In my previous blog posts, I explained what Azure Information Protection is and how we can use it to classify and protect sensitive data. In those posts I was using data stored in corporate OneDrive accounts, but in most cases organizations use on-premises file servers. In this blog post I am going to explain how we can use Azure Information Protection with on-premises file shares.
To do this we are going to use a component called the Azure Information Protection Scanner. It comes with the Azure Information Protection add-on that we normally install on user computers. Before we start, the following prerequisites need to be in place:
1) Windows Server 2012 R2 or newer
2) Minimum SQL Server 2012 (Express, Standard or Enterprise)
3) A service account to run the service – Ideally this should be an AD-synced account with the "log on locally" and "log on as a service" permissions. If you have a locked-down environment, you can use a local account to run the service and a separate Azure AD account for authentication. In my demo I am going to use this method.
4) The Azure Information Protection client installed
5) Classification with automatic protection configured – More details can be found at https://www.rebeladmin.com/2018/12/step-step-guide-automatic-data-classification-via-azure-information-protection/
Create Service Account
In my demo server I have created a local user called aipsa and assigned it local administrator rights.
For demo purposes I have created a file share called DataShare and added different types of files to it.
SQL Server 2017 Express
In my demo server I have SQL Server 2017 Express installed. This will be used by the AIP Scanner.
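Before moving on to the client install, it helps to confirm that the prerequisites above are actually in place on the scanner server. The following PowerShell readiness check is an added example, not part of the original post; it assumes the demo values used here (local service account aipsa, share name DataShare) and that the server has PowerShell 5.1 with the LocalAccounts and SmbShare modules.

```powershell
# Added example: check the AIP Scanner prerequisites on the scanner server.
# Assumed demo values (from this post): service account 'aipsa', share 'DataShare'.
$ServiceAccount = 'aipsa'
$ShareName      = 'DataShare'
$results = @()

# 1) Windows Server 2012 R2 (build 9600) or newer; ProductType 1 means a client OS
$os = Get-CimInstance Win32_OperatingSystem
$results += [pscustomobject]@{
    Check  = 'Windows Server 2012 R2 or newer'
    Pass   = ($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 9600)
    Detail = "$($os.Caption) build $($os.BuildNumber)"
}

# 2) SQL Server present: default instance is MSSQLSERVER, named instances are MSSQL$<name>
$sql = Get-Service | Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' }
$results += [pscustomobject]@{
    Check  = 'SQL Server instance present and running'
    Pass   = [bool]($sql | Where-Object { $_.Status -eq 'Running' })
    Detail = $(if ($sql) { ($sql.Name -join ', ') } else { 'no SQL Server service found' })
}

# 3) Service account exists and is a local administrator (the demo setup)
$user  = Get-LocalUser -Name $ServiceAccount -ErrorAction SilentlyContinue
$admin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
         Where-Object { $_.Name -like "*\$ServiceAccount" }
$results += [pscustomobject]@{
    Check  = "Service account '$ServiceAccount' exists and is a local admin"
    Pass   = [bool]$user -and [bool]$admin
    Detail = $(if ($user) { "Enabled=$($user.Enabled)" } else { 'account not found' })
}

# 4) AIP client installed: the client ships the AzureInformationProtection module
$aip = Get-Module -ListAvailable -Name AzureInformationProtection
$results += [pscustomobject]@{
    Check  = 'Azure Information Protection client installed'
    Pass   = [bool]$aip
    Detail = $(if ($aip) { "module version $(($aip | Select-Object -First 1).Version)" } else { 'module not found' })
}

# 5) Demo file share to be scanned exists
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = "SMB share '$ShareName' exists"
    Pass   = [bool]$share
    Detail = $(if ($share) { $share.Path } else { 'share not found' })
}

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the scanner server; any row with Pass = False points to a prerequisite that still needs attention.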
AIP Client Install
We need a full AIP client install before we start the scanner configuration.
1) Log in to the server as Administrator
2) Download AIP client from https://www.microsoft.com/en-gb/download/details.aspx?id=53018
3) Run the AzInfoProtection.exe as Administrator
4) Accept the terms & conditions on the first screen
5) The installation will start