Forum Discussion

zwethuko's avatar
zwethuko
Copper Contributor
Jun 21, 2021

AIP Scanner - Unable to authenticate and setup Microsoft Azure Information Protection

Hi All,   I'm getting stuck in below issues to test AIP Scanner.   Error Set-AIPAuthentication :        As I worked through below the steps I had faced the following issue and cannot m...
mykhan's avatar
mykhan
Copper Contributor
Sep 19, 2023
Thank you for your response. I have tried all the possible steps, but no luck.
Our network is very restrictive. Based on the DLP scanner documentation, I have allowed my server to reach out to these URLs.

Source- AIP-Scanner Server
Destination: Below URLs/ Wildcards
*.aadrm.com
*.azurerms.com
*.informationprotection.azure.com
informationprotection.hosting.portal.azure.net
*.aria.microsoft.com
*.protection.outlook.com

Am I missing anything?
terryhugill's avatar
terryhugill
Brass Contributor
Oct 25, 2023
I am having the same issue. When I run Set-Aipauthentication without parameters, it brings up a connection to Azure Information Protection and asks for credentials. When I run the full command, it does not. This is the problem. How I get around that is another question. I will post when I find an answer.
  • mykhan's avatar
    mykhan
    Copper Contributor
    Oct 25, 2023

    Hi, how are you?

    No errors occur when running Set-AipAuthentication without any parameters, but running the full command results in errors.

    I would appreciate it if someone could verify if I am on the correct path.

    My service account is created via on-premises AD and can be synchronized via Azure AD.

    • The service account has the following privileges:
      • Can log in locally with user rights.
      • The account is the local admin on the machine.
      • This account has local administrator rights and has permission to write to the SQL Server master database.
      • One of the four accesses mentioned below is all that is missing.
        • Compliance Administrator
        • Compliance Data Administrator
        • Security Administrator
        • Organization Management

    My official account is being used as a delegated user due to having one of the four accesses mentioned above in the purview portal.

    Thanks in advance,

    • terryhugill's avatar
      terryhugill
      Brass Contributor
      Oct 25, 2023
      Have you created the Application registration and given it the appropriate permissions in Entra ID/Azure AD?
      • mykhan's avatar
        mykhan
        Copper Contributor
        Oct 25, 2023
        All necessary permissions are granted when creating the application registration, sir.
  • terryhugill's avatar
    terryhugill
    Brass Contributor
    Oct 25, 2023

    mykhan In my case, I recreated the secret in the app registration and it worked. I don't know if there was a copy/paste error in the original, but it is working now. If you haven't already, please check your settings using this guide: - https://learn.microsoft.com/en-gb/azure/information-protection/rms-client/clientv2-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection.

    • JXG2300's avatar
      JXG2300
      Copper Contributor
      Oct 25, 2023
      The registry entry worked for me, again... except not immediately, again. After adding the registry entry, we re-ran the Set-AIPAuthentication command and it did not work immediately after, we came back to it the next day and it worked.
      • terryhugill's avatar
        terryhugill
        Brass Contributor
        Oct 25, 2023

        JXG2300the only thing I can think of that would cause this would be the server was rebooted or patched afterwards. I rebooted my server and it was still doing it. 

Resources