https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/deploy-aip-scanner-prereqs<\/strong><\/a><\/p>\n\n\n\n
For the basics we have the following:<\/p>\n\n\n\n
The prerequisites below are still required for successful AIP scanner installation.<\/p>\n\n\n\n
- A Windows Server 2012 R2 or greater Server to run the service
- Minimum 4 CPU and 4GB RAM physical or virtual.
NOTE: More RAM is better<\/strong>. The scanner will allocate RAM 2.5-3 times of size of all files being scanned in parallel. Thus, if you scan 40 files that are 20MB each at the same time, it should take about 202.5<\/em>40=2GB RAM. However, if you have one big 1GB file it can take 3GB of RAM just for that file.
<\/li><\/ul><\/li>- Internet connectivity necessary for Azure Information Protection<\/li>
- A SQL Server 2012+ local or remote instance (Any version from Express or better is supported)<\/em><\/strong>
- Sysadmin role needed to install scanner service (the user running Install-AIPScanner, not the service account)<\/em>
NOTE: If using SQL Server Express, the SQL Instance name is ServerName\\SQLExpress.
<\/strong>
NOTE: At this time, a different SQL instance is needed for each AIP Scanner node.<\/strong>
<\/li><\/ul><\/li>- Service account created in On Premises AD (I will call this account AIPScanner in this document).
- Service requires Log on locally<\/strong> right and Log on as a service<\/strong> right (the second will be given during scanner service install).<\/li>
- Service account requires Read permissions<\/strong> to each repository for discovery<\/strong> and Read\/Write permissions<\/strong> for classification\/protection<\/strong>.
<\/li><\/ul><\/li>- AzInfoProtection_UL.exe<\/strong> is available on the Microsoft Download Center<\/strong><\/a> (The scanner bits are included with the AIP Client)<\/li>
- The Azure AD Preview PowerShell module. From the machine you’re installing AIP Scanner on, run the following from an Administrator PowerShell:<\/li><\/ul>\n\n\n
Install-Module AzureADPreview<\/pre>\n\n\n\n
Configure the scanner in the Azure portal<\/h2>\n\n\n\n
Before you install the scanner, or upgrade it from an older general availability version, configure or verify your scanner settings in the Azure Information Protection area of the Azure portal.<\/p>\n\n\n\n
To configure your scanner:<\/p>\n\n\n\n
- Sign in to the Azure portal<\/a> with one of the following roles:
- Compliance administrator<\/strong><\/li>
- Compliance data administrator<\/strong><\/li>
- Security administrator<\/strong><\/li>
- Global administrator<\/strong>
Then, navigate to the Azure Information Protection<\/strong> pane. For example, in the search box for resources, services, and docs, start typing Information<\/strong> and select Azure Information Protection<\/strong>.
<\/li><\/ul><\/li>- Create a scanner cluster<\/a>. This cluster defines your scanner and is used to identify the scanner instance, such as during installation, upgrades, and other processes.<\/li>
- Scan your network for risky repositories<\/a>. Create a network scan job to scan a specified IP address or range, and provide a list of risky repositories that may contain sensitive content you’ll want to secure. Run your network scan job and then analyze any risky repositories found<\/a>.<\/li>
- Create a content scan job<\/a> to define the repositories you want to scan.<\/li><\/ol>\n\n\n\n
Create a scanner cluster<\/h3>\n\n\n\n
- From the Scanner<\/strong> menu on the left, select Clusters<\/strong>
![\"clusters](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/i-clusters.png\")
.<\/li>- On the Azure Information Protection – Clusters<\/strong> pane, select Add<\/strong>
![\"add](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/i-add.png\")
.<\/li>- On the Add a new cluster<\/strong> pane, enter a meaningful name for the scanner, and an optional description. The cluster name is used to identify the scanner’s configurations and repositories. For example, you might enter Europe<\/strong> to identify the geographical locations of the data repositories you want to scan. You’ll use this name later on to identify where you want to install or upgrade your scanner.<\/li>
- Select Save<\/strong>
![\"save](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/qs-tutor\/save-icon.png\")
to save your changes.<\/li>- On the Add a new cluster<\/strong> pane, enter a meaningful name for the scanner, and an optional description. The cluster name is used to identify the scanner’s configurations and repositories. For example, you might enter Europe<\/strong> to identify the geographical locations of the data repositories you want to scan. You’ll use this name later on to identify where you want to install or upgrade your scanner.<\/li>
- Select Save<\/strong>
to save your changes.<\/li><\/ol>\n\n\n\nCreate a network scan job (public preview)<\/h3>\n\n\n\n
Starting in version 2.8.85.0<\/a>, you can scan your network for risky repositories. Add one or more of the repositories found to a content scan job to scan them for sensitive content.<\/p>\n\n\n\n
Note: The network discovery<\/strong> interface is currently in gradual deployment and will be available in all regions by September 15, 2020.<\/p>\n\n\n\n
- Network discovery prerequisites<\/a><\/li>
- Creating a network scan job<\/a><\/li><\/ul>\n\n\n\n
Network discovery prerequisites<\/h4>\n\n\n\n
- Creating a network scan job<\/a><\/li><\/ul>\n\n\n\n
- On the Azure Information Protection – Clusters<\/strong> pane, select Add<\/strong>
- Compliance data administrator<\/strong><\/li>
- Compliance administrator<\/strong><\/li>
- Service account requires Read permissions<\/strong> to each repository for discovery<\/strong> and Read\/Write permissions<\/strong> for classification\/protection<\/strong>.
- Service account created in On Premises AD (I will call this account AIPScanner in this document).
- Minimum 4 CPU and 4GB RAM physical or virtual.
![\"network](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/i-network-scan-jobs.png\")
.<\/li>![\"repositories](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/i-repositories.png\")
.![\"columns](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/i-columns.png\")
Select Columns<\/strong> to change the table columns displayed.![\"refresh](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/i-refresh.png\")
If your scanner has recently run network scan results, select Refresh<\/strong> to refresh the page.![\"Log](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/i-log-analytics.png\")
In the top-right corner of the unmanaged repositories graph, click the Log Analytics<\/strong> icon to jump to Log Analytics data for these repositories.<\/li><\/ol>\n\n\n\n![\"Configure](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/scanner-repositories-bar.png\")
![\"Add](\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/media\/scanner-repository-add.png\")