Information Protection Scanner: Resolve Issues with Information Protection Scanner Deployment
About
If you are experiencing problems with the Microsoft Purview Information Protection scanner, check the health of your deployment by running the Start-ScannerDiagnostics PowerShell cmdlet, which starts the scanner diagnostic tool. The diagnostic tool checks the following details and then creates a log file with the results:
- Whether the database is up to date.
- Whether network URLs are accessible.
- Whether there's a valid authentication token and policy can be acquired.
- Whether the profile is defined in the Azure portal.
- Whether offline/online configuration exists and can be acquired.
- Whether the rules configured are valid.
The Start-ScannerDiagnostics command does not perform a comprehensive check of prerequisites. If you encounter problems with the scanner, you need to verify that your system meets the scanner's requirements, and that your scanner's configuration and installation are finished.
Verify Scanning Details Per Scanner Node and Repository
- Run the Get-ScanStatus PowerShell cmdlet to get details about the current scan status and the list of nodes in your scanner cluster.
- Use the NodesInfo variable with the Get-ScanStatus cmdlet to get further details about each node in the cluster.
- To drill down further into each node, use the NodesInfo variable again, with the node integer starting with 0.
- Use the Verbose parameter with the Get-ScanStatus cmdlet to get the data about a current scan.
- Use the RepositoriesStatus or the CurrentScanSummary variables to drill down further for more details about the status of the repositories.
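The steps above as one PowerShell session. This is an added example, not part of the original article. It assumes it runs on a scanner node where the scanner cmdlets are available, and it dumps each object with Format-List rather than assuming individual field names.

```powershell
# Added example: walk the Get-ScanStatus output from cluster level down to repositories.
# Assumption: run on a scanner node, in a session where the scanner cmdlets are loaded.

# 1. Current scan status and the list of nodes in the scanner cluster.
$status = Get-ScanStatus
$status | Format-List *

# 2. NodesInfo holds one entry per node; the node index starts at 0.
$nodes = @($status.NodesInfo)
for ($i = 0; $i -lt $nodes.Count; $i++) {
    Write-Output "--- NodesInfo[$i] ---"
    $nodes[$i] | Format-List *
}

# 3. -Verbose returns the data about the current scan.
$verbose = Get-ScanStatus -Verbose

# 4. Drill down into the scan summary and the per-repository status.
#    Both can be empty when no scan is running; Format-* then prints nothing.
Write-Output '--- CurrentScanSummary ---'
$verbose.CurrentScanSummary | Format-List *
Write-Output '--- RepositoriesStatus ---'
$verbose.RepositoriesStatus | Format-Table -AutoSize
```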
Authentication Token Not Accepted
Error message-
Microsoft.InformationProtection.Exceptions.AccessDeniedException: The service didn't accept the auth token.
Description-
The Set-Authentication command has failed.
Resolution-
Verify that the appropriate permissions are defined correctly in the Azure portal.
Authentication Token Missing
Error message-
- NoAuthTokenException: Client application failed to provide authentication token for HTTP request.
- Failed to acquire a token using windows integrated authentication (No SSO)
- From the Azure portal, on the Nodes page: Policy does not include any automatic labeling condition
Description-
These authentication errors occur when the scanner runs non-interactively.
Resolution-
You must authenticate with a token by using the Set-Authentication cmdlet. When you run this cmdlet, make sure to use the token parameter, on behalf of the service account that's used to run the scanner service.
Policy Missing
Error message-
Policy is missing
Description-
The scanner is unable to find your sensitivity label policy file.
Resolution-
To verify that your policy file exists as expected, check in the following location:
%localappdata%\Microsoft\MSIP\mip\MSIP.Scanner.exe\mip\mip.policies.sqlite3
Policy Doesn't Include Automatic Labeling Conditions
Error message-
Policy is missing labeling conditions
Description-
The labeling policy is missing automatic labeling conditions.
Resolution-
Configure Content scan job settings and Labeling policy settings. If the settings are already defined as expected, the policy file itself may be missing or inaccessible, such as when there is a timeout from the Microsoft Purview compliance portal. To verify your policy file, check that the following file exists:
%localappdata%\Microsoft\MSIP\mip\MSIP.Scanner.exe\mip\mip.policies.sqlite3
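One way to run the policy file check from the Policy Missing section and from this one, as an added example that is not part of the original article. Test-ScannerPolicyFile is a hypothetical helper name. Because %localappdata% resolves per user, the check is only meaningful when run as the scanner service account, so the result records which account ran it.

```powershell
# Added example: check that the scanner's policy file exists and can be opened.
# Test-ScannerPolicyFile is a hypothetical helper, not a scanner cmdlet.
# Run it as the scanner service account: %localappdata% is resolved per user.
function Test-ScannerPolicyFile {
    param(
        # Default is the path given under "Policy Missing" in this article.
        [string]$Path = (Join-Path $env:LOCALAPPDATA `
            'Microsoft\MSIP\mip\MSIP.Scanner.exe\mip\mip.policies.sqlite3')
    )

    $result = [ordered]@{
        RunningAs     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Path          = $Path
        Exists        = Test-Path -LiteralPath $Path -PathType Leaf
        Readable      = $false
        SizeBytes     = $null
        LastWriteTime = $null
    }

    if ($result.Exists) {
        $item = Get-Item -LiteralPath $Path
        $result.SizeBytes     = $item.Length
        $result.LastWriteTime = $item.LastWriteTime
        try {
            # Open read-only and share read/write so a running scanner is not blocked.
            $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
            $stream.Dispose()
            $result.Readable = $true
        }
        catch {
            # Present but inaccessible: keep the reason for the report.
            $result.Error = $_.Exception.Message
        }
    }

    [pscustomobject]$result
}

Test-ScannerPolicyFile | Format-List
```

A file that exists but shows an old LastWriteTime or a size of 0 suggests the policy download did not complete, which matches the timeout case described above.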
Database Errors
Error message-
DB error
Description-
The scanner is not able to connect to the database.
Resolution-
Check the network connectivity between the scanner computer and the database. Additionally, make sure that the service account being used to run scanner processes has all the permissions required to access the database.
Mismatched or Outdated Schema
Error message-
One of the following:
- SchemaMismatchException
- In the Azure portal, on the Nodes page:
DB schema is not up to date. Run Update-ScannerDatabase command to update the DB schema
Error- DB schema is not up to date
Description-
The database schema is not up to date.
Resolution-
Run the Update-ScannerDatabase cmdlet to resynchronize your schema and ensure that it's up to date with any recent changes.
Missing Content Scan Job or Profile
Error message-
In the Azure portal, on the Nodes page:
No content scan job found
Description-
This error occurs when the content scan job or profile can't be found.
Resolution-
Check your scanner configuration in the Azure portal.
Note- A profile is a legacy scanner term that has been replaced by the scanner cluster and content scan job in newer versions of the scanner.
No Repositories Configured
Error message-
In the admin portal, on the Nodes page:
No repositories are configured
Description-
You may have a content scan job with no repositories configured.
Resolution-
Check your content scan job settings and add at least one repository.
No Cluster Found
Error message-
In the admin portal, on the Nodes page:
No cluster found
Description-
No actual match was found for one of the scanner clusters you've defined.
Resolution-
Verify your cluster configuration and check it against your own system details for typos and errors.
Conclusion
All the above issues related to information protection scanner deployment are resolved.