • Work with AIP Scanner using a GUI
  • View current scan settings
  • Change scan settings
  • Start a scan
  • Do a custom scan (which is very tedious to do directly using PowerShell and prone to error)
  • View reports

View Github Repository

Download from Github


We hope this tool saves your precious time.

Enjoy!


Noble Varghese

Consultant - Security, Messaging & Collaboration

Bangalore, India
