AIP UL Scanner completely offline

CALVO CABEZAS, PABLO 1 Reputation point
2020-10-05T13:19:44.457+00:00

Hello Community,

I was wondering if it is possible to install a single node of Azure Information Protection completely offline. Has anyone tried it?
I mean there wouldn't be a connection at any time... not even at the time of generating the token. Completely offline before the installation, during installation and after it.

Microsoft Learn says that it is possible, but it is not really clear, because it seems like there must be a step where it is mandatory to have an internet connection to join the node to the tenant (after that, it is possible to disconnect it).

I know that RMS wouldn't work, but I only want to use AIP for labeling.

Many thanks and best regards!


3 answers

  1. CALVO CABEZAS, PABLO 1 Reputation point
    2020-10-06T08:14:59.607+00:00

    Yes James! Thanks. Starting from the prerequisites: https://learn.microsoft.com/es-es/azure/information-protection/deploy-aip-scanner-prereqs
    it says that: "If you can't meet all the requirements in the table because they are prohibited by your organization policies, see the alternative configurations section."

    In the alternative configurations sections, the first restriction talks about no-internet connectivity: "Restriction: The scanner server cannot have internet connectivity".

    The docs are clear on this point: "While the unified labeling client cannot apply protection without an internet connection, the scanner can still apply labels based on imported policies". We don't want to use AIP for RMS, but only for labels. It fits perfectly for us. The tricky point comes after the first required step:
    1. Configure labels in your policy, and then use the procedure to support disconnected computers to enable offline classification and labeling.

    Here is the tricky point. If you navigate to the "procedure to support disconnected computers", it says that: "If you have computers that cannot connect to the internet for a period of time, you can export and copy files that manually manages the policy for the unified labeling client."

    The scanner is supposed to have no internet connection at any time, so there is no "period of time" as the docs say.

    After following all the steps:

    1. Set the scanner to function in offline mode, using the Set-AIPScannerConfiguration cmdlet.
    2. Configure the scanner in the Azure portal by creating a scanner cluster. For more information, see Configure the scanner in the Azure portal.
    3. Export your content job from the Azure Information Protection - Content scan jobs pane using the Export option.
    4. Import the policy using the Import-AIPScannerConfiguration cmdlet.
    5. Results for offline content scan jobs are located at: %localappdata%\Microsoft\MSIP\Scanner\Reports

    There are no reports located in that folder (after Start-AIPScan), and the MSIPScanner logs show the following:

    Warn 2020-10-06 10:07:02.2797 MSIP.Scanner MSIP.Scanner (536) Failed to validate policy and confiuguration "System.InvalidOperationException: Engine is not initialized, bootstrap might have failed ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'login.windows.net'
    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
    at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
    --- End of inner exception stack trace ---

    It is trying to connect, and it seems that it needs to validate in order to perform a scan.

    Thanks in advance, @JamesTran-MSFT
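
Added example (not part of the original posts and not Microsoft's tooling): a log-triage helper that unwinds the exception chain in scanner warnings like the one quoted above and tallies the hostnames the scanner failed to resolve, which shows which endpoints an "offline" scanner still tries to reach. The log layout is assumed from that single quoted line; `parse_events`, `unresolved_hosts` and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first entry copies the warning quoted in the post above;
# the Info line and the second warning are invented for this example.
SAMPLE_LOG = """\
Warn 2020-10-06 10:07:02.2797 MSIP.Scanner MSIP.Scanner (536) Failed to validate policy and confiuguration "System.InvalidOperationException: Engine is not initialized, bootstrap might have failed ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'login.windows.net'
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
Info 2020-10-06 10:07:03.0000 MSIP.Scanner MSIP.Scanner (536) Constructed informational line
Warn 2020-10-06 10:12:02.1000 MSIP.Scanner MSIP.Scanner (536) Failed to validate policy and confiuguration "System.Net.WebException: The remote name could not be resolved: 'login.windows.net'
"""

# Assumed entry header: "<Level> <yyyy-mm-dd hh:mm:ss.ffff> <message>"
HEADER = re.compile(
    r"^(?P<level>[A-Za-z]+) (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<msg>.*)$")
EXC_TYPE = re.compile(r"\b([A-Za-z_][\w.]*Exception): ")
DNS_FAIL = re.compile(r"remote name could not be resolved: '([^']+)'")


def parse_events(text):
    """Return one dict per log entry that carries a .NET exception chain."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # stack-trace continuation lines have no entry header
        chain = EXC_TYPE.findall(m["msg"])  # outermost first, in "--->" order
        if not chain:
            continue  # entry without an exception, e.g. the Info line
        dns = DNS_FAIL.search(m["msg"])
        events.append({"ts": m["ts"], "level": m["level"], "chain": chain,
                       "root_cause": chain[-1],
                       "host": dns.group(1) if dns else None})
    return events


def unresolved_hosts(text):
    """Count DNS resolution failures per hostname across all entries."""
    return Counter(e["host"] for e in parse_events(text) if e["host"])


if __name__ == "__main__":
    for e in parse_events(SAMPLE_LOG):
        print(e["ts"], e["root_cause"], "->", e["host"])
    print(dict(unresolved_hosts(SAMPLE_LOG)))
```
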


  2. JamesTran-MSFT 36,541 Reputation points Microsoft Employee
    2020-10-06T22:35:32.28+00:00

    @CALVO CABEZAS, PABLO
    I received a response from our engineering team and will post it below. If you continue to run into issues, can you provide screenshots or a copy/paste of the error message you're seeing?

    PG response:
    Can you wait 24hrs and retry the operation?

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


  3. CALVO CABEZAS, PABLO 1 Reputation point
    2020-10-08T10:19:19.357+00:00

    Hello James,

    We've waited 24 hours and the service status is the same: Error after Start-AIPScan. We will try to solve it through a Microsoft internal support ticket and the solution will be posted here (if we reach it).

    Thanks!