Friday, 15 June 2018

Azure Information Protection Part III – AIP Scanner

The AIP scanner ships with the AIP client download. Once the AIP client is downloaded and installed, you can start installing and configuring the scanner. Before we start the installation, let's have a look at the requirements:
  • A Windows Server 2012 R2 or 2016 server to run the service (for test and demo purposes it can be installed on a Windows 10 machine)
  • A SQL Server 2012 or later instance, local or remote (any edition from Express upwards is supported)
  • The account that installs the scanner service needs the sysadmin role on that SQL instance
  • The scanner service account needs the Log on locally and Log on as a service rights
  • The AIP scanner is an Azure Information Protection Premium P2 / EMS E5 feature; for more details review this article:

A really good step-by-step description of installing and configuring the AIP scanner was written by Kevin McKinnerney and can be found here:

As Kevin's step-by-step guide shows, the scanner runs as a Windows service and authenticates to the AIP service with an application identity, so no user has to be signed in interactively for the scanner to work.
The scanner has two main configurations, both set with PowerShell:
  • Add-AIPScannerRepository or Set-AIPScannerRepository -> which locations are scanned and the conditions for each location
  • Set-AIPScannerConfiguration -> what the scanner does during the scan

Add-AIPScannerRepository

This cmdlet adds a so-called data repository to be scanned and creates a profile of settings for it. For example, you can specify a default label for unlabeled files and whether an existing label is overridden or not. Local folders, UNC paths, and SharePoint Server URLs for SharePoint sites and libraries can be specified. The scanner can handle more than one data repository, so a single scanner installation can cover a mix of local folders, UNC paths and SharePoint Server URLs, each with its own settings.
To change these settings, use the Set-AIPScannerRepository cmdlet; to remove a data repository, use the Remove-AIPScannerRepository cmdlet:
Set-AIPScannerRepository -Path C:\Temp2 -SetDefaultLabel UsePolicyDefault -MatchPolicy On

To review the settings, we can use Get-AIPScannerRepository. As you can see in my example I have configured two repositories with different settings:


The Set-AIPScannerConfiguration cmdlet configures the scanner itself. These settings include:
  • Discovery only, or apply labels (-Enforce Off or On)
  • Whether files are relabeled (yes or no)
  • Whether file attributes are changed (yes or no)
  • What is logged in the reports (-ReportLevel)
  • Whether the scanner runs once or continuously (-Schedule)
  • The justification message used when one is required
  • The Rights Management owner for protected files

Set-AIPScannerConfiguration -Enforce On -Schedule OneTime -Type Full -DiscoverInformationTypes All


A third cmdlet tells the scanner which file types should be scanned.
It sets a list of file types to scan or to exclude from scanning. To scan all file types, use *. To scan only specific file types, use *.<file name extension>. To exclude specific file types from scanning, use -*.<file name extension>. To reset the list back to the default, use @().

If no data repository is specified, the list applies to all data repositories that do not have their own list.
For more examples and details, review the official documentation:
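The following is an added example, not code from the original post, showing how the global and per-repository file-type lists interact. It assumes the Set-AIPScannerScannedFileTypes cmdlet of the scanner module that shipped with the AIP client at the time (with -ScannedFileTypes and an optional -Repository parameter); the paths and patterns are placeholders.

```powershell
# Added example (not from the original post). Assumes the scanner module's
# Set-AIPScannerScannedFileTypes cmdlet with -ScannedFileTypes / -Repository;
# repository paths below are placeholders.

# Global list: an exclusion-only list scans everything except the listed types.
# Large binary and archive files rarely carry classifiable text and would only
# add scan time and report noise.
Set-AIPScannerScannedFileTypes -ScannedFileTypes '-*.iso', '-*.vhdx', '-*.bak', '-*.log'

# Per-repository override: the SharePoint library only holds Office content, so
# restrict it to those types. A repository with its own list ignores the global
# list entirely, so the exclusions above do not apply here (they do not need to).
Set-AIPScannerScannedFileTypes -Repository 'http://sp01/sites/finance/Shared Documents' `
    -ScannedFileTypes '*.docx', '*.xlsx', '*.pptx', '*.pdf'

# Reset a repository back to the default, i.e. inherit the global list again.
Set-AIPScannerScannedFileTypes -Repository '\\fs01\hr' -ScannedFileTypes @()

# Check the effective repository settings before starting a scan.
Get-AIPScannerRepository | Format-List *
```

Keep the per-repository lists short: a repository that has its own list does not inherit the global exclusions, so anything you exclude globally for safety or performance has to be repeated there if it matters.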


The scanner is typically used in the following scenarios. Reports are written to %localappdata%\Microsoft\MSIP\Scanner\Reports. Note that this path resolves under the profile of the account the scanner service runs as, not under the profile of the admin who started the service, so look in the service account's profile folder.

Scan for sensitive information types
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2

#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce Off -Schedule OneTime -Type Full -DiscoverInformationTypes All

#Start Scan
Start-Service AIPScanner

Label / Protect files
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -DefaultLabelId ae7eaeb0-cfdf-4217-a895-32a6b41311d9 -MatchPolicy Off

#Configure Scan: apply the repository's default label to every file; no policy conditions are evaluated (MatchPolicy Off) and existing labels are replaced (OverrideLabel On)
Set-AIPScannerConfiguration -Enforce On -Schedule OneTime -ReportLevel Debug -Type Full

#Start Scan
Start-Service AIPScanner

Scan for sensitive information types and labels and protect files that match
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -MatchPolicy On

#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce On -Schedule OneTime -Type Full -DiscoverInformationTypes All

#Start Scan
Start-Service AIPScanner
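The three scenarios above are usually run in sequence: discover first, review the report, then enforce. The following runbook is an added example that is not part of the original post. It assumes the service is registered as AIPScanner (as in the scenarios), that the repository paths are placeholders, that the scanner writes its reports under the profile of the account the service runs as, and that the detailed report is a CSV whose rows carry an 'Information Types' column (the column name is an assumption about the 2018 report layout).

```powershell
# Added example (not part of the original post): discovery-first runbook that
# only switches the scanner to enforcement after the discovery result passes a
# threshold. Assumptions: service name 'AIPScanner'; placeholder repository
# paths; reports live under the service account's profile; the detailed report
# is a CSV with an 'Information Types' column (column name assumed).

param(
    [string[]] $Repositories = @('C:\Data\Finance', '\\fs01\hr'),  # placeholders
    [int]      $MaxHitsForAutoEnforce = 500,                       # review gate
    [int]      $ScanTimeoutHours = 4
)

# 1. Register the repositories; on re-runs "already exists" is expected and fine.
foreach ($repo in $Repositories) {
    try   { Add-AIPScannerRepository -Path $repo -ErrorAction Stop }
    catch { Write-Verbose "Repository '$repo' not added (probably registered already): $_" }
}

# 2. Discovery pass: -Enforce Off applies no labels, it only reports what the
#    policy would do. With -Schedule OneTime the service exits when the scan is
#    done, so 'Stopped' is the completion signal to wait on.
Set-AIPScannerConfiguration -Enforce Off -Schedule OneTime -Type Full `
    -DiscoverInformationTypes All -ReportLevel Info
Start-Service AIPScanner
(Get-Service AIPScanner).WaitForStatus('Stopped', [TimeSpan]::FromHours($ScanTimeoutHours))

# 3. Find the reports: %localappdata% means the service account's profile, so
#    resolve which account the service runs as and where its profile lives.
$svc   = Get-CimInstance Win32_Service -Filter "Name='AIPScanner'"
$logon = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"   # '.\svc' -> 'HOST\svc'
$sid   = (New-Object System.Security.Principal.NTAccount($logon)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$profilePath = (Get-CimInstance Win32_UserProfile -Filter "SID='$sid'").LocalPath
$reportDir   = Join-Path $profilePath 'AppData\Local\Microsoft\MSIP\Scanner\Reports'
$detailed    = Get-ChildItem $reportDir -Filter '*.csv' |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $detailed) { throw "No CSV report found in $reportDir" }

# 4. Review gate: how many files carry at least one detected information type?
$rows = @(Import-Csv $detailed.FullName)
$hits = @($rows | Where-Object { "$($_.'Information Types')".Trim() -ne '' })
Write-Host ("Discovery: {0} rows, {1} files with sensitive information types ({2})" -f
            $rows.Count, $hits.Count, $detailed.Name)
$hits | Group-Object 'Information Types' | Sort-Object Count -Descending |
        Select-Object Count, Name -First 10 | Format-Table -AutoSize

# 5. Enforce only when the result is within the agreed limit; otherwise a human
#    reviews the report first. -OverrideLabel Off keeps labels users applied by hand.
if ($hits.Count -gt $MaxHitsForAutoEnforce) {
    Write-Warning "Gate not passed ($($hits.Count) > $MaxHitsForAutoEnforce); review $($detailed.FullName) before enforcing."
    return
}
foreach ($repo in $Repositories) {
    Set-AIPScannerRepository -Path $repo -MatchPolicy On -OverrideLabel Off
}
Set-AIPScannerConfiguration -Enforce On -Schedule OneTime -Type Full -DiscoverInformationTypes All
Start-Service AIPScanner
```

The gate is deliberately conservative: a discovery run that finds far more sensitive files than expected usually means a mis-scoped repository or an over-broad condition, and enforcing at that point would label (and possibly encrypt) thousands of files in one go. -OverrideLabel Off is the safer default for the first enforcement pass because it never replaces a label a user chose deliberately.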

Related posts:

Monday, 21 May 2018

Azure Information Protection Part II – PowerShell

This article is an overview of the functions and scenarios for using PowerShell in the context of Azure Information Protection. Everything in this article is based on the official Microsoft documentation.
Microsoft has published a brilliant admin guide on using PowerShell with Azure Information Protection that contains all details and scenarios: Admin Guide: Using PowerShell with the Azure Information Protection client.


In Azure Information Protection, PowerShell can be used for:
  • Administering Azure Information Protection
  • Configuring the super user feature
  • Using Azure Information Protection (labeling and protecting files)
  • Working with the AIP scanner

Azure Information Protection has two PowerShell modules:
  • AADRM: These cmdlets are used to administer the protection service (Azure Rights Management) for Azure Information Protection.
  • AzureInformationProtection: These cmdlets are used to protect files, label files, and get information about files.

The first step is to install the AADRM PowerShell module: open PowerShell and run Install-Module -Name AADRM. For more details and requirements on installing the AADRM PowerShell module, read this article: Installing the AADRM PowerShell module
To get an overview of all cmdlets use: Get-Command -Module AADRM or look at this list: Cmdlets grouped by administration task
The AzureInformationProtection cmdlets are part of the Azure Information Protection client. These cmdlets can be used with Azure Information Protection, the protection service (Azure Rights Management), and Active Directory Rights Management Services (AD RMS).
To get an overview of all cmdlets use: Get-Command -Module AzureInformationProtection

Main scenarios and some examples

We can use PowerShell with AIP for classification and protection. Let's take a closer look at some typical scenarios:

Scenario 1: remove protection from files for others using your own account

In this scenario we need PowerShell to configure the super user feature, and your account must be made a super user for Azure Rights Management. To enable the super user feature, use the Enable-AadrmSuperUserFeature cmdlet; to add your user or a group, use the Add-AadrmSuperUser cmdlet. Anyone on that list can decrypt every file protected by the tenant's Azure Rights Management service, so keep the membership minimal, review it regularly with Get-AadrmSuperUser, and disable the feature again when it is not needed.

To get a complete overview about the super user feature in AIP refer to this official article: Configuring super users for Azure Rights Management and discovery services or data recovery
The super user feature is also needed when mailboxes must be indexed for search operations, and DLP solutions, CEG or anti-malware products can use a super user to inspect files that are protected by AIP.
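The following is an added example, not code from the original post, that does the recovery in scenario 1 in a time-boxed way: the feature and the membership are switched on only for the duration of the task and reverted afterwards. It assumes the AADRM and AzureInformationProtection modules are installed, that you are signed in as a tenant administrator and run the unprotect with that same account, that Get-AadrmSuperUserFeature returns the string 'Enabled' when the feature is on, and that the account and file path are placeholders.

```powershell
# Added example (not from the original post): time-boxed super user recovery.
# Assumptions: AADRM + AzureInformationProtection modules installed; you run
# this as the tenant admin whose own account is added as super user;
# Get-AadrmSuperUserFeature returns 'Enabled'/'Disabled'; placeholders below.

param(
    [string] $MyAccount = 'admin@contoso.example',      # placeholder: your own UPN
    [string] $File      = '\\fs01\legal\contract.docx'  # placeholder
)

Connect-AadrmService    # interactive admin sign-in, no credentials in the script

# Record the starting state so the finally block restores exactly that.
$featureWasEnabled = (Get-AadrmSuperUserFeature) -eq 'Enabled'
$alreadySuperUser  = @(Get-AadrmSuperUser) -contains $MyAccount

try {
    if (-not $featureWasEnabled) { Enable-AadrmSuperUserFeature }
    if (-not $alreadySuperUser)  { Add-AadrmSuperUser -EmailAddress $MyAccount }

    # The AIP client cmdlets act as the signed-in user; now that this user is a
    # super user the service hands out an owner use license for any tenant file.
    Unprotect-RMSFile -File $File -InPlace
    Get-RMSFileStatus -File $File
}
finally {
    # Revert, so the tenant-wide decrypt capability is not left switched on.
    if (-not $alreadySuperUser)  { Remove-AadrmSuperUser -EmailAddress $MyAccount }
    if (-not $featureWasEnabled) { Disable-AadrmSuperUserFeature }
    Write-Host 'Super users after cleanup:'
    Get-AadrmSuperUser
}
```

The super user right is evaluated by the service when the client requests a use license, and the client caches licenses, so if Unprotect-RMSFile fails immediately after the Add-AadrmSuperUser call, wait a moment and run the script again rather than leaving the feature enabled while you investigate.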

Scenario 2: protect or unprotect files without user interaction

The first step in this scenario is to connect to the Azure Rights Management service with the Connect-AadrmService cmdlet and sign in with your Azure Information Protection tenant administrator credentials.
To get an overview of the Azure Rights Management instance and to verify that the sign-in was successful, use Get-AadrmConfiguration. The result looks something like this:
In the next step we use PowerShell to list the available Rights Management templates (the protection settings behind the labels) with the Get-RMSTemplate cmdlet. In my example it looks like this:
Now we can do several things:
  • Protect a file: Protect-RMSFile -File C:\Test.docx -InPlace -TemplateId e6ee3481-26b9-45g5-b33a-f774escd43b0
  • Protect all files in a folder: Protect-RMSFile -Folder \\ServerABC\Docs -InPlace -TemplateId e6ee3481-26b9-45g5-b33a-f774escd43b0
  • Get the status of a file: Get-RMSFileStatus -File \\Server1\Documents\TestABC.docx
  • Remove protection: Unprotect-RMSFile C:\testDoc1.docx -InPlace
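For unattended use the bullet points above are usually wrapped into a script that selects the template by name instead of a pasted GUID, skips files that are already protected, and records the outcome per file. The following is an added example, not code from the original post or from Microsoft. It assumes the AzureInformationProtection module is loaded and a sign-in has been done (Connect-AadrmService, or Set-RMSServerAuthentication for a service principal when no user is present), that Get-RMSFileStatus returns an object with a Status property whose value is 'Protected' for protected files (an assumption about the object shape), and that the share, template name and owner address are placeholders.

```powershell
# Added example (not from the original post): protect every unprotected Office
# document below a share with a template chosen by display name.
# Assumptions: AzureInformationProtection module loaded and signed in;
# Get-RMSFileStatus exposes .Status = 'Protected' (assumed); placeholders below.

param(
    [string] $Root         = '\\fs01\finance\reports',        # placeholder
    [string] $TemplateName = 'Contoso - Confidential',        # placeholder
    [string] $OwnerEmail   = 'finance-owner@contoso.example'  # placeholder
)

# Resolve the template by name and refuse to guess on 0 or >1 matches: a wrong
# template silently grants the wrong people access.
$tpl = @(Get-RMSTemplate | Where-Object { $_.Name -eq $TemplateName })
if ($tpl.Count -ne 1) {
    throw "Expected exactly one template named '$TemplateName', found $($tpl.Count)"
}

$targets = Get-ChildItem -Path $Root -Recurse -File -Include *.docx, *.xlsx, *.pptx, *.pdf
$result  = foreach ($f in $targets) {
    $before = Get-RMSFileStatus -File $f.FullName
    if ($before.Status -eq 'Protected') {
        [pscustomobject]@{ File = $f.FullName; Action = 'skipped'; Detail = 'already protected' }
        continue
    }
    try {
        # -InPlace replaces the original; keep a backup if the share is not
        # versioned, because only the template's members can open it afterwards.
        Protect-RMSFile -File $f.FullName -InPlace -TemplateId $tpl.TemplateId `
            -OwnerEmail $OwnerEmail -ErrorAction Stop | Out-Null
        $after = Get-RMSFileStatus -File $f.FullName
        [pscustomobject]@{ File = $f.FullName; Action = 'protected'; Detail = $after.Status }
    }
    catch {
        [pscustomobject]@{ File = $f.FullName; Action = 'failed'; Detail = $_.Exception.Message }
    }
}

# Summary first, then the per-file detail for everything that was touched.
$result | Group-Object Action | Select-Object Name, Count
$result | Where-Object Action -ne 'skipped' | Format-Table -AutoSize
```

Setting -OwnerEmail to a real, monitored mailbox matters more than it looks: the Rights Management owner always retains full control of the file, so a script that runs as a service principal should not leave that ownership with the automation identity.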

Related posts:

Thursday, 10 May 2018

Azure Information Protection Part I – Overview

Azure Information Protection, also known as AIP, is an Azure solution that helps an organization classify, label and protect its content and emails. This can be done automatically through rules and conditions defined by administrators, manually by users, or as a combination where users are given recommendations.
The following picture shows the overall solution and components:
  1. Azure Information Protection is a service in Azure
  2. You can download 3 different clients:
    • AzInfoProtection.exe: the client installer
    • AzInfoProtectionScanner: classifies and protects documents stored on file shares and on-premises SharePoint servers
    • AzInfoProtectionViewer: opens and displays protected files
  3. Policies are configured in the Azure portal or with PowerShell. A policy is assigned to a user or group
  4. PowerShell can also be used to work with AIP
  5. Some Office clients and servers offer native support for AIP
    • Clients: Word, Excel, PowerPoint, Outlook
    • Servers: Exchange, SharePoint
  6. Labels are applied to documents and files. A label can contain different permission levels or specify individual usage rights
A very good starting point is the quick start tutorial for Azure Information Protection. It gives a clear overview of the configuration and settings in AIP.
More details can be found on the official Microsoft websites:
The missing piece in the quick start tutorial for Azure Information Protection is an overview of how policies and labels work together.


Policies host administrative settings, for example:
A policy must be applied to a user or a group and does not contain any permissions.


A label contains different permission levels or specifies individual usage rights from this list:
  • View, Open, Read (VIEW)
  • View Rights (VIEWRIGHTSDATA)
  • Edit Content, Edit (DOCEDIT)
  • Save (EDIT)
  • Print (PRINT)
  • Copy (EXTRACT)
  • Reply (REPLY)
  • Reply All (REPLYALL)
  • Forward (FORWARD)
  • Change Rights (EDITRIGHTSDATA)
  • Save As, Export (EXPORT)
  • Allow Macros (OBJMODEL)
  • Full Control (OWNER)

Protecting content

Depending on the policies assigned to them, users can choose between different labels to protect a document or file.

Related posts

Wednesday, 2 May 2018

GDPR modifications and what it means to Office 365 and Azure

The EU made some changes to the GDPR just 4 weeks before it comes into force. The changes are mostly spelling corrections and legal details. The good news for everyone using the English text version: no changes with impact on IT, Office 365 or Azure.

Amendment of the GDPR and its impact on Office 365 and Azure

Four weeks before the GDPR comes into force on 25 May 2018, final changes were made. The changes mainly concern spelling and grammar errors and wording that is primarily relevant to lawyers.
In Article 32(1), for example, the text now reads, instead of:
  • OLD: ... these measures shall include, inter alia, the following: ...
  • NEW: ... these measures shall include, inter alia, as appropriate, the following: ...
From the point of view of Office 365 and Azure, such changes make no difference.

The only amendment that actually has an effect concerns Article 28(3)(g). It deals with processing on behalf of a controller, which is exactly what happens with Office 365 and Azure.
Article 28(3)(g) now reads, instead of:
  • OLD: ... at the choice of the controller, deletes or returns all the personal data after the end of the provision of services relating to processing, unless Union or Member State law requires storage of the personal data ...
  • NEW: ... at the choice of the controller, deletes or returns all the personal data after the end of the provision of services relating to processing, and deletes existing copies, unless Union or Member State law requires storage of the personal data ...

Since the Microsoft Online Services Terms have always regulated this in exactly this way, there is no need for Office 365 and Azure customers to take action.

Friday, 27 April 2018

UPDATE - GDPR/DSGVO Field Guide for Office 365 & Azure

An updated version of the "GDPR/DSGVO Field Guide for Office 365 & Azure" is available!
Download the English version of the whitepaper for free: LINK
Free download of the German version of the whitepaper: LINK

Sunday, 18 February 2018

What comes next is the future – Microsoft Prognosis 2018

The new year has just started. High time to look at what 2018 will bring our way in the Microsoft ecosystem.
This article covers:
  • Hot topics and trends 2018
  • Trend topics around collaboration and communication
  • Teams will replace SharePoint as frontend in many places
  • The renaissance of email
  • AI, Machine Learning & Bots
  • Is Hybrid the new on-prem?
  • It has never been easier and more economical to integrate external users
  • GDPR is coming
  • Office 365, Dynamics 365, Bing for Business, LinkedIn and where else the journey is heading
Download the English version of the article for free: LINK

The year 2018 is already a few days old. High time to look at what is happening in the Microsoft ecosystem.
  • Hot topics and trends 2018
  • Trend topics around collaboration and communication
  • Teams will replace SharePoint as the frontend in many places
  • The renaissance of email
  • AI, machine learning & bots
  • Is hybrid the new on-prem?
  • It has never been easier and cheaper to integrate external users
  • The GDPR is coming
  • Office 365, Dynamics 365, Bing for Business, LinkedIn and where else the journey is heading

Free download of the German version of the article: LINK
(An online version of the article is also available here: Part 1 | Part 2)

Tuesday, 2 January 2018

Some insights into the new App Launcher in Office 365

Microsoft released a new version of the Office 365 App Launcher (version 3). Besides a major change to the user experience, Microsoft also changed some things in the backend.

All info about the new experience can be found in this Microsoft post: New Office 365 app launcher and help you be more productive on the web

The "old" App Launcher needed an Exchange Online subscription for each user so that the user could personalize the App Launcher, because the App Launcher settings were stored in the user's mailbox: in the PR_ROAMING_DICTIONARY property of the IPM.Configuration.Suite.Storage item in the root folder of the mailbox. The content is JSON; the settings are located in the Suite/AppsCustomizationDataTEST value and the property is called PinnedApps.

Scott Bueffe posted a detailed description of this here: How to pin custom app tiles on behalf of your users in Office 365

With the new version, Microsoft changed where this information is stored. It is no longer located in the user's Exchange mailbox; as of now there is no documentation about where the settings are stored instead.

As a result, a user no longer needs an Exchange Online mailbox to customize the default apps in the App Launcher.