Azure Information Protection PowerShell Commands

Azure Information Protection provides an on-premises scanning component for applying protections to content stored within network shares or SharePoint document libraries and folders. The scanner is part of the unified labeling client and uses the same mechanisms as the client application for identifying and labeling content.

The scanner provides the ability to identify files that need labeling, contain sensitive information, apply labels, and include or exclude files and file types. You perform most of the configuration within the Azure Information Protection portal within the main Azure Portal.

https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/scannerProfilesBlade

However, you can utilize PowerShell for managing Azure Information Protection. You first need to be on the server you installed the Azure Information Protection Unified Client and Scanner to get started. From there, launch a PowerShell window as an administrator then you can import the PowerShell module.

Import-Module AzureInformationProtection

You may not need to load this module as it should automatically load when you launch PowerShell. However, if it is not, then you can load it manually. To check it is loaded, you can execute the following command:

 Get-Module AzureInformationProtection -ListAvailable

Once the module is loaded, all the PowerShell commands become available for execution. I am using a freshly installed Azure Information Protection Unified Client and Scanner with minimal configuration for this post.

Retrieve the current Azure Information Protection Scanner Configuration

Get-AIPScannerConfiguration

If the returned value for “OnlineConfiguration” returns “On,” it is configured as default, meaning it connects to the Azure Information Protection Service. Management of the policy when in this mode is done within the Azure Information Protection center. 

If the server is not allowed internet access, you can export the configuration.

Extracting the downloaded zip file allows you to modify the JSON document that contains the configuration.

Creating a Local Configuration for Azure Information Protection Scanner

With the configuration exported, you can start to make changes to allow the scanner to work offline. The first step is to set the scanner into offline mode.

Set-AIPScannerConfiguration -OnlineConfiguration Off

With this set, you can now modify the JSON file and import it into the scanner. Let’s say you make the following adjustments.

{
    "Timestamp": "2021-11-10T17:47:49.183Z",
    "Name": "Files",
    "DiscoveredInformationTypes": 1,
    "RecommendedAsAutomatic": true,
    "Schedule": 1,
    "Repositories": [
        {
            "Path": "\\\\10.0.0.7\\Files\\Labeled",
            "Enforce": true,
            "LabelFilesByContent": true,
            "RelabelFiles": true,
            "DefaultLabelType": 2,
            "DefaultLabelId": "8ed98c24-295c-4058-9ee4-68ef3d697eb6",
            "AllowLabelDowngrade": true,
            "PreserveDetails": false,
            "DefaultOwner": "Scanner",
            "ExcludeFileTypes": null,
            "IncludeFileTypes": null,
            "EnforceDefaultLabel": true,
            "EnableDLP": true,
            "RepositoryOwner": null
        }
    ]
}

You must save the changes into either the same JSON file or create a new one. We can then use the “Import-AIPScannerConfiguration” command to update the current configuration with the modified.

Import-AIPScannerConfiguration -FileName "C:\Files\Config.json"

If you execute the import and nothing seems to change, you might need first to run “Remove-AIPScannerContentScanJob.“

Once completed, you can rerun the import command.

Import-AIPScannerConfiguration -FileName "C:\Files\Config.json"

Resetting Azure Information Protection Scanner to Online

With the configuration set to offline, to revert to online, you rerun the same “Set” command enabling the online property.

Set-AIPScannerConfiguration -OnlineConfiguration On

Exporting the Azure Information Protection Logs

During the testing and management of the Azure Information Protection Scanner, you may need to get copies of the logs. Though you can navigate through the file structure, an effortless way is to export them using PowerShell.

Export-AIPLogs -FileName C:\Files\Logs.zip

Checking the Azure Information Protection Scanner

Often you need to check the scanner and its associated components. PowerShell is your go-to tool for this, providing commands for checking if it is working, connected correctly, and it’s status.

# Get the current status
Get-AIPScannerStatus

# Run dagnostics using "OnBehalfOf"
$creds = Get-Credential
Start-AIPScannerDiagnostics -OnBehalfOf $creds

# Retrieve scanner node details
$scanner = Get-AIPScannerStatus
$scanner.NodesInfo
$scanner.NodesInfo[0].Summary

# Resync the current schema from Microsoft 365 to the scanner
Update-AIPScanner

The Azure Information Protection scanner is an excellent tool for connecting on-premises locations to the cloud for sensitivity labeling and data loss prevention. PowerShell provides an easy way to manage this tool. I highly recommend you learn more about the scanner:

https://docs.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner