Share via


Install-MIPNetworkDiscovery

Installs the Network Discovery service.

Syntax

Install-MIPNetworkDiscovery
       [-ServiceUserCredentials] <PSCredential>
       [[-StandardDomainsUserAccount] <PSCredential>]
       [[-ShareAdminUserAccount] <PSCredential>]
       [-SqlServerInstance] <String>
       -Cluster <String>
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

Description

Relevant for: AIP unified labeling client only

The Install-MIPNetworkDiscovery cmdlet installs the Network Discovery service, which enables AIP administrators to scan a specified IP address or range for possibly risky repositories, using a network scan job.

Use network scan job results to identify additional repositories in your network to further scan using a content scan job. For more information, see Create a network scan job.

Important

You must run this cmdlet before you run any other cmdlet for the Network Discovery service.

After you have run this command, use the Azure portal to configure the settings in the scanner's network scan jobs. Before you run the scanner, you must run the Set-MIPNetworkDiscoveryConfiguration cmdlet one time to sign in to Azure AD for authentication and authorization.

Note

The Azure Information Protection (AIP) network discovery feature uses AIP analytics (public preview). As of March 18, 2022, we are sunsetting network discovery together with the AIP analytics and audit logs public preview. Moving forward, we'll be using the Microsoft 365 auditing solution. Full retirement for network discovery, AIP analytics, and audit logs is scheduled for September 30, 2022.

For more information, see Removed and retired services.

Examples

Example 1: Install the Network Discovery service by using a SQL Server instance

PS C:\> $serviceacct= Get-Credential -UserName domain\scannersvc -Message ScannerAccount
PS C:\> $shareadminacct= Get-Credential -UserName domain\adminacct -Message ShareAdminAccount
PS C:\> $publicaccount= Get-Credential -UserName domain\publicuser -Message PublicUser
PS C:\> Install-MIPNetworkDiscovery -SqlServerInstance SQLSERVER1\AIPSCANNER -Cluster EU -ServiceUserCredentials $serviceacct  -ShareAdminUserAccount $shareadminacct -StandardDomainsUserAccount $publicaccount

This command installs the Network Discovery service by using a SQL Server instance named AIPSCANNER, which runs on the server named SQLSERVER1.

  • You are prompted to provide the Active Directory account details for the scanner service account.
  • If an existing database named AIPScannerUL_EU isn't found on the specified SQL Server instance, a new database with this name is created to store the scanner configuration.
  • The command displays the installation progress, where the install log is located, and the creation of the new Windows Application event log, named Azure Information Protection Scanner.
  • At the end of the output, you see The transacted install has completed.

Accounts used in this example

The following table lists the accounts used in this example for activity:

Activity Account description
Running the service The service is run using the domain\scannersvc account.
Checking permissions The service checks the permissions of the discovered shares using the domain\adminacct account.

This account should be the admin account on your shares.
Checking public exposure The service will check the share's public exposure using the domain\publicuser account.

This user should be a standard Domain user, and a member of the Domain Users group only.

Example 2: Install the Network Discovery service by using the SQL Server default instance

PS C:\> $serviceacct= Get-Credential -UserName domain\scannersvc -Message ScannerAccount
PS C:\> $shareadminacct= Get-Credential -UserName domain\adminacct -Message ShareAdminAccount
PS C:\> $publicaccount= Get-Credential -UserName domain\publicuser -Message PublicUser
PS C:\> Install-MIPNetworkDiscovery -SqlServerInstance SQLSERVER1 -Cluster EU -ServiceUserCredentials $serviceacct  -ShareAdminUserAccount $shareadminacct -StandardDomainsUserAccount $publicaccount

This command installs the Network Discovery service by using the SQL Server default instance that runs on the server, named SQLSERVER1.

As with the previous example, you are prompted for credentials, and then the command displays the progress, where the install log is located, and the creation of the new Windows Application event log.

Example 3: Install the Network Discovery service by using SQL Server Express

PS C:\> $serviceacct= Get-Credential -UserName domain\scannersvc -Message ScannerAccount
PS C:\> $shareadminacct= Get-Credential -UserName domain\adminacct -Message ShareAdminAccount
PS C:\> $publicaccount= Get-Credential -UserName domain\publicuser -Message PublicUser
PS C:\> Install-MIPNetworkDiscovery -SqlServerInstance SQLSERVER1\SQLEXPRESS -Cluster EU -ServiceUserCredentials $serviceacct  -ShareAdminUserAccount $shareadminacct -StandardDomainsUserAccount $publicaccount

This command installs the Network Discovery service by using SQL Server Express that runs on the server named SQLSERVER1.

As with the previous examples, you are prompted for credentials, and then the command displays the progress, where the install log is located, and the creation of the new Windows Application event log.

Parameters

-Cluster

The name of your scanner instance, as defined by your scanner cluster name.

Type:String
Aliases:Profile
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ServiceUserCredentials

Specifies the account credentials used to run the Azure Information Protection service.

  • The credentials used must be an Active Directory account.

  • Set the value of this parameter using the following syntax: Domain\Username.

    For example: contoso\scanneraccount

  • If you do not specify this parameter, you are prompted for the username and password.

For more information, see Prerequisites for the Azure Information Protection scanner.

Tip

Use a PSCredential object by using the Get-Credential cmdlet. In this case, you are prompted for the password only.

For more information, type Get-Help Get-Cmdlet.

Type:PSCredential
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ShareAdminUserAccount

Specifies the credentials for a strong account in an on-premises network, used to get a full list of file share and NTFS permissions.

  • The credentials used must be an Active Directory account with Administrator/FC rights on your network shares. This will usually be a Server Admin or Domain Admin.

  • Set the value of this parameter using the following syntax: Domain\Username

    For example: contoso\admin

  • If you do not specify this parameter, you are prompted for both the username and password.

Tip

Use a PSCredential object by using the Get-Credential cmdlet. In this case, you are prompted for the password only.

For more information, type Get-Help Get-Cmdlet.

Type:PSCredential
Position:0
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SqlServerInstance

Specifies the SQL Server instance on which to create a database for the Network Discovery service.

For information about the SQL Server requirements, see Prerequisites for the Azure Information Protection scanner.

  • For the default instance, specify the server name. For example: SQLSERVER1.
  • For a named instance, specify the server name and instance name. For example: SQLSERVER1\AIPSCANNER.
  • For SQL Server Express, specify the server name and SQLEXPRESS. For example: SQLSERVER1\SQLEXPRESS.
Type:String
Position:2
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-StandardDomainsUserAccount

Specifies the credentials for a weak account in an on-premises network, used to check access for weak users on the network and expose discovered network shares.

  • The credentials used must be an Active Directory account, and a user of the Domain Users group only.

  • Set the value of this parameter using the following syntax: Domain\Username

    For example: contoso\stduser

  • If you do not specify this parameter, you are prompted for both the username and password.

Tip

Use a PSCredential object by using the Get-Credential cmdlet. In this case, you are prompted for the password only.

For more information, type Get-Help Get-Cmdlet.

Type:PSCredential
Position:0
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

System.Object