From 3141bd781bdc8776866970de37c3c082de5df1e4 Mon Sep 17 00:00:00 2001 From: brandonwest-netwrix Date: Thu, 8 Jan 2026 09:38:57 -0500 Subject: [PATCH 1/2] update permission configuration procedure Updated configuration procedure. Adjusted formatting for clarity and consistency. --- .../filesystems/azureinformationprotection.md | 281 +++++++----------- 1 file changed, 113 insertions(+), 168 deletions(-) diff --git a/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/azureinformationprotection.md b/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/azureinformationprotection.md index a4e25ce623..92b6b4a022 100644 --- a/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/azureinformationprotection.md +++ b/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/azureinformationprotection.md 
@@ -4,248 +4,193 @@ description: "Azure Information Protection Target Requirements" sidebar_position: 10 --- -# Azure Information Protection Target Requirements +# **Azure Information Protection Target Requirements** -Microsoft® Azure is a cloud-based computing platform that provides a range of services, such as -file storage. Azure uses Azure Information Protection (AIP) labels, a Microsoft tool used to -classify and protect stored files. Enterprise Auditor employs the File System Solution to execute -Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in order to find AIP -Protection labels and scan protected (i.e. encrypted) files for sensitive data. +Microsoft® Azure is a cloud-based computing platform that provides a range of services, such as file storage. Azure uses Azure Information Protection (AIP) labels, a Microsoft tool used to classify and protect stored files. Access Analyzer employs the File System Solution to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in order to find AIP Protection labels and scan protected (i.e. encrypted) files for sensitive data. -This document provides information needed to properly configure access required by Enterprise -Auditor to successfully scan for Azure Information Protection labels in a targeted environment. +This document provides information needed to properly configure access required by Access Analyzer to successfully scan for Azure Information Protection labels in a targeted environment. -:::note -Enterprise Auditor does not scan for AIP Marking labels, only Protection labels. -::: +:::info +**NOTE** -## Workflow for Scanning AIP Labels +Access Analyzer does not scan for AIP Marking labels, only Protection labels. -Before the Enterprise Auditor File System solution can scan for Azure Information Protection (AIP) -labels, certain prerequisites are required both in Enterprise Auditor and Azure environments. +::: -1. 
[Rights Management Service Client Installation](#rights-management-service-client-installation) -2. [Create a Service Principal Account using PowerShell](#create-a-service-principal-account-using-powershell) -3. [Enable the Account as an AIP Super User using PowerShell](#enable-the-account-as-an-aip-super-user-using-powershell) -4. [Add User to the AIP Role in Microsoft® Azure](#add-user-to-the-aip-role-in-microsoft-azure) -5. [Enterprise Auditor Configurations](#enterprise-auditor-configurations) -6. Enable settings in FSAA Data Collector in Enterprise Auditor. +## Workflow for Scanning AIP Labels - - See the FileSystemAccess Data Collector section in the - [File System Solution](/docs/accessanalyzer/11.6/solutions/filesystem/overview.md) - topic for additional information +Before the Access Analyzer File System solution can scan for Azure Information Protection (AIP) labels, certain prerequisites are required both in Access Analyzer and Azure environments. -## Prerequisites -Ensure the following prerequisites are met before configuring AIP scanning: +1. [Rights Management Service Client Installation](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#rights-management-service-client-installation) +2. [Create a Service Principal Account](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#create-a-service-principal-account-using-powershell) +3. [Enable the Account as an AIP Super User using PowerShell](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#enable-the-account-as-an-aip-super-user-using-powershell) +4. [Add User to the AIP Role in Microsoft® Azure](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#add-user-to-the-aip-role-in-microsoft-azure) +5. Azure Information Protection Target Requirements +6. 
Enable settings in FSAA Data Collector in Access Analyzer. + * See the FileSystemAccess Data Collector section in the [File System Solution](https://docs.netwrix.com/docs/accessanalyzer/12_0/solutions/filesystem/overview) topic for additional information -- Microsoft Entra ID Admin credentials -- The PowerShell `Install-Module` command requires: - - - PowerShell 5.0 (Run as Administrator) - - Windows Server 2016and later +## Prerequisites -- Active Directory Rights Management Services Client 2.1 installed on the server where the FSAA - applet or proxy is being run +Ensure the following prerequisites are met before configuring AIP scanning: -## Rights Management Service Client Installation +* Microsoft Entra ID Admin credentials +* The PowerShell `Install-Module` command requires: + * PowerShell 5.0 (Run as Administrator) + * Windows Server 2016and later +* Active Directory Rights Management Services Client 2.1 installed on the server where the FSAA applet or proxy is being run -The Rights Management Service Client must be installed on the applet servers where FSAA is running. -This may be the local Enterprise Auditor server, a Proxy server, or a File Server running in applet -mode. +### Rights Management Service Client Installation -- To install the Rights Management Service Client 2.1 on the server where the scan is taking place, - go to the Microsoft download center: +The Rights Management Service Client must be installed on the applet servers where FSAA is running. This may be the local Access Analyzer server, a Proxy server, or a File Server running in applet mode. - [https://www.microsoft.com/en-us/download/details.aspx?id=38396](https://www.microsoft.com/en-us/download/details.aspx?id=38396) +* To install the Rights Management Service Client 2.1 on the server where the scan is taking place, go to the Microsoft download center: -:::info -Read the System Requirements and Install Instructions provided by Microsoft to -complete the installation. 
-::: + -## Create a Service Principal Account using PowerShell +:::info +**info** -Follow the steps to create a service principal account with a symmetric key to connect to AIP: +Read the System Requirements and Install Instructions provided by Microsoft to complete the installation. -:::note -All PowerShell commands should be run in order through PowerShell as an Admin. ::: +## Create a Service Principal Account -**Step 1 –** Open up PowerShell (Administrator). - -**Step 2 –** Install and import MsOnline module: -``` -Install-Module MsOnline -Import-Module MsOnline -``` +1. Open the Azure Portal and sign in with an administrator account -**Step 3 –** Connect to Azure with the `Connect-MsolService` command. Enter the Azure credentials in -the **Sign in to your account** window that displays from Microsoft. + + 1. +2. Create a new app registration -**Step 4 –** Once successfully connected to Azure, create a service principal with the following -command: + + 1. Navigate to Microsoft Entra ID → App registrations → New registration + 2. Give the new application a distinguishable name +3. Create a client secret -``` -New-MsolServicePrincipal -``` - -> Enter the **DisplayName** of the new service principal name. (For example, AIP_EnterpriseAuditor) - -**Step 5 –** Take note and save the **Symmetric Key** and **AppPrincipalID** to be used in later -steps. + + 1. Open **Certificates & secrets** → Client secrets + 2. Click **New client secret** + 3. Provide a brief description & expiration date + 4. Click **Add** + 5. Record the **Secret Value** immediately + :::warning -Do not lose the symmetric key. It is not retrievable again once the PowerShell window -is closed. -::: + This will disappear once you leave the page! + ::: +4. Add API permissions -The service principal account with the proper key has been created. + + 1. Open **API Permissions** + 2. Click “Add a permission” + 3. Select the **Microsoft Graph API** permission set > Application permissions + 4. 
Add the “InformationProtectionPolicy.Read.All” permission +5. After adding the required API permission, select “Grant admin consent” +6. Record the AppID (from the Overview Page) and the tenantID with the secret value -## Enable the Account as an AIP Super User using PowerShell +## **Enable the Account as an AIP Super User using PowerShell** Follow the steps to enable the Service Principal Account in AIP as a Super User: -:::note + +:::info +**NOTE** + All PowerShell commands should be run in order through PowerShell as an Admin. -::: +::: -**Step 1 –** In PowerShell, install Microsoft Azure Active Directory Rights Manager (AIPService) -module: -``` -Install-Module AIPService -Import-Module AIPService -``` +1. In PowerShell, install Microsoft Azure Active Directory Rights Manager (AIPService) module: -**Step 2 –** Connect to Azure using the `Connect-AIPService` command and supply Azure credentials in -the **Sign in to your account** window that displays from Microsoft. +`Install-Module AIPService` +`Import-Module AIPService` -**Step 3 –** Add the service principal to the Azure AD Rights Management service super users, using -the AppPrincipalID saved from the steps in the -[Create a Service Principal Account using PowerShell](#create-a-service-principal-account-using-powershell) -section: -``` -Add-AipServiceSuperUser-ServicePrincipalID -``` +2. Connect to Azure using the `Connect-AIPService` command and supply Azure credentials in the **Sign in to your account** window that displays from Microsoft. +3. 
Add the service principal to the Azure AD Rights Management service super users, using the AppID saved from the steps in the [Create a Service Principal Account](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#create-a-service-principal-account-using-powershell) section: -**Step 4 –** Enable the DisplayName account using the following command: +`Add-AipServiceSuperUser-ServicePrincipalID ` -``` -Enable-AIPServiceSuperUserFeature -``` -The Service Principal Account is now added to the Rights Management service as a Super User, and the -Super User feature is enabled. +4. Enable the DisplayName account using the following command: -## Add User to the AIP Role in Microsoft® Azure +`Enable-AIPServiceSuperUserFeature` -In Microsoft Azure, add the Account to the Azure Information Protection Administrator Role. +The Service Principal Account is now added to the Rights Management service as a Super User, and the Super User feature is enabled. -**Step 1 –** Log into **http://portal.azure.com** with Azure credentials and select **Microsoft -Entra ID** from the list of resources on the left-hand pane. +## Add App Registration to the AIP Role in Microsoft® Azure -**Step 2 –** Navigate to **Roles and Administrators**. On the Administrative Roles page, select the -**Azure Information Protection Administrator** role. +In Microsoft Azure, add the Account to the Azure Information Protection Administrator Role. -**Step 3 –** Use the **Add Assignment** button to display the Add assignments pane. Search for the -name of the new service principal account (the **DisplayName** entered in PowerShell) and add it to -the list of assignments. -The Service Principal Account is now successfully added to the Azure Information Protection -Administrator role. +1. Log into **[http://portal.azure.com](http://portal.azure.com/)** with Azure credentials and select **Microsoft Entra ID** from the list of resources on the left-hand pane. 
+2. Navigate to **Roles and Administrators**. On the Administrative Roles page, select the **Azure Information Protection Administrator** role. +3. Use the **Add Assignment** button to display the Add assignments pane. Search for the name of the new service principal account (the **DisplayName** entered in PowerShell) and add it to the list of assignments. -## Enterprise Auditor Configurations +The Service Principal Account is now successfully added to the Azure Information Protection Administrator role. -Before Enterprise Auditor can scan for AIP labels, two configurations must be done prior to the -initial scan. +## **Access Analyzer Configurations** -- [Azure Connection Profile ](#azure-connection-profile) -- [Configure FSAA Data Collector](#configure-fsaa-data-collector) +Before Access Analyzer can scan for AIP labels, two configurations must be done prior to the initial scan. -### Azure Connection Profile +* [Azure Connection Profile](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#azure-connection-profile) +* [Configure FSAA Data Collector](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#configure-fsaa-data-collector) -To collect tags for files protected with Azure Information Protection, an Azure connection profile -must be configured in Enterprise Auditor before an FSAA scan runs. See the -[Global Settings](/docs/accessanalyzer/11.6/admin/settings/overview.md) -topic for additional information on how to set up a connection profile at the global level. +### **Azure Connection Profile** -**Step 1 –** In Enterprise Auditor, add a credential for an Azure Active Directory account type to -the existing Connection Profile used for File System scanning. Supply the Client ID field with the -**AppPrincipalID** and the Key field with the **Symmetric key** created upon creation of the new -service principal. 
+To collect tags for files protected with Azure Information Protection, an Azure connection profile must be configured in Access Analyzer before an FSAA scan runs. See the [Global Settings](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/settings/overview) topic for additional information on how to set up a connection profile at the global level. -**Step 2 –** At the job level, apply the connection profile that contains both the Microsoft Entra -ID credential and credentials required for File System scanning under the **Jobs** > [__Job__] > -**Settings** > **Connection** node. -**Step 3 –** Ensure that the job is configured correctly before running a scan. See the -[Configure FSAA Data Collector](#configure-fsaa-data-collector) topic for additional information. +1. In Access Analyzer, add a credential for an Azure Active Directory account type to the existing Connection Profile used for File System scanning. Supply the Client ID field with the **AppID** and the Key field with the **Secret Value** created upon creation of the new service principal. +2. At the job level, apply the connection profile that contains both the Microsoft Entra ID credential and credentials required for File System scanning under the **Jobs** > \[**Job**\] > **Settings** > **Connection** node. +3. Ensure that the job is configured correctly before running a scan. See the [Configure FSAA Data Collector](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#configure-fsaa-data-collector) topic for additional information. An Azure Connection Profile has now been successfully created for an FSAA scan. -### Configure FSAA Data Collector +### **Configure FSAA Data Collector** -In Enterprise Auditor, configure the FSAA Data Collector wizard pages to scan files protected by -Azure Information Protection. This can be done for both FSAA System Scans and SEEK System Scans. 
In -the FSAA Data Collector Wizard, configure the following menus to scan for AIP protection labels: +In Access Analyzer, configure the FSAA Data Collector wizard pages to scan files protected by Azure Information Protection. This can be done for both FSAA System Scans and SEEK System Scans. In the FSAA Data Collector Wizard, configure the following menus to scan for AIP protection labels: For FSAA System Scans: -- Scan Server Selection – Choose the server that scanning is executed on. Target the server that has - the Rights Management Service Client 2.1 installed where the applet is running. +* Scan Server Selection – Choose the server that scanning is executed on. Target the server that has the Rights Management Service Client 2.1 installed where the applet is running. + * This may be a proxy server, file server (applet mode), or the local Access Analyzer console depending on scan configuration +* Scan Settings – Select the **Enable scanning of files protected by Azure Information Protection** checkbox to add AIP files to the scan criteria +* Azure Tenant Mapping page – Add the **AppID** and the **Domain Name** or **Tenant ID** - - This may be a proxy server, file server (applet mode), or the local Enterprise Auditor console - depending on scan configuration + +:::tip + **TIP** -- Scan Settings – Select the **Enable scanning of files protected by Azure Information Protection** - checkbox to add AIP files to the scan criteria -- Azure Tenant Mapping page – Add the **AppPrincipalID** (App ID) and the **Domain Name** or - **Tenant ID** + Remember, the Azure Tenant Mapping page is only visible when the **Enable scanning of files protected by Azure Information Protection** checkbox is selected on the Scan Settings page. - :::tip - Remember, the Azure Tenant Mapping page is only visible when the **Enable scanning of files - protected by Azure Information Protection** checkbox is selected on the Scan Settings page. 
- ::: - - -- Default Scoping Options - - - File Details tab – **Include files protected by Azure Information Protection (AIP)** - - File Properties (Folder Summary) – **Include AIP Protected Files** - -- Scoping Options – if needed, scope to a specific subset of resources on a selected host + ::: +* Default Scoping Options + * File Details tab – **Include files protected by Azure Information Protection (AIP)** + * File Properties (Folder Summary) – **Include AIP Protected Files** +* Scoping Options – if needed, scope to a specific subset of resources on a selected host For SEEK System Scans: -- Scan Server Selection – Choose the server that scanning is executed on. Target the server that has - the Rights Management Service Client 2.1 installed where the applet is running. - - - This may be a proxy server, file server (applet mode), or the local Enterprise Auditor console - depending on scan configuration - -- Scan Settings – Select the **Enable scanning of files protected by Azure Information Protection** - checkbox to add AIP files to the scan criteria -- Azure Tenant Mapping page – Add the **AppPrincipalID** (App ID) and the **Domain Name** or - **Tenant ID** +* Scan Server Selection – Choose the server that scanning is executed on. Target the server that has the Rights Management Service Client 2.1 installed where the applet is running. + * This may be a proxy server, file server (applet mode), or the local Access Analyzer console depending on scan configuration +* Scan Settings – Select the **Enable scanning of files protected by Azure Information Protection** checkbox to add AIP files to the scan criteria +* Azure Tenant Mapping page – Add the **AppID** and the **Domain Name** or **Tenant ID** - :::tip - Remember, the Azure Tenant Mapping page is only visible when the **Enable scanning of files - protected by Azure Information Protection** checkbox is selected on the Scan Settings page. 
- ::: + +:::tip + **TIP** + Remember, the Azure Tenant Mapping page is only visible when the **Enable scanning of files protected by Azure Information Protection** checkbox is selected on the Scan Settings page. -- Scoping Options – if needed, scope to a specific subset of resources on a selected host -- Sensitive Data Settings – Select **Decrypt Files Protected by Azure Information Protection**. This - page only applies for SEEK scans. + ::: +* Scoping Options – if needed, scope to a specific subset of resources on a selected host +* Sensitive Data Settings – Select **Decrypt Files Protected by Azure Information Protection**. This page only applies for SEEK scans. -See the FileSystemAccess Data Collector section in the -[File System Solution](/docs/accessanalyzer/11.6/solutions/filesystem/overview.md) -topic for additional information on these scoping options. +See the FileSystemAccess Data Collector section in the [File System Solution](https://docs.netwrix.com/docs/accessanalyzer/12_0/solutions/filesystem/overview) topic for additional information on these scoping options. From e05ec0dd1267a6e1e3e210262ede706d0cb32abd Mon Sep 17 00:00:00 2001 From: brandonwest-netwrix Date: Thu, 8 Jan 2026 09:39:48 -0500 Subject: [PATCH 2/2] Refactor Azure Information Protection documentation Updated formatting and improved clarity in the Azure Information Protection Target Requirements document. Added links for better navigation and ensured consistent use of headings. --- .../filesystems/azureinformationprotection.md | 275 +++++++----------- 1 file changed, 110 insertions(+), 165 deletions(-) diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/azureinformationprotection.md b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/azureinformationprotection.md index 6e18e88120..17e6aebc6b 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/azureinformationprotection.md 
+++ b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/azureinformationprotection.md 
@@ -4,248 +4,193 @@ description: "Azure Information Protection Target Requirements" sidebar_position: 20 --- -# Azure Information Protection Target Requirements +# **Azure Information Protection Target Requirements** -Microsoft® Azure is a cloud-based computing platform that provides a range of services, such as -file storage. Azure uses Azure Information Protection (AIP) labels, a Microsoft tool used to -classify and protect stored files. Access Analyzer employs the File System Solution to execute -Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in order to find AIP -Protection labels and scan protected (i.e. encrypted) files for sensitive data. +Microsoft® Azure is a cloud-based computing platform that provides a range of services, such as file storage. Azure uses Azure Information Protection (AIP) labels, a Microsoft tool used to classify and protect stored files. Access Analyzer employs the File System Solution to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in order to find AIP Protection labels and scan protected (i.e. encrypted) files for sensitive data. -This document provides information needed to properly configure access required by Access Analyzer -to successfully scan for Azure Information Protection labels in a targeted environment. +This document provides information needed to properly configure access required by Access Analyzer to successfully scan for Azure Information Protection labels in a targeted environment. + + +:::info +**NOTE** -:::note Access Analyzer does not scan for AIP Marking labels, only Protection labels. + ::: +## Workflow for Scanning AIP Labels -## Workflow for Scanning AIP Labels +Before the Access Analyzer File System solution can scan for Azure Information Protection (AIP) labels, certain prerequisites are required both in Access Analyzer and Azure environments. 
-Before the Access Analyzer File System solution can scan for Azure Information Protection (AIP) -labels, certain prerequisites are required both in Access Analyzer and Azure environments. -1. [Rights Management Service Client Installation](#rights-management-service-client-installation) -2. [Create a Service Principal Account using PowerShell](#create-a-service-principal-account-using-powershell) -3. [Enable the Account as an AIP Super User using PowerShell](#enable-the-account-as-an-aip-super-user-using-powershell) -4. [Add User to the AIP Role in Microsoft® Azure](#add-user-to-the-aip-role-in-microsoft-azure) +1. [Rights Management Service Client Installation](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#rights-management-service-client-installation) +2. [Create a Service Principal Account](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#create-a-service-principal-account-using-powershell) +3. [Enable the Account as an AIP Super User using PowerShell](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#enable-the-account-as-an-aip-super-user-using-powershell) +4. [Add User to the AIP Role in Microsoft® Azure](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#add-user-to-the-aip-role-in-microsoft-azure) 5. Azure Information Protection Target Requirements 6. Enable settings in FSAA Data Collector in Access Analyzer. 
- - - See the FileSystemAccess Data Collector section in the - [File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) topic for additional - information + * See the FileSystemAccess Data Collector section in the [File System Solution](https://docs.netwrix.com/docs/accessanalyzer/12_0/solutions/filesystem/overview) topic for additional information ## Prerequisites -Ensure the following prerequisites are met before configuring AIP scanning: - -- Microsoft Entra ID Admin credentials -- The PowerShell `Install-Module` command requires: +Ensure the following prerequisites are met before configuring AIP scanning: - - PowerShell 5.0 (Run as Administrator) - - Windows Server 2016and later +* Microsoft Entra ID Admin credentials +* The PowerShell `Install-Module` command requires: + * PowerShell 5.0 (Run as Administrator) + * Windows Server 2016and later +* Active Directory Rights Management Services Client 2.1 installed on the server where the FSAA applet or proxy is being run -- Active Directory Rights Management Services Client 2.1 installed on the server where the FSAA - applet or proxy is being run +### Rights Management Service Client Installation -## Rights Management Service Client Installation +The Rights Management Service Client must be installed on the applet servers where FSAA is running. This may be the local Access Analyzer server, a Proxy server, or a File Server running in applet mode. -The Rights Management Service Client must be installed on the applet servers where FSAA is running. -This may be the local Access Analyzer server, a Proxy server, or a File Server running in applet -mode. 
+* To install the Rights Management Service Client 2.1 on the server where the scan is taking place, go to the Microsoft download center: -- To install the Rights Management Service Client 2.1 on the server where the scan is taking place, - go to the Microsoft download center: + - [https://www.microsoft.com/en-us/download/details.aspx?id=38396](https://www.microsoft.com/en-us/download/details.aspx?id=38396) :::info -Read the System Requirements and Install Instructions provided by Microsoft to -complete the installation. -::: +**info** +Read the System Requirements and Install Instructions provided by Microsoft to complete the installation. -## Create a Service Principal Account using PowerShell - -Follow the steps to create a service principal account with a symmetric key to connect to AIP: - -:::note -All PowerShell commands should be run in order through PowerShell as an Admin. ::: +## Create a Service Principal Account -**Step 1 –** Open up PowerShell (Administrator). - -**Step 2 –** Install and import MsOnline module: -``` -Install-Module MsOnline -Import-Module MsOnline -``` +1. Open the Azure Portal and sign in with an administrator account -**Step 3 –** Connect to Azure with the `Connect-MsolService` command. Enter the Azure credentials in -the **Sign in to your account** window that displays from Microsoft. + + 1. +2. Create a new app registration -**Step 4 –** Once successfully connected to Azure, create a service principal with the following -command: + + 1. Navigate to Microsoft Entra ID → App registrations → New registration + 2. Give the new application a distinguishable name +3. Create a client secret -``` -New-MsolServicePrincipal -``` - -> Enter the **DisplayName** of the new service principal name. (For example, AIP_EnterpriseAuditor) - -**Step 5 –** Take note and save the **Symmetric Key** and **AppPrincipalID** to be used in later -steps. + + 1. Open **Certificates & secrets** → Client secrets + 2. Click **New client secret** + 3. 
Provide a brief description & expiration date + 4. Click **Add** + 5. Record the **Secret Value** immediately + :::warning -Do not lose the symmetric key. It is not retrievable again once the PowerShell window -is closed. -::: + This will disappear once you leave the page! + ::: +4. Add API permissions -The service principal account with the proper key has been created. + + 1. Open **API Permissions** + 2. Click “Add a permission” + 3. Select the **Microsoft Graph API** permission set > Application permissions + 4. Add the “InformationProtectionPolicy.Read.All” permission +5. After adding the required API permission, select “Grant admin consent” +6. Record the AppID (from the Overview Page) and the tenantID with the secret value -## Enable the Account as an AIP Super User using PowerShell +## **Enable the Account as an AIP Super User using PowerShell** Follow the steps to enable the Service Principal Account in AIP as a Super User: -:::note + +:::info +**NOTE** + All PowerShell commands should be run in order through PowerShell as an Admin. -::: +::: -**Step 1 –** In PowerShell, install Microsoft Azure Active Directory Rights Manager (AIPService) -module: -``` -Install-Module AIPService -Import-Module AIPService -``` +1. In PowerShell, install Microsoft Azure Active Directory Rights Manager (AIPService) module: -**Step 2 –** Connect to Azure using the `Connect-AIPService` command and supply Azure credentials in -the **Sign in to your account** window that displays from Microsoft. +`Install-Module AIPService` +`Import-Module AIPService` -**Step 3 –** Add the service principal to the Azure AD Rights Management service super users, using -the AppPrincipalID saved from the steps in the -[Create a Service Principal Account using PowerShell](#create-a-service-principal-account-using-powershell) -section: -``` -Add-AipServiceSuperUser-ServicePrincipalID -``` +2. 
Connect to Azure using the `Connect-AIPService` command and supply Azure credentials in the **Sign in to your account** window that displays from Microsoft. +3. Add the service principal to the Azure AD Rights Management service super users, using the AppID saved from the steps in the [Create a Service Principal Account](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#create-a-service-principal-account-using-powershell) section: -**Step 4 –** Enable the DisplayName account using the following command: +`Add-AipServiceSuperUser-ServicePrincipalID ` -``` -Enable-AIPServiceSuperUserFeature -``` -The Service Principal Account is now added to the Rights Management service as a Super User, and the -Super User feature is enabled. +4. Enable the DisplayName account using the following command: -## Add User to the AIP Role in Microsoft® Azure +`Enable-AIPServiceSuperUserFeature` -In Microsoft Azure, add the Account to the Azure Information Protection Administrator Role. +The Service Principal Account is now added to the Rights Management service as a Super User, and the Super User feature is enabled. -**Step 1 –** Log into **http://portal.azure.com** with Azure credentials and select **Microsoft -Entra ID** from the list of resources on the left-hand pane. +## Add App Registration to the AIP Role in Microsoft® Azure -**Step 2 –** Navigate to **Roles and Administrators**. On the Administrative Roles page, select the -**Azure Information Protection Administrator** role. +In Microsoft Azure, add the Account to the Azure Information Protection Administrator Role. -**Step 3 –** Use the **Add Assignment** button to display the Add assignments pane. Search for the -name of the new service principal account (the **DisplayName** entered in PowerShell) and add it to -the list of assignments. -The Service Principal Account is now successfully added to the Azure Information Protection -Administrator role. +1. 
Log into **[http://portal.azure.com](http://portal.azure.com/)** with Azure credentials and select **Microsoft Entra ID** from the list of resources on the left-hand pane. +2. Navigate to **Roles and Administrators**. On the Administrative Roles page, select the **Azure Information Protection Administrator** role. +3. Use the **Add Assignment** button to display the Add assignments pane. Search for the name of the new service principal account (the **DisplayName** entered in PowerShell) and add it to the list of assignments. -## Access Analyzer Configurations +The Service Principal Account is now successfully added to the Azure Information Protection Administrator role. -Before Access Analyzer can scan for AIP labels, two configurations must be done prior to the initial -scan. +## **Access Analyzer Configurations** -- [Azure Connection Profile ](#azure-connection-profile) -- [Configure FSAA Data Collector](#configure-fsaa-data-collector) +Before Access Analyzer can scan for AIP labels, two configurations must be done prior to the initial scan. -### Azure Connection Profile +* [Azure Connection Profile](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#azure-connection-profile) +* [Configure FSAA Data Collector](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#configure-fsaa-data-collector) -To collect tags for files protected with Azure Information Protection, an Azure connection profile -must be configured in Access Analyzer before an FSAA scan runs. See the -[Global Settings](/docs/accessanalyzer/12.0/admin/settings/overview.md) topic for additional information on how to -set up a connection profile at the global level. +### **Azure Connection Profile** -**Step 1 –** In Access Analyzer, add a credential for an Azure Active Directory account type to the -existing Connection Profile used for File System scanning. 
Supply the Client ID field with the -**AppPrincipalID** and the Key field with the **Symmetric key** created upon creation of the new -service principal. +To collect tags for files protected with Azure Information Protection, an Azure connection profile must be configured in Access Analyzer before an FSAA scan runs. See the [Global Settings](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/settings/overview) topic for additional information on how to set up a connection profile at the global level. -**Step 2 –** At the job level, apply the connection profile that contains both the Microsoft Entra -ID credential and credentials required for File System scanning under the **Jobs** > [__Job__] > -**Settings** > **Connection** node. -**Step 3 –** Ensure that the job is configured correctly before running a scan. See the -[Configure FSAA Data Collector](#configure-fsaa-data-collector) topic for additional information. +1. In Access Analyzer, add a credential for an Azure Active Directory account type to the existing Connection Profile used for File System scanning. Supply the Client ID field with the **AppID** and the Key field with the **Secret Value** created upon creation of the new service principal. +2. At the job level, apply the connection profile that contains both the Microsoft Entra ID credential and credentials required for File System scanning under the **Jobs** > \[**Job**\] > **Settings** > **Connection** node. +3. Ensure that the job is configured correctly before running a scan. See the [Configure FSAA Data Collector](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/azureinformationprotection#configure-fsaa-data-collector) topic for additional information. An Azure Connection Profile has now been successfully created for an FSAA scan. 
-### Configure FSAA Data Collector +### **Configure FSAA Data Collector** -In Access Analyzer, configure the FSAA Data Collector wizard pages to scan files protected by Azure -Information Protection. This can be done for both FSAA System Scans and SEEK System Scans. In the -FSAA Data Collector Wizard, configure the following menus to scan for AIP protection labels: +In Access Analyzer, configure the FSAA Data Collector wizard pages to scan files protected by Azure Information Protection. This can be done for both FSAA System Scans and SEEK System Scans. In the FSAA Data Collector Wizard, configure the following menus to scan for AIP protection labels: For FSAA System Scans: -- Scan Server Selection – Choose the server that scanning is executed on. Target the server that has - the Rights Management Service Client 2.1 installed where the applet is running. +* Scan Server Selection – Choose the server that scanning is executed on. Target the server that has the Rights Management Service Client 2.1 installed where the applet is running. 
+ * This may be a proxy server, file server (applet mode), or the local Access Analyzer console depending on scan configuration +* Scan Settings – Select the **Enable scanning of files protected by Azure Information Protection** checkbox to add AIP files to the scan criteria +* Azure Tenant Mapping page – Add the **AppID** and the **Domain Name** or **Tenant ID** - - This may be a proxy server, file server (applet mode), or the local Access Analyzer console - depending on scan configuration + +:::tip + **TIP** -- Scan Settings – Select the **Enable scanning of files protected by Azure Information Protection** - checkbox to add AIP files to the scan criteria -- Azure Tenant Mapping page – Add the **AppPrincipalID** (App ID) and the **Domain Name** or - **Tenant ID** + Remember, the Azure Tenant Mapping page is only visible when the **Enable scanning of files protected by Azure Information Protection** checkbox is selected on the Scan Settings page. - :::tip - Remember, the Azure Tenant Mapping page is only visible when the **Enable scanning of files - protected by Azure Information Protection** checkbox is selected on the Scan Settings page. - ::: - - -- Default Scoping Options - - - File Details tab – **Include files protected by Azure Information Protection (AIP)** - - File Properties (Folder Summary) – **Include AIP Protected Files** - -- Scoping Options – if needed, scope to a specific subset of resources on a selected host + ::: +* Default Scoping Options + * File Details tab – **Include files protected by Azure Information Protection (AIP)** + * File Properties (Folder Summary) – **Include AIP Protected Files** +* Scoping Options – if needed, scope to a specific subset of resources on a selected host For SEEK System Scans: -- Scan Server Selection – Choose the server that scanning is executed on. Target the server that has - the Rights Management Service Client 2.1 installed where the applet is running. 
- - - This may be a proxy server, file server (applet mode), or the local Access Analyzer console - depending on scan configuration - -- Scan Settings – Select the **Enable scanning of files protected by Azure Information Protection** - checkbox to add AIP files to the scan criteria -- Azure Tenant Mapping page – Add the **AppPrincipalID** (App ID) and the **Domain Name** or - **Tenant ID** +* Scan Server Selection – Choose the server that scanning is executed on. Target the server that has the Rights Management Service Client 2.1 installed where the applet is running. + * This may be a proxy server, file server (applet mode), or the local Access Analyzer console depending on scan configuration +* Scan Settings – Select the **Enable scanning of files protected by Azure Information Protection** checkbox to add AIP files to the scan criteria +* Azure Tenant Mapping page – Add the **AppID** and the **Domain Name** or **Tenant ID** - :::tip - Remember, the Azure Tenant Mapping page is only visible when the **Enable scanning of files - protected by Azure Information Protection** checkbox is selected on the Scan Settings page. - ::: + +:::tip + **TIP** + Remember, the Azure Tenant Mapping page is only visible when the **Enable scanning of files protected by Azure Information Protection** checkbox is selected on the Scan Settings page. -- Scoping Options – if needed, scope to a specific subset of resources on a selected host -- Sensitive Data Settings – Select **Decrypt Files Protected by Azure Information Protection**. This - page only applies for SEEK scans. + ::: +* Scoping Options – if needed, scope to a specific subset of resources on a selected host +* Sensitive Data Settings – Select **Decrypt Files Protected by Azure Information Protection**. This page only applies for SEEK scans. 
-See the FileSystemAccess Data Collector section in the -[File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) topic for additional information -on these scoping options. +See the FileSystemAccess Data Collector section in the [File System Solution](https://docs.netwrix.com/docs/accessanalyzer/12_0/solutions/filesystem/overview) topic for additional information on these scoping options.
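Review bot: In the "Enable the Account as an AIP Super User using PowerShell" step 3 of this hunk, the new line `Add-AipServiceSuperUser-ServicePrincipalID ` still carries the defect from the removed text: the cmdlet name and its parameter are fused with no space, and no placeholder follows the parameter, so a reader who pastes it gets a command-not-found error. Suggest `Add-AipServiceSuperUser -ServicePrincipalId <AppID>` (the AppID recorded in step 6 of the service principal section), and likewise fence the four PowerShell lines as a code block rather than inline backticks so they copy cleanly. Two smaller points in the same hunk: the portal link was changed to `http://portal.azure.com` and should be `https://portal.azure.com`, since this is where the admin signs in with tenant credentials; and the replaced relative links (`#azure-connection-profile`, `/docs/accessanalyzer/12.0/...`) now point at absolute `docs.netwrix.com/.../12_0/...` URLs even though this file lives under `11.6/`, so readers of the 11.6 page are sent to another version's anchors. Finally, since the secret value recorded in step 5 unlocks an account that is both an AIP Super User and granted `InformationProtectionPolicy.Read.All` (it can decrypt any protected file the scan touches, per the "Decrypt Files Protected by Azure Information Protection" setting), the warning box would be stronger if it also told the reader to store that value in the Access Analyzer connection profile only and not in scripts or tickets.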