Before installing the scanner from Microsoft Purview Information Protection, make sure that your system complies with basic Azure Information Protection requirements.
Additionally, the following requirements are specific for the scanner:
If you can't meet all the requirements listed for the scanner because they are prohibited by your organization policies, see the alternative configurations section.
To support scans on NFS shares, services for NFS must be deployed on the scanner machine.
On your machine, navigate to the Windows Features (Turn Windows features on or off) settings dialog, and select the following items: Services for NFS > Administrative Tools and Client for NFS.
Microsoft Office iFilter
When your scanner is installed on a Windows server machine, you must also install the Microsoft Office iFilter in order to scan .zip files for sensitive information types.
You must have a service account to run the scanner service on the Windows Server computer, as well as authenticate to Microsoft Entra ID and download the scanner's policy.
Your service account must be an Active Directory account and synchronized to Microsoft Entra ID.
This right is automatically granted to the service account during the scanner installation and this right is required for the installation, configuration, and operation of the scanner.
Permissions to the data repositories
- File shares or local files: Grant Read, Write, and Modify permissions for scanning the files and then applying classification and protection as configured.
- SharePoint: You must grant Full Control permissions for scanning the files and then applying classification and protection to the files that meet the conditions in the Azure Information Protection policy.
- Discovery mode: To run the scanner in discovery mode only, Read permission is sufficient.
For labels that reprotect or remove protection
To ensure that the scanner always has access to encrypted files, make this account a super user for Azure Information Protection, and ensure that the super user feature is enabled.
Additionally, if you've implemented onboarding controls for a phased deployment, make sure that the service account is included in the onboarding controls you've configured.
Specific URL level scanning
To scan and discover sites and subsites under a specific URL, grant Site Collection Auditor rights to the scanner account at the farm level.
License for information protection
Required to provide file classification, labeling, or protection capabilities to the scanner service account.
To store the scanner configuration data, use a SQL Server instance that meets the following requirements:
- A local or remote instance. We recommend hosting the SQL Server and the scanner service on different machines, unless you're working with a small deployment. Additionally, we recommend having a dedicated SQL instance that serves the scanner database only, and that is not shared with other applications. If you're working on a shared server, make sure that the recommended number of cores is free for the scanner database to work.
- SQL Server 2016 is the minimum version for the following editions:
  - SQL Server Enterprise
  - SQL Server Standard
  - SQL Server Express (recommended for test environments only)
- An account with the Sysadmin role to install the scanner. The Sysadmin role enables the installation process to automatically create the scanner configuration database and grant the required db_owner role to the service account that runs the scanner.
Multiple configuration databases on the same SQL server are supported when you specify a custom cluster name for the scanner, or when you use the preview version of the scanner.
Storage requirements and capacity planning for SQL Server
The amount of disk space required for the scanner's configuration database and the specification of the computer running SQL Server can vary for each environment, so we encourage you to do your own testing. Use the following guidance as a starting point.
For example, to scan 1 million files that have an average file name length of 250 bytes, allocate 2-GB disk space.
For multiple scanners:
- Up to 10 scanners, use:
  - 4 core processors
  - 8-GB RAM recommended
- More than 10 scanners (maximum 40), use:
  - 8 core processors
  - 16-GB RAM recommended
Information protection client requirements
For a production network, you must have the current general availability version of the Microsoft Purview Information Protection client installed on the Windows Server computer.
You must install the full client for the scanner. Do not install the client with just the PowerShell module.
Label configuration requirements
You must have at least one sensitivity label configured in the Microsoft Purview portal or Microsoft Purview compliance portal for the scanner account, to apply classification and, optionally, encryption.
The scanner account is the account that you'll specify in the DelegatedUser parameter of the Set-Authentication cmdlet, run when configuring your scanner.
If you have long file paths in SharePoint version 2013 or higher, ensure that your SharePoint server's httpRuntime.maxUrlLength value is larger than the default 260 characters.
This value is defined in the HttpRuntimeSection class of the ASP.NET configuration.
To update the HttpRuntimeSection class:
Back up your web.config configuration.
Update the maxUrlLength value as needed. For example:
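As an added example (not from the Microsoft documentation), the following PowerShell script performs the two steps above: it backs up web.config and then raises the httpRuntime maxUrlLength attribute. The web.config path and the chosen length are assumptions; adjust them for your environment.

```powershell
# Added example: back up web.config, then raise httpRuntime.maxUrlLength so
# SharePoint accepts paths longer than the default 260 characters.
# Assumptions: $WebConfig is a placeholder path; $MaxUrlLength is a chosen value.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
    [int]$MaxUrlLength = 1024
)

if (-not (Test-Path -LiteralPath $WebConfig)) {
    throw "web.config not found: $WebConfig"
}

# Step 1: back up the existing configuration before changing it.
$backup = "$WebConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $WebConfig -Destination $backup
Write-Host "Backed up configuration to $backup"

# Step 2: locate <configuration><system.web><httpRuntime/>, creating it if absent.
[xml]$xml = Get-Content -LiteralPath $WebConfig -Raw
$httpRuntime = $xml.SelectSingleNode('/configuration/system.web/httpRuntime')
if (-not $httpRuntime) {
    $systemWeb = $xml.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) {
        $systemWeb = $xml.DocumentElement.AppendChild($xml.CreateElement('system.web'))
    }
    $httpRuntime = $systemWeb.AppendChild($xml.CreateElement('httpRuntime'))
}

# An absent attribute means the ASP.NET default (260) is in effect.
$current = $httpRuntime.GetAttribute('maxUrlLength')
Write-Host "Current maxUrlLength: $(if ($current) { $current } else { '(default 260)' })"

# Only raise the value; never lower a limit an administrator already set higher.
if (-not $current -or [int]$current -lt $MaxUrlLength) {
    $httpRuntime.SetAttribute('maxUrlLength', "$MaxUrlLength")
    $xml.Save($WebConfig)
    Write-Host "Set maxUrlLength to $MaxUrlLength in $WebConfig"
} else {
    Write-Host "No change needed; maxUrlLength is already $current"
}
```

Saving web.config recycles the application pool, so run this in a maintenance window.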
By default, to scan files, your file paths must have a maximum of 260 characters.
To scan files with file paths of more than 260 characters, install the scanner on a computer with one of the following Windows versions, and configure the computer as needed:

| Windows version | Description |
|---|---|
| Windows 2016 or later | Configure the computer to support long paths. |
| Windows 10 or Windows Server 2016 | Define the following group policy setting: Local Computer Policy > Computer Configuration > Administrative Templates > All Settings > Enable Win32 long paths. |

For more information about long file path support in these versions, see the Maximum Path Length Limitation section of the Windows 10 developer documentation.
Deploying the scanner with alternative configurations
The prerequisites listed above are the default requirements for the scanner deployment, and recommended because they support the simplest scanner configuration.
The default requirements should be suitable for initial testing, so that you can check the capabilities of the scanner.
However, in a production environment, your organization's policies may be different than the default requirements. The scanner can accommodate the following changes with additional configuration:
Discover and scan all SharePoint sites and subsites under a specific URL
The scanner can discover and scan all SharePoint sites and subsites under a specific URL with the following configuration:
Start SharePoint Central Administration.
On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.
Click to highlight the web application whose permission policy level you want to manage.
Choose the relevant farm and then select Manage Permissions Policy Levels.
Select Site Collection Auditor in the Site Collection Permissions options, then grant View Application Pages in the Permissions list, and finally, name the new policy level Scanner site collection auditor and viewer.
Add your scanner user to the new policy and grant Site collection in the Permissions list.
Add a URL of the SharePoint that hosts sites or subsites that need to be scanned. For more information, see Configure the scanner settings.
Restriction: The scanner server cannot have internet connectivity
While the information protection client can't apply encryption without an internet connection, the scanner can still apply labels based on imported policies.
To support a disconnected computer, use one of the following methods:
1. Create a new content scan job using the Set-ScannerContentScan cmdlet, making sure to use the mandatory -Enforce On parameter.
2. Add your repositories using the Add-ScannerRepository cmdlet, with the path to the repository you want to add.

Tip: To prevent the repository from inheriting settings from your content scan job, add the OverrideContentScanJob On parameter, as well as values for additional settings.
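The two steps above as an added PowerShell example, not code from the Microsoft documentation. It assumes the Purview Information Protection client's PowerShell module is already loaded, that Add-ScannerRepository accepts -Path and -Enforce (assumed parameter names), and uses placeholder share paths.

```powershell
# Added example: configure a scanner with no internet connectivity.
# Assumptions: -Path and -Enforce on Add-ScannerRepository are assumed parameter
# names; the UNC paths below are placeholders.
$repositories = @(
    '\\fileserver01\finance',      # placeholder
    '\\fileserver02\hr-archive'    # placeholder
)

# Step 1: create the content scan job in enforce mode, which the page marks as
# mandatory for the disconnected configuration.
Set-ScannerContentScan -Enforce On

# Step 2: add each repository. Skip paths the scanner host cannot reach so the
# job is not silently left pointing at repositories that will never be scanned.
$failed = @()
foreach ($path in $repositories) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping unreachable repository: $path"
        $failed += $path
        continue
    }
    # -OverrideContentScanJob On stops this repository from inheriting the
    # content scan job settings, so the explicit -Enforce value applies to it.
    Add-ScannerRepository -Path $path -OverrideContentScanJob On -Enforce On
    Write-Host "Added repository: $path"
}

if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) repository(ies) not added: $($failed -join ', ')"
}
```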
If you can be granted the Sysadmin role temporarily to install the scanner, you can remove this role when the scanner installation is complete.
Do one of the following, depending on your organization's requirements:
| Restriction | Description |
|---|---|
| You can have the Sysadmin role temporarily | If you temporarily have the Sysadmin role, the database is automatically created for you and the service account for the scanner is automatically granted the required permissions. However, the user account that configures the scanner still requires the db_owner role for the scanner configuration database. If you only have the Sysadmin role until the scanner installation is complete, grant the db_owner role to the user account manually. |
| You cannot have the Sysadmin role at all | If you cannot be granted the Sysadmin role even temporarily, you must ask a user with Sysadmin rights to manually create a database before you install the scanner. For this configuration, the db_owner role must be assigned to the following accounts: the service account for the scanner, the user account for the scanner installation, and the user account for scanner configuration. Typically, you will use the same user account to install and configure the scanner. If you use different accounts, they both require the db_owner role for the scanner configuration database. Create this user and rights as needed. If you specify your own cluster name, the configuration database is named AIPScannerUL_<cluster_name>. |
Additionally:
- You must be a local administrator on the server that will run the scanner.
- The service account that will run the scanner must be granted Full Control permissions to the following registry keys:
If, after configuring these permissions, you see an error when you install the scanner, the error can be ignored and you can manually start the scanner service.
Manually create a database and user for the scanner, and grant db_owner rights
If you need to manually create your scanner database and/or create a user and grant db_owner rights on the database, ask your Sysadmin to perform the following steps:
Create a database for the scanner:

```sql
-- Replace [clustername] with your scanner cluster name.
CREATE DATABASE AIPScannerUL_[clustername]
GO
ALTER DATABASE AIPScannerUL_[clustername] SET TRUSTWORTHY ON
GO
```

Grant rights to the user that runs the installation command and is used to run scanner management commands. Use the following script, replacing domain\user with that account and DBName with the scanner database:

```sql
-- Create a Windows login for the account if it does not already exist.
IF NOT EXISTS (SELECT * FROM master.sys.server_principals WHERE sid = SUSER_SID('domain\user'))
BEGIN
    DECLARE @T nvarchar(500)
    SET @T = 'CREATE LOGIN ' + QUOTENAME('domain\user') + ' FROM WINDOWS '
    EXEC(@T)
END
GO

USE DBName
GO
-- Map the login to a database user, then add that user to db_owner.
-- The user must exist before sp_addrolemember can add it to the role.
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE sid = SUSER_SID('domain\user'))
BEGIN
    DECLARE @X nvarchar(500)
    SET @X = 'CREATE USER ' + QUOTENAME('domain\user') + ' FROM LOGIN ' + QUOTENAME('domain\user')
    EXEC(@X)
    EXEC sp_addrolemember 'db_owner', 'domain\user'
END
GO
```

Grant rights to the scanner service account. Use the following script, replacing domain\user with the service account; the service account also needs db_owner on the scanner database, as listed above:

```sql
-- Create a Windows login for the service account if it does not already exist.
IF NOT EXISTS (SELECT * FROM master.sys.server_principals WHERE sid = SUSER_SID('domain\user'))
BEGIN
    DECLARE @T nvarchar(500)
    SET @T = 'CREATE LOGIN ' + QUOTENAME('domain\user') + ' FROM WINDOWS '
    EXEC(@T)
END
GO

USE DBName
GO
-- Map the login to a database user in the scanner database and grant db_owner.
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE sid = SUSER_SID('domain\user'))
BEGIN
    DECLARE @X nvarchar(500)
    SET @X = 'CREATE USER ' + QUOTENAME('domain\user') + ' FROM LOGIN ' + QUOTENAME('domain\user')
    EXEC(@X)
    EXEC sp_addrolemember 'db_owner', 'domain\user'
END
GO
```
Restriction: The service account for the scanner cannot be granted the Log on locally right
If your organization policies prohibit the Log on locally right for service accounts, use the OnBehalfOf parameter with Set-Authentication.