On-Premises File Servers – Implementing Microsoft Purview data loss prevention (DLP)

Despite the high rate of adoption for cloud services and infrastructure, many organizations still have

a lot of data stored in on-premises repositories such as SharePoint Server or Windows-based file servers. While cloud-based solutions are great for content stored in the cloud, what options are there for applying those same protections to data that hasn’t been migrated?

The answer is easy: Microsoft Purview Data Loss Prevention!

AIP Scanner
Originally branded as the Azure Information Protection scanner in 2018 to help identify sensitive information on-premises, the software has continuously been upgraded with more features. The newest iteration can help support your information protection goals.

Protecting on-premises repositories requires the following tasks to be completed:

• Configuring service accounts
• Deploying the AIP Unified Labeling (UL) client to an on-premises server
• Configuring the scanner settings
• Creating content scan jobs
• Creating an Azure app registration
• Deploying the AIP scanner to an on-premises server
• Configuring a DLP policy that includes on-premises repositories

As you can see, there are several pieces involved. Figure 11.9 shows the components in the on-premises DLP deployment:

Figure 11.9 – On-premises DLP architecture

The DLP architecture utilizes one or more on -premises servers configured with the AIP UL client and the AIP scanner. These servers query the DLP policies from the Microsoft Purview compliance portal, store service information in an on -premises SQL database, and are used to discover content in on-premises file shares and SharePoint sites.

Note
For production deployments, Microsoft recommends using a full version of SQL Server. For lab environments, you can use SQL Express. To download SQL Express, see https://www. microsoft.com/en-us/Download/details.aspx?id=101064.

Configuring a Service Account
For the scanner deployment, you’ll need two accounts—an on-premises account that has access to the file shares and SharePoint document libraries containing content to protect, and either a synchronized or cloud identity that will be used to access the Microsoft 365 service. They can be the same account (this may even make it easier from a deployment perspective). The AIP service does not currently support using a Managed Service Account (MSA) or group Managed Service Account (gMSA).

Deploying the AIP UL client
The first step in deploying the Microsoft Purview compliance solution on-premises is to ensure the server(s) you’ll be using have the most recent AIP UL client. Follow these steps to deploy the client:

  1. On the server(s) where you will configure the Microsoft Purview Information Protection Scanner cluster, navigate to https://aka.ms/aipclient to download the client. Either the .msi or .exe download is suitable.
  2. Once it has downloaded, launch the installer.
  3. Select I agree to proceed with the installation. Setup begins, as shown in Figure 11.10.

Figure 11.10 – AIP UL client installation

  1. Click Close to exit the installer.

Next, it’s time to move on to the scanner cluster installation.

Leave a Reply

Your email address will not be published. Required fields are marked *