There is a current bug that has been filed with Microsoft that relates to the AIP/MIP scanner and running a Unified Labeling content scan on premises. The main issue is with the Security and Compliance Center replicating the policies that you create for your Sensitivity Labels in your M365 tenant.
Since these Policies will not replicate, your content scans will fail and you will see the following error within the Azure Portal under Azure Information Protection:
You will be able to verify that the Policies are present in the Security and Compliance Center under the Information Protection page and the Policies Page in Azure Information Protection:
NOTE: I had created my labels and label policies in Azure AIP and migrated them to Security and Compliance Center via the following LINK
What you will also notice, if you create a policy in SCC, it will NOT replicate to Azure.
Next, I checked to see if the AIP Scanner service account has the policies applied to it as a member recipient of the policies. It needs to, so that the account can apply labels on premises through the policy.
Let’s continue troubleshooting…
The AIP Scanner account is a member of a defined policy in the Security & Compliance Center and you are still having issues:
- Is the AIP Scanner service started?
- If the answer is no, start it
- From PowerShell run the following:
# Show the scanner's current state (scanning, idle, errors) on this node
Get-AIPScannerStatus | Format-List
It says it is scanning, but you are not getting results AND you have that "Error: Policy is missing" statement in the Nodes tab of AIP.
The next thing to verify is whether or not the policy is replicating from SCC to Azure. This is done through PowerShell by running the following:
Connect to SCC PowerShell:
# Prompt for the credentials of an account that can read label policies
$UserCredential = Get-Credential
Write-Host "Connecting to your Security and Compliance Center PowerShell Console"
# Open a remote session against the Security & Compliance Center endpoint
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the SCC cmdlets (Get-LabelPolicy and friends) into the local session
Import-PSSession $Session -DisableNameChecking
Check the policy replication status:
# DistributionStatus tells you whether the policy has been pushed out; the timestamps tell you how long it has been waiting
Get-LabelPolicy | Select-Object Name,DistributionStatus,WhenCreated,WhenChanged | Format-List
Normal replication takes up to 24 hours for a change or policy addition. So, if your WhenChanged or WhenCreated values are more than 24 hours old, then the policies are NOT replicating. You can further verify this by running the following:
# Per-location distribution results and the time of the last status update for one policy
Get-LabelPolicy -Identity "Name of your Policy" | Format-List DistributionResults,LastStatusUpdateTime
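The replication check above can be turned into a single script that flags any policy that has been sitting undistributed for longer than the 24-hour window. This is an added example, not code from the original post; it assumes the SCC session has already been imported (so Get-LabelPolicy resolves) and that a DistributionStatus other than "Success" means the policy is still in flight.

```powershell
# Added example: report label policies whose distribution looks stuck.
# Assumes an imported Security & Compliance Center PowerShell session.
param(
    [int]$MaxReplicationHours = 24   # replication window cited in the post
)

$now    = Get-Date
$cutoff = $now.AddHours(-$MaxReplicationHours)

$report = Get-LabelPolicy | ForEach-Object {
    $policy = $_
    # Assumption: anything other than 'Success' means the policy has not finished distributing.
    $pending = $policy.DistributionStatus -ne 'Success'
    # The later of WhenCreated/WhenChanged is when the most recent change was submitted.
    $lastChange = if ($policy.WhenChanged -gt $policy.WhenCreated) { $policy.WhenChanged } else { $policy.WhenCreated }
    # Stuck = still pending AND the change is older than the replication window.
    $stuck = $pending -and ($lastChange -lt $cutoff)

    [pscustomobject]@{
        Name               = $policy.Name
        DistributionStatus = $policy.DistributionStatus
        LastChange         = $lastChange
        HoursSinceChange   = [math]::Round(($now - $lastChange).TotalHours, 1)
        Stuck              = $stuck
    }
}

$report | Format-Table -AutoSize

# For anything flagged, pull the detail you would attach to a support case.
foreach ($p in ($report | Where-Object Stuck)) {
    Write-Warning "Policy '$($p.Name)' has been '$($p.DistributionStatus)' for $($p.HoursSinceChange) hours."
    Get-LabelPolicy -Identity $p.Name | Format-List DistributionResults, LastStatusUpdateTime
}
```

Run it as a .ps1 after the Import-PSSession step; a policy that shows as Stuck with an old LastStatusUpdateTime is the replication failure the post describes, and the DistributionResults output is what Microsoft support will ask for.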
What do I do next?
If you have this error, it would be best to log a support call with Microsoft and explain that you have the AIP UL Policy Replication Error. From my sources they are saying this is a known issue with the SCC and Azure that will be remediated by the end of October.
So, in the meantime, I guess we will wait!
After troubleshooting this issue with some of my Microsoft colleagues, I was able to get the scanner to start scanning properly without the error being listed in the Azure Portal. Here are the steps.
On the scanner node, right-click a file or folder and choose to protect it:
Next, within the AIP Application, choose Help and Feedback
Next, choose Reset Settings
Once completed, click Close, then exit the AIP application. This clears all the registry settings within the scanner node.
Now you will want to reset all the local files for the scanner.
First, stop the scanner services for the scanner and network discovery.
Next, navigate to the following folder for the local account that is used for the AIP scanner. Example – C:\Users\AIPScanner\AppData\Local\Microsoft\MSIP
Rename or delete the MIP folder in that MSIP directory.
(I renamed my folder to mip-old2)
Restart the services you stopped.
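The stop / rename / restart steps above can be scripted so the reset is repeatable on every scanner node. This is an added example, not the original post's or Microsoft's code; it assumes the scanner runs under the local account named in $ScannerAccount (the post's example uses AIPScanner) and that the scanner and network discovery services both have display names starting with "Azure Information Protection", which is how they are matched rather than by hard-coded service names. Run it elevated on the scanner node.

```powershell
# Added example: reset the AIP scanner's local MIP state on this node.
# Assumptions: $ScannerAccount is the scanner's local service account; both AIP services
# have display names beginning "Azure Information Protection".
param(
    [string]$ScannerAccount = 'AIPScanner',   # from the post's example path
    [string]$BackupSuffix   = 'old'
)

$msipDir = Join-Path "C:\Users\$ScannerAccount\AppData\Local\Microsoft" 'MSIP'
$mipDir  = Join-Path $msipDir 'MIP'

# 1. Stop the scanner and network discovery services.
$services = Get-Service -DisplayName 'Azure Information Protection*' | Where-Object Status -eq 'Running'
if (-not $services) { Write-Warning 'No running AIP services found; check the scanner install.' }
foreach ($svc in $services) {
    Write-Host "Stopping $($svc.DisplayName)"
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# 2. Rename (rather than delete) the MIP folder so the old state can be restored if needed.
if (Test-Path $mipDir) {
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $newName = "mip-$BackupSuffix-$stamp"
    Rename-Item -Path $mipDir -NewName $newName
    Write-Host "Renamed MIP folder to $newName"
} else {
    Write-Warning "MIP folder not found at $mipDir; nothing to reset."
}

# 3. Start the services again; the scanner rebuilds its local state on the next start.
foreach ($svc in $services) {
    Write-Host "Starting $($svc.DisplayName)"
    Start-Service -Name $svc.Name
}

# 4. Confirm the scanner reports a healthy state before checking the Azure Portal.
Get-AIPScannerStatus | Format-List
```

Keeping the renamed folder gives you a way back if the reset does not help, and the timestamp in the name means repeated runs never collide with an earlier backup.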
You should now see the scanner as Running and Working within the Azure Portal. No more errors should be listed.
Thanks to Angel Marroquin at Microsoft for the assistance on this workaround!