
Enterprise Mobility + Security


Hi everyone!

We mentioned the Azure Information Protection scanner in our Ignite blog and demonstrated how it works in this Ignite session. We’re very excited to announce that the feature is now available in public preview. We hope that this helps you manage and protect your significant on-premises data and prepare you for regulations such as GDPR.

We released Azure Information Protection (AIP) in October of 2016, providing the ability to define a data classification taxonomy and have that set of information business rules applied to emails and documents. We call this CLP (Classify, Label and Protect) which ensures that your information is appropriately managed throughout its lifecycle – regardless of where it is stored or shared.

This works great from “deployment forward”, but we also recognize that you have significant amounts of existing data, and you have asked how we can help you with that. You asked us to help discover, label and protect existing files to ensure all sensitive information is appropriately managed, and to help…

  • Discover sensitive data that is stored in existing repositories when planning data-migration projects to cloud storage to ensure toxic data remains in place.
  • Discover data that includes personal data and learn where this data is stored, to help meet regulatory and compliance needs, e.g. EU-GDPR.
  • Leverage existing metadata that was applied on files using other solutions.

These were all fair asks, and today we’re taking our first step to deliver on them!

We are excited to introduce the Azure Information Protection scanner in public preview.

So, what exactly does the scanner do? In concept, it is quite simple: You tell the scanner what locations to scan and what ‘rules’ to apply based on certain conditions. The scanner then runs across existing content and optionally continues to monitor the locations.

The scanner is now available in public preview as part of our latest client. This version of the scanner can be run against CIFS based file locations and SharePoint Server (2013/16), and either report on or apply the policies you define. You can also optionally configure the scanner to operate continuously against the defined locations.

Azure Information Protection scanner

The scanner crawls files stored in CIFS based storage locations (such as Windows File servers & NAS devices) and SharePoint Server* sites, and uses the AIP policies configured to determine the classification. You can then choose to apply appropriate labels and associated configuration (such as protection) or generate a report on how the data was classified and labeled.

*Note: You may wonder why we do not include SharePoint Online or other cloud repositories. We have designed the AIP scanner as an on-premises solution. Cloud repositories such as SharePoint Online and Exchange Online have existing data scanning capabilities using Office 365 DLP. For cloud repositories such as Box we offer data scanning capabilities using Microsoft Cloud App Security.

A common concern with a scanner is the changing of file attributes such as Author, Date Modified and the archive flag. We have worked hard to ensure that the scanner preserves the existing file attributes and metadata. However, as with anything that may make changes to a large volume of documents, please take into account the impact on the underlying infrastructure and on operational processes like backups and archival.

Once the scanner has completed the inventory and scanning of documents, the results can help you to identify data that falls under specific regulations and compliance requirements, such as GDPR, and choose what gets migrated to the cloud or remains on-premises.

Experience the Azure Information Protection scanner

After downloading the preview bits, just install the scanner on a Windows Server, and let it crawl through files in your repositories and apply your information protection policy. We have created a handy step-by-step guide in our Docs so you know exactly what to do. You can also install the scanner on a Windows client for testing and demo purposes using the same set of instructions.

Not ready to actively label files? You can still try out the scanner because the guide takes you through running the scanner in “what if” mode first. This still scans the documents but will only report on what would happen if you proceed to active labeling and protection.

What do you need to know?

  • When the feature is generally available, it’ll require any active user that authors content in repositories scanned by the scanner to be licensed for AIP P2 or EMS E5.
  • You can scan any CIFS based file repositories or SharePoint Server 2013/2016 document libraries.
  • You can run the scanner in report mode or “Label and protect” mode.
  • The scanner uses the Azure Information Protection policy you have configured in the Azure portal and will extract all “automatic” conditions and use them to identify content in the scanning process.

Summary

We hope the work we have done on our scanner helps you with your Information Protection journey and you have what you need for testing, planning and deployments. We welcome your commentary and feedback and know this can be a lot to absorb. We are here to help! Engage with us on Yammer or Twitter and let us know what’s important to you by voting on UserVoice!

It really is very easy to get started with Azure Information Protection. We have a lot of information available to help you, from great documentation, to engaging with us via Yammer and email. What are you waiting for? Get to it!