AIP Scanner - enforce protection on already-classified file

  • Question

  • Hi Fellows.

    I have an AIP Scanner deployed and connected with a SharePoint library. It automatically applies a label (with protection) when a new unclassified file is uploaded to the library.

    But if a file which is already classified (label only, without any RMS protection) is uploaded, no change happens. AIP Scanner does not apply the label (with protection) to it.

    On the AIP Scanner, the event below is logged:

    Event Type: Information

    Event ID: 106

    Source: Azure Information Protection

    Client Version: 1.29.5.0
    Client Policy ID: b942xxxx-xxxx-xxxx-xxxx-xxxxxxx
    Item Full Path: http://sp.domain.com/sites/dataclassification/Test DataClassification Library/Public Classified File Test 2.docx
    Item Name: Public%20Classified%20File%20Test%202.docx
    Item Directory: http://sp.domain.com/sites/dataclassification/Test DataClassification 
    IP Addresses: ##.##.##.##
    Process Name: MSIP.Scanner
    Action: Discover
    Owner After Action: azure@domain.com
    Owner Before Action: uatuser@domain.com
    Label Before Action: Public
    Label ID Before Action: 896300ae-bddf-4ea8-957d-fda2b95320b3
    User Justification: Applied by AIP Scanner Automatically
    Labeled Before Action: Manually
    Action Source: Automatic

    I need to ensure that any file, whether classified or non-classified, when uploaded to this SharePoint Library gets the label (and the protection associated with the label) enforced.

    Any help would be appreciated.


    J.A

    Tuesday, September 25, 2018 7:44 AM

All replies

  • Using Set-AIPScannerRepository for your SharePoint data store, try the OverrideLabel parameter:

    https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipscannerrepository?view=azureipps#optional-parameters

    Specify whether to apply a different label to a file that's already labeled. By default, the scanner doesn't relabel the files, unless the new label has higher sensitivity than current label, and the initial label was not manually applied by an end user.

    If set to On, the scanner replaces an existing label when the configured conditions apply.

    Tuesday, September 25, 2018 11:05 PM
  • Hi Carol.

    Thank you for the guidance.

    Yes, Override Label is already ON.

    Probably the issue is with the sensitivity level, which you rightly pointed out --> "unless the new label has higher sensitivity than current label"

    In our scenario, the user is manually applying a "Public" label, which appears as the last label (hence highest sensitivity),

    while the "Internal" label, which is enforced by AIP-Scanner, appears before the "Public" label (hence lower sensitivity).

    I will change the order and try again.

    Regards.


    J.A

    Wednesday, September 26, 2018 10:25 AM
  • Hi Carol.

    I have made the change and moved the Public label to be left-most (least sensitive), and the "Internal" label is now right-most (most sensitive).

    I have created two files: one manually classified as "Public" and another one automatically classified using an automatic condition in the "Public" label.

    I uploaded both files to the AIP-Scanner-integrated SharePoint library but nothing happened. The files remain classified as "Public" and are not overridden by AIP-Scanner.

    AIP Scanner logged the event below (Event ID 106):


    Log Name:      Azure Information Protection
    Source:        Azure Information Protection
    Date:          10/3/2018 11:59:01 AM
    Event ID:      106
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          DOMAIN\pocazure
    Computer:      AIPSCANNER.domain.com
    Description:
    Client Version: 1.29.5.0
    Client Policy ID: 5d4cxxxxx-xxxx-xxxx-xxxx-xxxxxxx8f40
    Item Full Path: http://sp.domain.com/sites/dataclassification/Test DataClassification Library/ReClassificationTestpublictestAuto2.docx
    Item Name: ReClassificationTestpublictestAuto2.docx
    Item Directory: http://sp.domain.com/sites/dataclassification/Test DataClassification Library/
    IP Addresses: xx.xxx.xx.xxx
    Process Name: MSIP.Scanner
    Action: Discover
    Owner After Action: azurepoc@domain.com
    Owner Before Action: uatuser@domain.com
    Label Before Action: Public
    Label ID Before Action: 896300xx-xxxx-xxxx-xxxx-xxxxxx20b3
    User Justification: Applied by AIP Scanner Automatically
    Labeled Before Action: Automatically
    Action Source: Automatic
    --------------------
    Below is the AIP Scanner configuration for your reference:
    PS> Get-AIPScannerConfiguration
    Enforce : On
    ReportLevel : Debug
    Schedule : Continuous
    Type : Incremental
    DiscoverInformationTypes : All
    JustificationMessage : Applied by AIP Scanner Automatically
    ScannedFileTypes : *,-.lnk,-.exe,-.com,-.cmd,-.bat,-.dll,-.ini,-.pst,-.sca,-.drm,-.sys,-.cpl,-.inf,-.drv,-.dat,-.tmp,-.msp,-.msi,-.pdb,-.jar,-.ocx
    PS > Get-AIPScannerRepository
    Repository : http://sp.domain.com/sites/dataclassification/Test DataClassification Library
    OverrideLabel : On
    PreserveFileDetails : Off
    DefaultOwner :
    DefaultLabel : 8724xxxx-xxxx-xxxx-xxxx-xxxxxx2850b
    ScannedFileTypes : *,-.lnk,-.exe,-.com,-.cmd,-.bat,-.dll,-.ini,-.pst,-.sca,-.drm,-.sys,-.cpl,-.inf,-.drv,-.dat,-.tmp ,-.msp,-.msi,-.pdb,-.jar,-.ocx
    MatchPolicy : Off


    J.A


    Wednesday, October 3, 2018 8:31 AM
  • Finally figured this out (I think!) - it's because you have OverrideLabel:On but MatchPolicy:Off and this combination isn't compatible.

    To override an existing label requires MatchPolicy:On.

    I've clarified this in the online docs: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipscannerrepository#optional-parameters 

    Wednesday, October 17, 2018 10:57 PM
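
Added example (not part of the thread and not Microsoft's code): a PowerShell check, run on the scanner host, for the OverrideLabel:On / MatchPolicy:Off combination identified in the reply above and for the Event ID 106 "Discover" symptom shown in the question. It assumes the object property names match the Get-AIPScannerRepository output pasted in the thread, and that the event description is available as the event's Message text.

```powershell
# Added example. Assumes the AzureInformationProtection module (classic client,
# as in the thread) is available in this session on the scanner host.

# 1. Configuration check: repositories with OverrideLabel On but MatchPolicy Off.
#    Property names are taken from the Get-AIPScannerRepository output in the thread.
$mismatched = Get-AIPScannerRepository |
    Where-Object { "$($_.OverrideLabel)" -eq 'On' -and "$($_.MatchPolicy)" -eq 'Off' }

foreach ($repo in $mismatched) {
    Write-Warning "OverrideLabel=On with MatchPolicy=Off: $($repo.Repository)"
}

# 2. Symptom check: Event ID 106 entries where an already-labeled item was only
#    discovered (Action: Discover) instead of being relabeled.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Azure Information Protection'; Id = 106
} -MaxEvents 500 -ErrorAction SilentlyContinue

$skipped = foreach ($e in $events) {
    # Turn the "Key: Value" lines of the description into a hashtable.
    $fields = @{}
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($fields['Action'] -eq 'Discover' -and $fields['Label Before Action']) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Item        = $fields['Item Full Path']
            LabelBefore = $fields['Label Before Action']
            LabeledHow  = $fields['Labeled Before Action']
        }
    }
}
$skipped | Format-Table -AutoSize

# 3. Remediation suggested in the reply above: turn MatchPolicy on for the
#    affected repositories, keeping the other settings as they are.
foreach ($repo in $mismatched) {
    Set-AIPScannerRepository -Path $repo.Repository -MatchPolicy On
}
```
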
  • Hi Carol,

    Thank you for your reply and efforts. One clarification required here though.

    If I turn on OverrideLabel:On and MatchPolicy:On, but I do not have any automatic condition defined in any of my AIP policies or labels:

    AIP Label - Configure conditions for automatically applying this label (empty)

    Will AIP scanner be able to override the label?


    J.A

    Friday, October 26, 2018 12:15 PM