Forum Discussion

JustinRCron
Copper Contributor
May 20, 2025

Purview MIP On-premise scanner server, issues connecting to aadrm.us

Here is the output from running Start-ScannerDiagnostics:

PS C:\Users\purviewscan_svc> Start-ScannerDiagnostics

Scanner information:

SQL server: <SQL Servername has been removed>.

Cluster: <Cluster name removed>. Scanner user: <service account username removed>

Connectivity check for: "https://login.microsoftonline.us/" common completed successfully

Connectivity check for: "https://usg02b.dataservice.protection.office365.us" completed successfully

"https://aadrm.us" is not accessible. Error: The remote name could not be resolved: 'aadrm.us'

Database check completed successfully

Authentication check completed successfully

Content scan job check completed successfully

Configuration check completed successfully

Rules configuration: Verify you did not define your automatic rules as recommended. By default, scanner does not apply recommended rules. You can either change the recommended rule to automatic, or enable the 'Treat recommended as automatic' option in the scanner profile.

Logs exported to: C:\Users\purviewscan_svc\AppData\Local\Microsoft\MSIP\DiagnosticsLogs.zip

Any help would be greatly appreciated.

Thank you

1 Reply

  • Ankit365
    Iron Contributor

    If you're using the Microsoft Purview MIP on-premises scanner in a U.S. Government (GCC High) environment and encountering issues connecting to https://aadrm.us, even after successful connectivity to other endpoints, the problem likely goes beyond basic DNS or firewall. One common but overlooked cause is that the scanner may have been installed with default Commercial (Global) cloud settings, and thus doesn’t recognize .us endpoints. To fix this, you should uninstall and reinstall the scanner using the -AzureRegion USGov flag to ensure it targets the correct environment. Additionally, make sure you're using the latest version of the AIP Unified Labeling client (v3.15 or newer), as older versions can fail in sovereign clouds. Also check if the required U.S. Government and DoD root certificates are present in the Trusted Root Certification Authorities store—missing these can silently block TLS connections to aadrm.us. Finally, confirm that the Service Connection Point (SCP) and scanner authentication are aligned with the USGov cloud by running Set-AIPAuthentication -Cloud USGov. These are critical yet commonly missed steps that ensure the scanner functions correctly in Microsoft’s sovereign cloud infrastructure.
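
Added example, not part of either post above and not Microsoft's own tooling: a PowerShell check that separates the three failure stages the thread mentions (name resolution, TCP reachability, TLS trust) for the endpoints listed in the diagnostics output. The function name Test-ScannerEndpoint is hypothetical; the host names are taken from the Start-ScannerDiagnostics output, and the check assumes a direct connection on port 443 (no proxy).

```powershell
# Added example: classify why a scanner endpoint fails (DNS, TCP, or TLS trust).
# Run it as the scanner service account on the scanner server.
$endpoints = 'login.microsoftonline.us',
             'usg02b.dataservice.protection.office365.us',
             'aadrm.us'

function Test-ScannerEndpoint {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $r = [ordered]@{ Host = $HostName; Dns = 'fail'; Tcp = 'skipped'; Tls = 'skipped'; Detail = '' }

    # Stage 1: name resolution, the stage reported as failing for aadrm.us.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($HostName)
        $r.Dns = ($ips | ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        $r.Detail = $_.Exception.GetBaseException().Message
        return [pscustomobject]$r
    }

    # Stage 2: direct TCP connect (a proxy-only network will fail here).
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        try {
            $client.Connect($HostName, $Port)
            $r.Tcp = 'ok'
        } catch {
            $r.Tcp = 'fail'
            $r.Detail = $_.Exception.GetBaseException().Message
            return [pscustomobject]$r
        }

        # Stage 3: TLS handshake with default validation, so a chain that does
        # not end in a root trusted by this machine shows up as Tls = fail.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $r.Tls = 'ok'
            $r.Detail = 'Issuer: ' + $ssl.RemoteCertificate.Issuer
        } catch {
            $r.Tls = 'fail'
            $r.Detail = $_.Exception.GetBaseException().Message
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }

    [pscustomobject]$r
}

$endpoints | ForEach-Object { Test-ScannerEndpoint -HostName $_ } | Format-List
```

A row with Dns = fail reproduces the "remote name could not be resolved" error independently of the scanner; a row with Dns and Tcp passing but Tls = fail points at certificate trust on the server instead.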