Using Azure Information Protection Scanner to Classify and Protect Your Data

Company data breaches are becoming more common every day.  Social engineering is an age-old practice that malicious hackers use to exploit the weakest link in an organization:  human psychology.  Social engineering hacks are an organizations biggest fear and for good reason.  Using Azure Information Protection (AIP) organizations can employ a set of classification and protection standards for all of their data no matter where it lives.  AIP can help organizations implement the necessary security and classification policies which are forever tied to the data.  No matter where the data lives or who gets their hands on it, companies can be assured that their data is safe and compliant.

Azure AIP How.jpg

Azure Information Protection labeling

One of the biggest challenges with becoming data compliant is implementing a data classification and protection process that considers each individual piece of data’s sensitivity, storage and distribution needs.  With the amount of data exponentially growing every day this task feels like a huge uphill battle.  Discover, classify, label and protect your data with Azure Information Protection.  AIP is a cloud-based solution that can be used to classify, label and protect documents and emails.  AIP protects all file types whether it’s at rest, in use, or in-motion.  AIP has tight integration with Office files and PDFs and provides the best end-user experience.  AIP can also protect emails and data stored inside and outside of the Microsoft Cloud and with non-Microsoft cloud and SaaS apps.  Using labels AIP can be configured for two types of policies: protection and retention.  Labels are used to classify and protect your data across workloads no matter where the files are stored.  Additionally, retention policies can be configured for each label that is created to meet your organizations data compliance requirements. 

Azure Information Protection can help companies in their journey to GDPR compliance by discovering sensitive data within the organization.  AIP has the capability to automatically scan, classify and protect sensitive files that are discovered throughout the scanning process.  New files that are currently being used can be manually labeled but what about the large number of files that are sitting in SharePoint or on an on-premises file share?  This is where the AIP scanner tool comes to the rescue.  The AIP scanner is a tool that can be used to discover, label and protect many files at once automatically.

Let’s say for example you have a large file share in your on-premises environment.  This file share includes a plethora of different files and file types.  You can configure the AIP scanner to begin scanning this file share and labeling your data according to content that matches a pre-defined condition.  The AIP scanner will label and protect your files in an automated fashion.  Labels apply classification, and optionally, apply or remove protection.  These labels can be used by the AIP scanner tool to automatically classify sensitive data.  For example, if a file contains credit card numbers or employee social security numbers the scanner will recognize the sensitive data and apply protection and optionally a retention policy according to the AIP label that gets applied.  Sensitive information updates are being added all the time.  Just this week Microsoft added some additional types to help address classification needs around GDPR as you can read here:  New GDPR sensitive information types help you manage and protect personal data

AIP labels are a classification capability provided by the AIP service which can be used to identify and classify the different types of data that exists within your organization.  These labels are what the AIP scanner will use when applying them to discovered files.  Labels can be categorized by sensitivity levels that range from non-business to highly confidential.  Labels will define what type of protection and retention get applied to your files.

The labels can include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as data loss prevention solutions, can identify the classification and take appropriate action.  This is great for companies that are moving to the cloud and want to make sure their data is classified and protected before the migration from on-premises.

AIP Scanner Overview

The AIP scanner runs as a service on a Windows Server that is a part of your on-premises network.  The scanner currently supports the following data stores for discovery:

  • Local folders on the Windows Server computer that runs the AIP scanner
  • UNC paths for network shares that use the Server Message Block (SMB) protocol
  • Sites and libraries for SharePoint Server 2016 and SharePoint Server 2013
  • Cloud repositories that use Cloud App Security

The AIP scanner is locally configured on the Windows member server and maintains a secure connection to your O365 tenancy.  The tool is constantly monitoring the automatic labeling requirements which are setup in the Azure Information Protection policies within the Azure portal.  The AIP scanner can inspect any file that Windows can index by using iFilters to open the different file types. 

The scanner uses the Office 365 built-in data loss prevention sensitivity information types and pattern detection.  This provides AIP with the ability to recognize the data inside of the file, label and protect it automatically.  Additionally, the AIP scanner can be run in discovery mode.  In this mode reports are created to provide a picture of the potential labeling changes that would be made to your data without actually applying the labels.  This mode is especially useful when you want to see the potential impact of applying different labels across your data.  The scanner will systematically crawl the data stores that have been configured.  The scanner can be configured to run on a schedule so as new files get added to the data stores these files will be labeled and protected automatically.  For the first scan cycle of the datastore the scanner will perform a full crawl of each file.  Subsequent scan cycles will only include new and modified files.

The following file types can be automatically labelled according to the pre-defined conditions:

  • Word:  docx, docm, dotm, dotx
  • Excel:  xls, xlt, xlsx, xltx, xltm, xlsm, xlsb
  • PowerPoint:  ppt, pps, pot, pptx, ppsx, pptm, ppsm, potx, potm
  • Project:  mmp, mpt
  • PDF:  pdf

There are many use cases where labeling all your files automatically is not the best approach.  Applying labels haphazardly will only cause confusion to end users who will undoubtedly complain and lose faith in AIP.  It is a best practice to use the AIP “recommendation classification” option to start when configuring your AIP labels.  This classification option will allow the user to accept or reject the recommended classification and protection from AIP.  Labels which are configured to be applied when certain conditions are met will trigger the AIP client to recommend a label to the user as shown below:

AIP Office Toolbar.png

If the user decides to dismiss this recommendation they will be prompted for justification of the change as shown here:

AIP Office Classification.png

Recommended classification applies to Word, Excel, and PowerPoint.  When the file is saved the user will be prompted as shown in the above screenshots.  Unfortunately, the recommendation classification feature does not currently work with Outlook.

AIP Scanner Licensing

The AIP scanner is an Azure Information Protection P2/EMS E5 feature.  The AIP P2/EMS E5 license is required to enable automatic labeling using custom labels that are pre-defined.  This license enables the use of custom labels that can be applied automatically by the AIP scanner.  This includes creating pre-defined conditions for sensitive data that will trigger AIP to apply a label and optionally protection.  With that said, currently AIP P1/EMS E3 licenses can use the AIP scanner tool which will only allow the use of one default policy.  The good news for organizations with a E3/AIP P1 license is that they can set the default label for each specific datastore (think folder in a file share or document library in SharePoint) to automatically classify their files.  Going back to the file share example above, let’s say there was an HR and Legal folder in the file share.  You can configure the AIP scanner to use a different default label (one for HR and another for Legal).  Yes, this process is going to be more manual then if you had a P2 license but it’s not a bad workaround if you ask me!

Hosting the AIP scanner configuration requires the use of a SQL Server instance.  Here are some of the key points when planning the SQL Server  

  • The AIP scanner installation requires a SQL Server instance to store the scanner configuration
  • SQL Server 2012 is the minimum supported version
  • The AIP scanner supports the use of a SQL Server Express license

There are two levels of AIP Premium licensing.  P1 & P2, the biggest difference between them is that P2 includes the automated and recommended data classification capabilities.  Here is a link to the official breakdown of each of the different AIP pricing plans:  here.  The AIP scanner can be downloaded and installed as a part of the Microsoft AIP client download found here.  Make sure that you download the full client in order to be able to install the AIP scanner.  Once the AIP client is downloaded and installed, the AIP scanner can be configured using PowerShell.


Azure Information Protection provides a cloud-based solution for classifying, labeling and protecting your data.  Organizations can leverage this solution to apply a consistent classification and protection policy to files throughout the lifecycle of their data.  The AIP scanner adds additional value by allowing organizations with large amounts of data to automate the labeling and protection of their data.  For organizations looking to not only classify their data but also protect it no matter where the content is stored or how it is moved, I would highly recommend looking into the Azure Information Protection product.      


Leverage Azure Information Protection

Azure Active Directory Premium Features – Why You Want It

Azure Active Directory provides a cloud-based solution for user account and identity management. While the free and basic editions may meet the requirements of organizations that only need Azure AD to maintain user accounts, most of the time, businesses need more from their account and identity management solution and as a result, turn to the Azure AD premium editions (known as Premium P1 and Premium P2).

There are a few features that both the premium and basic editions share that you can’t get with the free edition:

Service Level Agreement

The SLA guarantees a minimum amount of uptime and provides a framework for holding Microsoft accountable for any outages. It makes sense that this wouldn’t be available with the free service as you can’t refund a service cost if there isn’t one to start with. The SLA is calculated based on how many minutes of downtime occur and the number of users impacted.


The ability to use your organization’s branding on logon pages and access panels. This is a nice touch because it creates a more uniform and polished look across applications, and also provides an identifiable interface for your end users. It can be confusing as an end user seeing a generic logon page and wonder whether you are in the right place.

Password Self Service

One of the most useful (and heavily used features), is the self-service password reset for cloud accounts. This allows users to reset their password whenever they need to without having to contact their help desk or IT department. Depending on the business, password resets can be as much as a 50% drain on the helpdesk’s bandwidth. Adding this feature to the available offerings could immediately provide an ROI just through saved alone.

While the basic edition includes all of the features listed above and those are enough to satisfy the needs of most smaller organizations, they fall short of providing a truly seamless transition between all applications, both on-premises and cloud-based. This is because the free and basic editions limit the number of applications that have an SSO experience to 10 per user, whereas premium has no limit. Additionally, the two premium editions have the following features that provide a seamless user experience between on-premises and the cloud:

  • Self-service group and app management / Self-service application additions / Dynamic groups
  • Self-service password reset / change / unlock with write-back to the on-premises Active Directory
  • Device objects two-way synchronization between on-premises directories and Azure AD (Device write-back)
  • Multi-Factor Authentication (Cloud and on-premises (MFA Server))

With the premium editions, changes to accounts and groups only need to be made in one place because everything is automatically synchronized. For example, whether a user is trying to logon to their on-premises SharePoint environment or trying to login to their mail using, if the multifactor authentication feature is enabled, the user will be presented with the same prompt. To the user, it feels like a unified system.

Another premium feature that can be very useful is the availability of dynamic groups and conditional access based on group, location, and device state. An AD administrator can end up spending a lot of time managing group memberships. Most applications with complex security structures like SharePoint can have hundreds if not thousands of groups and usually a handful of Active Directory administrators are the only one who can add and remove users from these groups. This leads to the AD admins becoming inundated with requests to change the group memberships. With conditional access and dynamic groups, administrators only needs to setup rules based on user information. For example, all users from Germany will see “X” folder or all users in the Sales department can contribute to “Y” site. This saves the admins from having to update group membership altogether and can instead focus on making sure that users’ account attributes are up to date.

As security concerns keep mounting and data breaches keep occurring all too often, companies are struggling to do more to ensure all sensitive data stays protected. Multi-factor authentication, another premium feature, provides an extra layer of protection by requiring a secondary authentication method (such as a phone call, text message, or mobile app verification) when users attempt to login.

If you’re looking to take things a step further, then you will want to look at the identity protection features of the Premium P2 edition. With this edition, Azure AD uses machine learning to alert you to suspicious activities and detect events that are out of the ordinary and also provides reporting against its findings. Going even further, you can develop risk-based policies that will automatically respond when certain alerts have been triggered, ensuring that the system ‘always has your back’. These features go well above and beyond the capabilities of traditional AD running on your on-premises services. By leveraging the Microsoft Cloud’s AI and Machine Learning capabilities you have access to advanced threat protection.

While this article just scratches the surface of Azure AD and its features, Microsoft has put together the following table to help you understand all of the various features and differences between the different versions:

The Azure Active Directory feature offerings can be overwhelming and can be configured in several different ways depending on business requirements. If you’re considering Azure AD Premium, let B&R Business Solutions make sure all of the features that you are paying for and care about are fully leveraged and configured correctly the first time. Contact us today by completing our contact us form.


B&R can help you evaluate 

and plan for implementing Azure!

Getting More from Your Microsoft Cloud Hosting

Why Use a Microsoft Cloud Solution Provider (CSP) Such as B&R?

Using a Microsoft Cloud Solution Provider (CSP) can help you get the most out of your cloud hosting experience. More and more, Microsoft is making an effort to drive customers to partners that have the title of ‘Cloud Solution Provider’, or CSP for short. The CSP program is a relatively new (two years old) component of the overall Microsoft partner program that allows partners such as B&R Business Solutions to provide licenses and a variety of services to customers through one of two models:


The partner has a direct relationship with Microsoft and procures the licenses the customer needs directly from Microsoft and then acts as a trusted adviser for the customer. In this role, the partner provisions any services and licenses needed, bills the customer for the licenses (and any other services bundled with them), monitors the services the customer is using, and provides support for the customer.


The partner acts as a reseller and account management is handed off to a distributor who has the relationship with Microsoft. With this approach, the partner is able to leverage the resources of the distributor to provision the licenses and services, and the distributor bills the customer and provides the support and monitoring services.

When B&R became a CSP, we elected to go with the direct model. This means that customers that use B&R can be sure that B&R stays engaged and has the provisioning, support, and billing capabilities that are up to Microsoft standards in-house. Additionally, you can be sure that you are working directly with B&R employees, and not a distributor – ensuring that we build a relationship directly between our customers and our team members.

Let’s break down the benefits of using a Microsoft CSP a bit further:


If you are purchasing your Office 365 licenses or Azure subscription directly through the or web sites, you are paying the list to Microsoft for the services. With the CSP program, B&R is able to provide discounts on your licenses and consumption that are not available through the ‘web direct’ programs.

Better Terms

When you sign up with B&R for your licenses or Azure consumption, you can pay on NET terms. Additionally, there are no early termination fees for the removal or Office 365 licenses (unlike when you go web direct and you are charged a fee for removing a license prior to its renewal date).


While you may just decide to use B&R for your O365 & Azure subscriptions, if you use B&R for managed services or project-based consulting services, everything appears on one invoice. No more chasing down multiple vendors – you have one place to go for everything and

B&R has a variety of bundles that can further simplify things (and save you money) – check out


It can be frustrating trying to get the right individuals to support your organization during critical times. With the CSP program, B&R is your trusted partner – and your first line of support to help get you back up and running. The talented team at B&R will work with your on any issues you are experiencing and if needed, B&R has access to ‘Signature Cloud Support’ – which provides a higher level of support to Microsoft CSP partners – and in turn means quick time to resolution and access to excellent Microsoft resources.


B&R has been working with Office 365 along with the Azure platform & infrastructure services for many years, and has one of the most talented teams anywhere (the team includes 2 current MVPs and 2 former MVPs). If you want to implement Office 365 and Azure right – the first time – then it makes sense to partner with the best, and that’s exactly what you will get with the B&R Team.

As a CSP, B&R Business Solution is going to ensure that your organization gets the best possible support and works with some of the most experienced individuals in the industry – all while being rewarded with a simplified approach and cost savings.

Interested in the CSP program? Looking to save money? Want to provide your organization with a higher level of support? Then contact B&R Business Solutions today – we can start by taking a look at your current (or proposed) cloud spend and immediately let you know how the CSP program can save you money and make recommendations based on our experience. There’s no charge for this assessment, and we’re confident you will be glad you reached out!


Worry-free Managed Services with Predictable Pricing

Hybrid IT: A Journey Worth Exploring

In recent years, the cloud has emerged as the leading technology for delivering services across industries.  How have cloud technology-as-a-service solutions come to dominate the market so quickly?

  1. The internet continues to improve and is the backbone of delivering cloud solutions anywhere.
  2. Cost-effective, high-speed networks and broadband used by individuals, small businesses, and enterprises.
  3. Server virtualization has dramatically reduced the cost of powerful computing (possibly to a tipping point for #2)

Now, massive and extremely cost-effective datacenters around the world are hosting all the software that drives “as-a-service” apps. Businesses of all sizes and their employees can access these datacenters for services from around the world via reliable and affordable high-speed networks.

All cloud all the time? Not so fast…

Despite all the powerful advancements, we are living in a hybrid world where there is a mix of on-premises and cloud technologies. 

Though cloud computing is here, organizations and their Modern MSPs need to approach cloud computing as a journey from on-premises technology to cloud computing.

During the transition, a hybrid model is a great (and often recommended) next step to gain the flexibility, scalability, and affordability of cloud computing while getting the full life and utility from existing on-premises IT.

A Modern MSP with expertise in both traditional on-premises technology and cloud computing can help customers build an intelligent solution now that will help an organization transition in the future. The right partner will help to make every investment in the cloud an investment that addresses immediate needs as well as long-term goals.

How? It’s all about the business outcomes you have in mind.

Just as moving to the cloud is a journey, so are the long-term business outcomes you hope to achieve. Combine the two goals and you create a powerful feedback loop to drive your IT and your business forward.

We’re here to help you grow. We look forward to the opportunity to discuss your unique needs and see where the cloud fits into your IT and business planning.

'Cloud First' MSPs and How You Should Think About the Cloud

Why does the Modern MSP think ‘Cloud First’ for its customers?

Let’s be honest – say and think what you want, but the cloud is here to stay. It provides enormous benefits to organizations that have never been realized in the technology world before.

But, what is the cloud? Quite simply, cloud computing means that on-premises-based IT systems, applications and databases are hosted in one or more state-of-the-art datacenters managed by a cloud services provider. Examples include Microsoft Office 365 for email and collaboration, Microsoft Azure for Infrastructure-as-a-Service (IaaS) or Microsoft Dynamics for Software-as-a-Service (SaaS).

There are huge benefits to having a cloud-driven business

For many reasons - productivity, security, accessibility, costs, etc. - cloud services have become enormously popular for companies of all sizes from the SMB to large enterprises.  The cloud is universally believed to represent the future model for the delivery of almost all IT services. 

Through advanced virtualization technologies, an experienced technical support staff, and a major investment in hosting facilities, a cloud services provider can operate more efficiently and cost-effectively in delivering hosted IT services than a company which owns and manages their own dedicated, on-premises datacenter.

Cloud services come in many forms - sometimes as point solutions and sometimes as fully integrated applications and services that solve a range of business challenges.

Let’s explore a simple example: hosted email

By moving a company’s email service from an on-premises system into the cloud as a hosted service, many benefits are immediately realized by the customer.

First, the server itself is eliminated. No longer will a costly and complex device require floor space, electrical power, cooling, system upgrades, software patching, maintenance, and repair. Email service in the cloud removes this costly overhead and replaces it with a hosted service; heavy and unpredictable capital and operating expenses associated with an on-premises solution are replaced with a predictable monthly or annual service fee that dramatically reduces the Total Cost of Ownership (TCO).

Even better, the simplicity of a hosted solution and the reach of the internet enable untethered, universal access to the service for users located anywhere, using any device. The cloud is not only a cost saver, it’s an enabler of mobility, information access and device independence.  

Now imagine that all the benefits (and more!) associated with our simple email example are applied to any and every application or service that migrates to the cloud. Savings and organizational benefits are greatly multiplied.

Customers today have an extremely broad range of cloud services available to them. Think of them as a collection of building blocks that you can use to solve problems and enable business objectives. The Modern MSP must have a “cloud first” mentality to de-mystify the cloud and help customers reap the rewards.

Want to learn more about what’s available to you in the cloud? Contact us today!