When using a MS Entra token for the AIP Scanner, it isn't telling me it acquired the app token?

Steve l 0 Reputation points
2023-12-13T20:41:13.31+00:00

When following the instruction set here: https://learn.microsoft.com/en-us/purview/deploy-scanner-configure-install?tabs=azure-portal-only#get-a-microsoft-entra-token-for-the-scanner

To utilize the Entra application token instead of the account token in order to run the AIP Scanner for 2 years instead of resetting it every 90 days.

Testing has provided the following results:

PS C:\Windows\system32> Set-AIPAuthentication
Acquired access token.

- as expected, indicates it is utilizing the account logged in with (scanner service account). Will require re-running this command every 90 days.


PS C:\Windows\system32> Set-AIPAuthentication -AppID "

2 answers

  1. Marilee Turscak-MSFT 34,046 Reputation points Microsoft Employee
    2023-12-15T20:19:36.7833333+00:00

    @Steve l ,

    Under your App Registration > Certificates and Secrets > New client secret/Add a client secret , you need to set "Expires" to 24 months.


    You can also use Powershell to set the secret expiration:

    # Requires the AzureAD module (Connect-AzureAD first). Secret validity runs
    # from now until two years from now; the scanner token lives as long as the secret.
    $startDate = Get-Date
    $endDate = $startDate.AddYears(2)
    # -ObjectId is the App Registration's Object ID (not the Application/client ID)
    $aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId xxxxx -StartDate $startDate -EndDate $endDate

    The scanner should pull from the client secret settings.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions. Otherwise let me know if you still face this issue or have further questions.


  2. Marilee Turscak-MSFT 34,046 Reputation points Microsoft Employee
    2023-12-18T21:31:07.76+00:00

    Hi @Steve l ,

    Your example is missing the full PowerShell command. In your PowerShell command, you need to "Run as Administrator", which is required for the OnBehalfOf parameter. You need to include the "Get-Credential" portion as well to create a PSCredential object and store the specified Windows user name and password in the $pscreds variable. In addition, you need to include the full portion of the command with the TenantId and OnBehalfOf credentials included, as in the example here.

    PS C:\> $pscreds = Get-Credential CONTOSO\scanner
    PS C:\> Set-AIPAuthentication -AppId "77c3c1c3-abf9-404e-8b2b-4652836c8c66" -AppSecret "OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4" -DelegatedUser scanner@contoso.com -TenantId "9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a" -OnBehalfOf $pscreds
    Acquired application access token on behalf of CONTOSO\scanner.

    Otherwise if you are not using the Unified Labeling Client, when you run Set-AIPAuthentication , it is expected behavior to see "Acquired access token." The command allows the AIP scanner service account to authenticate.

    If the configuration is set correctly in the application, the command should use the app token.

    Let me know if you still run into any issues.

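The following script is an added example, not code from the question, the answers, or Microsoft's documentation. It runs the delegated-application authentication that the second answer describes end to end, with the checks a practitioner would want: it refuses to run in a non-elevated session (the OnBehalfOf parameter needs one), prompts for the client secret instead of placing it on the command line, and verifies that the cmdlet reports an application token rather than a plain account token. All GUIDs and account names are placeholders; it assumes the AIP unified labeling client PowerShell module that provides Set-AIPAuthentication is installed, and that success is reported as a line containing "Acquired application access token", as quoted in the answer above.

```powershell
#Requires -RunAsAdministrator
# The #Requires line above makes PowerShell refuse to run the script in a
# non-elevated session, which is what -OnBehalfOf needs (see the answer above).

# Placeholders: replace with the values from your own App Registration and tenant.
$AppId         = "00000000-0000-0000-0000-000000000000"   # Application (client) ID
$TenantId      = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID
$DelegatedUser = "scanner@contoso.example"                # scanner's cloud account (UPN)
$OnPremAccount = "CONTOSO\scanner"                        # scanner's Windows service account

# Read the client secret interactively rather than typing it into the command
# line, so it does not end up in PSReadLine history or a transcript file.
$secureSecret = Read-Host -Prompt "Client secret for app $AppId" -AsSecureString
$AppSecret    = [System.Net.NetworkCredential]::new("", $secureSecret).Password

# PSCredential for the on-premises service account, as in the answer's example.
$pscreds = Get-Credential -UserName $OnPremAccount -Message "Password for $OnPremAccount"

# Run the cmdlet and merge every output stream into one string so the result can
# be checked programmatically instead of read off the console.
$output = Set-AIPAuthentication -AppId $AppId -AppSecret $AppSecret `
    -DelegatedUser $DelegatedUser -TenantId $TenantId -OnBehalfOf $pscreds *>&1 | Out-String

# Drop the plaintext secret from the session as soon as it is no longer needed.
$AppSecret = $null

# "Acquired access token." alone means the scanner is still using the signed-in
# account token (90-day renewal); the "application access token ... on behalf of"
# line means the Entra application token is in use and lives as long as the secret.
if ($output -match 'Acquired application access token') {
    Write-Host "OK: scanner is using the Entra application token for $OnPremAccount."
} else {
    Write-Warning "Expected 'Acquired application access token' but got:`n$output"
    Write-Warning "Check that the session is elevated and that AppId, TenantId and DelegatedUser match the App Registration."
}
```

Run the script from an elevated PowerShell window as the scanner service account. If the final line only says "Acquired access token.", the cmdlet fell back to the account token, which is the situation the question describes; the usual causes are a missing -OnBehalfOf credential, a non-elevated session, or an AppId/TenantId pair that does not match the registration whose secret was entered.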