More Fun with the AIP Scanner (EMS E3/AIP P1 Capabilities)

The Scenario:

So you recently read my post about configuring the Azure Information Protection Scanner and love the capabilities, but alas, you only have EMS E3/AIP P1 licensing so you can't use the AIP Scanner since Automatic Labeling is an EMS E5/AIP P2 feature, right? Well, almost.  It has recently been brought to my attention that there is one Automatic label that is available to EMS E3/AIP P1, and that is the Default Label.  A default label is used to make it easier to start classifying all of your data and is typically set to a non-protected (unencrypted) label such as General so as not to upset standard business processes.

However, the designers of the AIP Scanner are AWESOME and decided that you could assign a different default label for each AIP Repository!  This means that if you want to use your Confidential (or HR Only, Legal Only....) label as the default label for a specific repository, you can do just that!  So, you can stand up an AIP Scanner instance and use it to apply a label to an entire folder on a file share or specific on prem SharePoint document list/library and everything unlabeled in that folder/library will be classified and, if specified, protected with that default label.

The Solution:

So how do we make this amazing functionality happen?? Simple! First, make sure you have the AIP Scanner fully deployed up to the point where you are ready to add repositories (see my previous blog if you need help here) and then use the PowerShell command below to add your repository. The repository and label details shown are fake values, so change the path, label ID and owner to match your environment.

PS C:\> Add-AIPScannerRepository -Path \\NAS\HR -SetDefaultLabel On -DefaultLabelId f018e9e7-0cfc-4c69-b27a-ac3cb7df43cc -DefaultOwner ""

Note that we are also assigning a default owner that will have full control of the documents.  This command is actually stolen from fully documented at and as always, if that page is updated it is authoritative over any content here.

One caveat to this feature is that a default label, by design, will only label items that have never been classified before.  The AIP scanner -OverrideLabel switch is only used to override labels if they match automatic conditions (E5/P2 feature). So if you are already using default labels throughout your organization, the files that already carry a label will be skipped by the scan.

If you are using default labels, you can still have this same functionality but you would need to script the use of the Set-AIPFileLabel cmdlet on the repository to be able to provide justification for the changing of the labels and set up a scheduled task to run the commands on a regular basis.  While this is not elegant, it does provide similar functionality with only the E3/P1 license.  A sample of that command is shown below.

PS C:\> Set-AIPFileLabel -Path \\Finance\Projects\ -LabelId d9f23ae3-4321-4321-4321-f515f824c57b -JustificationMessage 'The previous label no longer applies' -Owner "" -PreserveFileDetails
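
Here is one way to wrap that command in a script you can schedule. This is an added example, not code from the original post or from Microsoft: it goes a little further than the one-liner by skipping files that already carry the target label and by writing every change to a CSV. The owner address, the log path (the folder is assumed to exist) and the -ReportOnly switch are placeholders made up for the example.

```powershell
# Added example. Path and label ID are the post's fake sample values;
# owner@example.com and C:\Logs are placeholders to replace with your own.
param(
    [string]$RepositoryPath = '\\Finance\Projects\',
    [string]$LabelId        = 'd9f23ae3-4321-4321-4321-f515f824c57b',
    [string]$Owner          = 'owner@example.com',
    [string]$Justification  = 'The previous label no longer applies',
    [string]$LogPath        = 'C:\Logs\AIP-Relabel.csv',
    [switch]$ReportOnly     # hypothetical switch: list what would change, touch nothing
)

Import-Module AzureInformationProtection -ErrorAction Stop

# Get-AIPFileStatus reports the current label status of the files under the path.
$status = Get-AIPFileStatus -Path $RepositoryPath

# Keep only files that do not already carry the target label (as main label or sub-label).
$toChange = $status | Where-Object {
    $_.MainLabelId -ne $LabelId -and $_.SubLabelId -ne $LabelId
}

$results = @(foreach ($file in $toChange) {
    $row = [ordered]@{
        Time          = (Get-Date).ToString('s')
        File          = $file.FileName
        PreviousLabel = if ($file.IsLabeled) { $file.MainLabelName } else { '(none)' }
        Status        = 'WouldChange'
        Comment       = ''
    }
    if (-not $ReportOnly) {
        try {
            $r = Set-AIPFileLabel -Path $file.FileName -LabelId $LabelId `
                    -JustificationMessage $Justification -Owner $Owner `
                    -PreserveFileDetails -ErrorAction Stop
            $row.Status  = $r.Status
            $row.Comment = $r.Comment
        } catch {
            $row.Status  = 'Error'
            $row.Comment = $_.Exception.Message
        }
    }
    [pscustomobject]$row
})

# Append to a CSV so every relabel (and every failure) leaves an audit trail.
$results | Export-Csv -Path $LogPath -Append -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once with -ReportOnly and review the CSV before you point a scheduled task at it, and run the task under an account that is already authenticated to AIP.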

And that is it!  Now you can start using the AIP Scanner (or PowerShell) to classify and protect entire file shares and on prem SharePoint libraries with only an EMS E3/AIP P1 license!


But wait, there's more! I recently documented additional discovery features that can be done with an E3/P1 license at  This gives even more flexibility with finding your sensitive data so that you can move it to a secure repository (or protect it where it is if you decide to move to E5/P2 for auto-classification capabilities).
