Azure Information Protection scanner

Question

Has anyone used the Azure Information Protection scanner for scanning files on internal networks? We are looking to use this for identifying all Personally Identifiable Information (PII) to meet the General Data Protection Regulation that goes into effect May 25, 2018.

I am looking for feedback on anyone's experience with this.

Thanks, Roger

Answer 1

I have used the AIP Scanner (embedded in legacy 1.x client) for identifying PII data across CIFS based shares and SharePoint on-premise environments.

One more advantage of the scanner is that you can run it in Discovery mode where in you can pull up a report on matches instead of actually labeling the files.

Note:

1. The label setting in AIP Console should be having "automatic" to allow the AIP scanner to actually apply the label.
2. AIP Scanner is not yet GA in the new Unified Labeling Client (2.x) - where it talks to Security & Compliance Center
3. Current AIP Scanner cannot be extended w.r.t custom rules like in SCC where custom sensitive information types can be created.

Answer 2

The EMS (Enterprise Mobility+Security) team recently announced GA (general availability) of the AIP Scanner.

They are also introducing an AIP SDK that you can use to apply labels, classification and protection in custom developed software. (AIP SDK is currently in private preview). I also wrote a small blog post about this.

I have not used AIP Scanner in production-scale environments yet, but the labs and proof-of-concepts I have worked with shows great potential in this product.

Note that only the following data stores are supported:

• Network shares that use CIFS (SMB) and are exposed as UCN paths
• Local folders on the server (must be a Windows Server 2012R2/2016) that runs Azure Information Protection Scanner
• Libraries and sites on SharePoint 2016/13