Configure on-premises labeling for the Unified Labeling Scanner


The installation and configuration of the Unified Labeling Scanner is done from the AIPService PowerShell module on a server that will act as the Unified Labeling Scanner in an environment.

Installation of the unified labeling scanner

After fulfilling the requirements like service accounts and a SQL Server instance, it´s possible to install the Unified Labeling Scanner in the following steps:

  1. Install and sign into a Windows Server computer or VM.

  2. Install the Unified Labeling Client on the machine.

  3. Run the Windows PowerShell as local administrator in an elevated command shell.

  4. Run the cmdlet from the AIPService PowerShell module to install the AIP Scanner:

    Install-AIPScanner -SqlServerInstance <name> -Cluster <cluster name>
  5. Verify that the service is now installed by using Administrative Tools > Services. The installed service is named Azure Information Protection Scanner and is configured to run by using the scanner service account that you created.

  6. You can control the installation and operation in the Task Manager of the Windows Server, which is the host for the scanner.

Configuration of the unified labeling scanner

The Unified label is installed on a Windows server and is connected to the SQL Server instance. In the next steps to configure the Scanner we need to connect the local instance with the Azure environment with an Azure AD Token and after it we can configure it to make the first run.

Acquire an Azure AD Token for the scanner

Perform the following steps to fetch an Azure AD Token for the Unified Labeling Scanner:

  1. Navigate to the Azure portal at

  2. In the top search bar, enter App Registrations and select App registrations.

  3. Select + New registration.

  4. Provide a meaningful name.

  5. Select the Supported account type (or leave as default).

  6. Set the Redirect url to: https://localhost

  7. Select Register.

  8. The overview page provides the Application (client) ID, copy this ID for use later.

  9. Select the Certificates & secrets setting.

  10. Under Client secrets, select + New client secret to create a new secret.

  11. Provide a description for the secret and choose the desired expiration interval.

  12. Immediately copy the value of the new secret to a secure location. The full value is displayed to you only once.

  13. Select Add.

  14. Navigate to API Permissions.

  15. Select + Add a permission.

  16. Select Azure Rights Management Services > application permissions.

  17. Expand the content permissions.

  18. Select Content.DelegatedReader and Content.DelegatedWriter.

  19. Select Add Permission.

  20. Select + Add a permission > APIs my organization uses.

  21. Search for Microsoft Information Protection Sync Service.

  22. Select Microsoft Information Protection Sync Service > Application permissions.

  23. Expand the content permissions.

  24. Select UnifiedPolicy.Tenant.Read.

  25. Select Add Permission.

  26. Select the Grant admin consent button.

  27. Navigate to the Azure Active Directory.

  28. Within the overview page copy, the Tenant ID required for the next step.

  29. Configure the Azure AD applications for Set-AIP Authentications from the Windows Server computer, if your scanner service account has been granted the sign in locally right for the installation, sign in with this account and start a PowerShell session using the AzureInformationProtection module.

    Set-AIPAuthentication -AppId <ID of the registered app> -AppSecret <client secret sting> -TenantId <your tenant ID> -DelegatedUser <Azure AD account>
  30. After this cmdlet is run the scanner will have an Azure AD Token and be registered as an application in the Azure environment. With this connection, the scanner has access to the label scheme and the settings.

Configuration of the scanner and scan methods

The configuration for the scanner is done in the Azure portal. Follow these steps to configure and set up the Scanner to perform scans in an organization's network:

  1. Sign into the Azure portal at

  2. The user requires one of the roles (requirements).

  3. Create a scanner cluster.

  4. Scan your network for risky repositions (optional).

  5. Run your network scan job (Public Preview).

  6. Create a content scan job.

  7. Start the Scan.

Moreover, it´s also possible to restart the scan and rescan all the files.


The Unified Labeling scanner does not scan and protect in real time. The crawler runs a cycle and repeat.

Operational scenarios for the unified labeling scanner

The Unified labeling scanner can be used for different operational scenarios, some of them include:

Scenario Scanner run
Scan for a report only to know your data Run the scanner in discovery mode only to create reports that check to see what happens when your files are labeled.
Run the scanner to find and discover files with sensitive information Run the scanner to discover files with sensitive information, without configuring labels that apply automatic classification.
Run and apply labels Run the scanner automatically to apply labels as configured.
Specific scan only a few files types Define a file types list to specify specific files to scan or to exclude.

Learn more

Install and configure the Azure Information Protection (AIP) unified labeling scanner