I worked around this issue by obtaining the logon locally right via the client. However, I have found this requirement listed at numerous sites which have been listed below:
https://techcommunity.microsoft.com/t5/security-compliance-identity/installation-configuration-and-usage-of-the-aip-scanner/ba-p/221792
Direct from Microsoft
https://learn.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner-prereqs
Requirement Details
Log on locally user right assignment Required to install and configure the scanner, but not required to run scans.
Once you've confirmed that the scanner can discover, classify, and protect files, you can remove this right from the service account.
If granting this right even for a short period of time is not possible because of your organization policies, see Deploying the scanner with alternative configurations.