![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 13%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESL%3C/text%3E%3C/svg%3E)
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
529 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Steve l ,
Thanks for reaching out.
This is expected behavior when you run the command Set-AIPAuthentication which will allow AIP scanner service account to authenticate AIP service. Token sets and stores credentials for the delegated user to authenticate to Azure Information Protection.
There is no direct way to validate that token has been acquired or prevent the access utilization, but your on-prem service account need to be in synchronized to Microsoft Entra ID to download and execute the scanner's policy.
Reference- https://learn.microsoft.com/en-us/purview/deploy-scanner-prereqs#service-account-requirements
I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.
Hope this will help.
Thanks,
Shweta