Azure Information Protection (AIP) for the on-prem environment works through the AIP scanner, a component of the Azure Information Protection (unified labeling) client that is installed on a server in the on-prem environment.
The scanner applies the DLP policies and sensitivity labels that are configured in the Microsoft Purview compliance portal to the repositories you configure.
This feature requires a Microsoft 365 E5 license; a trial license (25 units for one month) is available.
Enabling AIP for on-prem gives the organization the ability to discover, classify and protect files in the on-prem environment that are located in the following places:
- UNC paths (network shares) that use the SMB or NFS protocol.
- SharePoint document libraries and folders (SharePoint Server 2013 to 2019).
The scanner can then label the files with the sensitivity labels configured in the Purview portal; with a sensitivity label (and an auto-labeling policy) you can protect your files.
Keep in mind that the AIP scanner does not run and assign labels in real time: “it systematically crawls through files on data stores that you specify”. A file dropped on a share after a pass is only evaluated on the next pass.
The scanner also supports clustering: several scanner servers installed with the same cluster name share one configuration and split the scanning work.
Since the AIP scanner uses the DLP policies the organization configures in the Purview portal, you get the DLP and labeling abilities in the on-prem environment: restricting access to files, and, through the encryption settings of the applied sensitivity label, preventing forwarding, printing and sharing, plus content markings and so on. Note that the forwarding, printing and sharing restrictions come from the label's encryption (usage rights), enforced by the application that opens the protected file, not from the scanner itself.
The AIP scanner runs as a service on the server (according to the Microsoft article, the scanner can also be installed on Windows 10/11 for POC and testing purposes).
The AIP scanner (with DLP) detects files in the configured on-prem repositories by looking for:
- sensitive information types
- sensitivity labels
- file extension
- custom document properties (Office files only)
When DLP detects a file that violates the compliance policy or is at risk of being leaked, the policy can be configured to take the following actions:
- Block people from accessing files stored in on-premises repositories, with two options: block everyone, or block only people who have access to your on-premises network and users in your organization who weren't granted explicit access to the file.
- Set permissions on the file (permissions are inherited from the parent folder).
- Remove the file from its improper location.
For the on-prem AIP scanner to be available and running, you must create a content scan job in the Purview portal (including the repository locations on the servers that host the files you want DLP to evaluate) and configure the cluster.
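The steps above (install the scanner in a cluster, authenticate it, register the share and SharePoint repositories, run the content scan job) as one PowerShell walkthrough. This is an added example written for this page, not code from the original post or from Microsoft's documentation. The SQL instance, cluster name, service account, Azure AD app registration values, share paths and SharePoint URL are placeholder assumptions; replace them with your own. Only cmdlets that ship in the AzureInformationProtection module of the unified labeling client are used.

```powershell
# Added example (not from the original page): bring up one scanner node,
# point it at two on-prem repositories, run a discovery-only pass, review,
# then switch to enforcement.
# Assumptions (placeholders): SQL instance SQL01\AIPSCANNER, cluster name
# OnPremDLP, service account CONTOSO\svc-aipscan, the app registration IDs,
# the share path \\FS01\Finance and the SharePoint Server site URL.
# Run in an elevated PowerShell session on the scanner server after installing
# the Azure Information Protection unified labeling client.

Import-Module AzureInformationProtection

# 1. Install the scanner service. The cluster name is what the content scan
#    job in the Purview portal binds to; every node installed with the same
#    name shares that job and its repositories (the clustering described above).
$svc = Get-Credential -UserName 'CONTOSO\svc-aipscan' -Message 'Scanner service account password'
Install-AIPScanner -SqlServerInstance 'SQL01\AIPSCANNER' -Cluster 'OnPremDLP' -ServiceUserCredentials $svc

# 2. Obtain an unattended token through an Azure AD app registration.
#    -OnBehalfOf runs the call as the service account so the token is cached
#    where the scanner service can use it. Prompt for the secret rather than
#    embedding it in the script (it would otherwise land in script history).
$appSecret = Read-Host -Prompt 'App registration client secret'
Set-AIPAuthentication -AppId '11111111-2222-3333-4444-555555555555' `
                      -AppSecret $appSecret `
                      -TenantId '66666666-7777-8888-9999-000000000000' `
                      -DelegatedUser 'svc-aipscan@contoso.com' `
                      -OnBehalfOf $svc

# 3. Register the two repository types the text lists: an SMB share and a
#    SharePoint Server library. -OverrideContentScanJob Off makes the
#    repository inherit the content scan job settings instead of its own.
Add-AIPScannerRepository -Path '\\FS01\Finance' -OverrideContentScanJob Off
Add-AIPScannerRepository -Path 'http://sp2019.contoso.local/sites/HR/Shared Documents' -OverrideContentScanJob Off

# 4. First pass: discovery only. -Enforce Off reports what would be labeled
#    or acted on without touching files or ACLs. Undoing a "block everyone"
#    DLP action applied across a file server is painful, so read the report
#    before enforcing. -DiscoverInformationTypes All reports every sensitive
#    information type found, not only those referenced by a policy.
#    If the scanner is managed from the portal (the default), make the same
#    settings on the content scan job there; these cmdlets are the local
#    equivalent.
Set-AIPScannerContentScanJob -Enforce Off -DiscoverInformationTypes All -Schedule Manual
Start-AIPScan -Reset        # -Reset rescans every file, not only changed ones
Get-AIPScannerStatus        # poll until the node is idle and the pass is complete

# 5. Review the scanner's CSV reports (written under the service account's
#    profile, %localappdata%\Microsoft\MSIP\Scanner\Reports; assumption,
#    check the path for your client version) before step 6.

# 6. Switch to enforcement and schedule a continuous crawl. The scanner is
#    still not real time: new files are caught on the next pass.
Set-AIPScannerContentScanJob -Enforce On -Schedule Always
Start-AIPScan

# 7. Spot-check a file the scanner should have labeled and protected.
Get-AIPFileStatus -Path '\\FS01\Finance\Q3-forecast.xlsx' |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected
```

Run step 2 again whenever the app secret is rotated; the scanner stops labeling silently when its cached token can no longer be refreshed, and Get-AIPScannerStatus is the quickest place to notice it.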
Policy Tips are not available in the on-prem environment.
All the DLP activity from the scanner is shown in the activity explorer of the Microsoft Purview compliance portal.
In a nutshell
The AIP scanner brings the Microsoft 365 DLP abilities to the on-prem environment, with:
- Activity log
- Auto-labeling
- Policy enforcement on the scanned files
- Restrict
- Block
- Monitoring of the files and data your employees share and store (“at rest”)
- Alerting the relevant SOC on data leaks and compliance violations
References
https://learn.microsoft.com/en-us/microsoft-365/compliance/deploy-scanner?view=o365-worldwide