Security, Compliance, and Identity Blog

MIP Scanner deployment - watch our video!

Mavi Etzyon-Grizer
Dec 30, 2020

Attached is a quick video that walks you through our scanner architecture and deployment steps!

FYI: when we refer to the "Discover and Protect" video, we mean the Ignite one: Discover and protect your on-premises data using Microsoft Information Protection

Enjoy!

Updated May 11, 2021
Version 5.0
  • Hello Mavi Etzyon-Grizer, Dean_Gross, you can use this:

    AIP Client: (deployed/in-progress)
    Whitelist AIP URLs: (Yes/No)
    SQL DB =  (Name) or (SERVER\Instance)
    
    Label Configuration Req
    ##########################
    Create and publish at least one label to the scanner
    Recommended to set up automatic rules, or if not, must use info types to be discovered = All
    ##########################
    
    Create Scanner cluster = CLUSTERNAME
    Content Scan Job
    Network Scan Job (optional)
    
    
    Configure AAD App and grant permissions
    ##########################
    AppName		=	AIP-ScannerUL
    Web URI 	=	https://localhost
    AppId		=
    AppSecret	=
    TenantId	=	XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    Rights to give
    Azure Rights Management Services (3)
    Content.DelegatedReader
    Content.DelegatedWriter
    Content.SuperUser
    
    Microsoft Information Protection Sync Service (1)
    UnifiedPolicy.Tenant.Read
    
    Accounts and apps
    ###########################
    Service Account (AD account) 						= 
    DelegatedUser (AAD Account)							= 
    Share Admin Account									=
    Standard (Weak) Account	(only domain user group)	= 
    
    
    Installing scanner service
    ##########################
    Installing account
    sysadmin + local admin on the scanner
    
    Scanner service account
    granted all rights by installing user
    
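    # Prompt for the scanner service account (AD account) credentials
    $serviceaccount = Get-Credential -UserName SERVICEACCOUNTNAME -Message "ScannerAccount"
    
    # Install the scanner service against the SQL instance and cluster
    Install-AIPScanner -SqlServerInstance SQLDBNAME -Cluster CLUSTERNAME -ServiceUserCredentials $serviceaccount
    
    # Acquire the AAD token for the service account using the registered app
    Set-AIPAuthentication -AppId "" -AppSecret "" -TenantId "" -DelegatedUser "DELEGATEDUSERNAME" -OnBehalfOf $serviceaccount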
    
    Verify the installation
    ##########################
    Start-AIPscannerDiagnostics -onBehalfOf $serviceaccount
    
    
    Network Discovery
    ##########################
    # Prompt for the share admin account and the standard (weak) domain user account
    $shareadminaccount = Get-Credential -UserName SHAREADMINACCOUNTNAME -Message "ShareAdminAccount"
    $publicaccount = Get-Credential -UserName STANDARDACCOUNTNAME -Message "PublicUser"
    
    # Install the network discovery service with all three accounts
    Install-MIPNetworkDiscovery -SqlServerInstance SQLDBNAME -Cluster CLUSTERNAME -ServiceUserCredentials $serviceaccount -ShareAdminUserAccount $shareadminaccount -StandardDomainsUserAccount $publicaccount
  • Dean_Gross
    Silver Contributor

    Thanks for doing this, watching someone else go through all of the steps is very helpful. Please do more of these for all of the various MIP installation/configuration tasks.

     

    Please share the checklist also. 

    Mavi Etzyon-Grizer 

  • BTW the install of MIPNetworkDiscovery is not necessary. You had better run Install-AIPScanner with all the necessary users. It installs the AIP network discovery at the same time.

     

    BTW try to avoid having a proxy on your scanner... this is a real pain.

  • Hello Hen David 

     

    I have set up the scanner with 3 different accounts as explained:

    The service account

    The sharedadmin account which has access to the share file

    The simple user

     

    The content scan was not able to crawl the content of the shared folder. As a temporary measure, we have allowed the service account to access the file share.

     

    Best regards