Configuring on-premises labeling – Microsoft SC-400 Certification

The AIPService PowerShell module is utilized for the installation and configuration of the unified labeling scanner. This module is traditionally installed on a server that will act as the unified labeling scanner within the infrastructure. Please note that the PowerShell module is installed automatically during the AIPService installation.

Unified labeling scanner install

After ensuring that all the prerequisites have been met, it will be possible to install the unified labeling scanner by completing the following steps:

  1. Log in to the Windows server that will be used as the on-premises scanning server.
  2. Run the unified labeling client install on the server.
  3. Once the install is complete, start PowerShell as an Administrator for elevated permissions.
  4. Utilize the following cmdlet from the AIPService PowerShell module to install the AIP scanner:

Install-AIPScanner -SqlServerInstance <name> -Cluster <cluster name>

  5. Confirm that the installation succeeded: in the Services administrative tool, check that the Azure Information Protection Scanner service is present and that it is configured to run as the scanner service account you created.

At this stage, the unified labeling scanner should be installed on the server and connected to the SQL server. The following steps explain how to connect the service to the Azure environment by using an Azure AD token.

Obtaining an Azure AD token

You will be required to complete the following steps to acquire an Azure AD token for the unified scanner:

  1. In the Azure portal, type App Registrations and select this service.
  2. Click on New Registration.
  3. Type in a relevant name.
  4. Choose a Supported account type. You also have the option of leaving this as the default option.
  5. Configure the redirect URL to https://localhost.
  6. Click on Register.
  7. Make a note of the Application (client) ID value, as we will need this in a later step.
  8. Click on the Certificates & Secrets option.
  9. Browse to Client Secrets, and then select New client secret.
  10. Enter a description and select the expiration interval.
  11. Make a copy of the new secret to a safe and secure location. Please note that this value is only displayed once so you need to ensure you make a copy and store it.
  12. Click Add.
  13. Browse to API permissions.
  14. Click on Add permission.
  15. Choose Azure rights management services > application permissions.
  16. Expand content permissions.
  17. Choose Content.DelegatedReader and Content.DelegatedWriter.
  18. Choose Add permission.
  19. Choose + Add a permission > APIs my organization uses.
  20. Browse for Microsoft Information Protection Sync Service.
  21. Click on Microsoft Information Protection Sync Service > Application Permission.
  22. Choose content permissions.
  23. Choose UnifiedPolicy.Tenant.Read.
  24. Choose Add permission.
  25. Choose Grant admin consent.
  26. Browse to Azure Active Directory.
  27. Copy the Tenant ID value to a notepad.
  28. Start the PowerShell session by utilizing the AzureInformationProtection module. Use the following cmdlet:

Set-AIPAuthentication -AppId <ID of the registered app> -AppSecret <client secret string> -TenantId <your tenant ID> -DelegatedUser <Azure AD account>
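The following script is an added example, not part of the original article or of Microsoft's tooling. It automates the check from step 5 of the scanner install and then runs the Set-AIPAuthentication call above with the client secret read from a prompt instead of typed on the command line. The function name Test-ScannerService, the variable names, and the display-name filter (taken from the service name given in step 5) are assumptions; the angle-bracket values are placeholders to fill in.

```powershell
# Added example. Values in angle brackets are placeholders, as in the article.
$ExpectedAccount = '<DOMAIN\scanner service account>'   # account created for the scanner
$AppId           = '<ID of the registered app>'
$TenantId        = '<your tenant ID>'
$DelegatedUser   = '<Azure AD account>'

# Hypothetical helper: verifies the scanner service the way step 5 does by hand.
function Test-ScannerService {
    param([Parameter(Mandatory)][string]$Account)

    # Locate the service by the display name shown in the Services tool.
    $svc = Get-CimInstance -ClassName Win32_Service `
               -Filter "DisplayName LIKE 'Azure Information Protection Scanner%'" |
           Select-Object -First 1
    if (-not $svc) {
        Write-Warning 'Scanner service not found; check the Install-AIPScanner output.'
        return $false
    }

    # StartName is the logon account. Windows may report it as DOMAIN\user or
    # user@domain, so write $ExpectedAccount in the form shown in Services.
    if ($svc.StartName -ne $Account) {
        Write-Warning "Service runs as '$($svc.StartName)', expected '$Account'."
        return $false
    }

    Write-Host "Found '$($svc.DisplayName)' running as $($svc.StartName) (start mode: $($svc.StartMode))."
    return $true
}

if (Test-ScannerService -Account $ExpectedAccount) {
    # Prompt for the secret so it is not typed on the command line and
    # therefore stays out of the PSReadLine history file.
    $secure = Read-Host -Prompt 'Client secret' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        # -AppSecret expects a plain string, so decrypt only for this call.
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        Set-AIPAuthentication -AppId $AppId -AppSecret $plain `
            -TenantId $TenantId -DelegatedUser $DelegatedUser
    }
    finally {
        # Wipe the unmanaged copy and drop the plaintext variable.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable -Name plain -ErrorAction SilentlyContinue
    }
}
```

Run it from the elevated PowerShell session on the scanner server. A mismatch on the logon account stops the script before the secret is requested.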

Once these steps have been followed and are complete, the scanner will have an Azure AD token and will be enrolled as an app in the Azure tenant. We will now take a look at monitoring label performance by utilizing label analytics.
