February 3, 2020

Rights management solutions revolve around encrypting content and controlling who can decrypt it. In Azure Rights Management, every document or email that is protected is encrypted with its own unique symmetric content key; that content key is in turn encrypted with the organization's tenant key (an RSA key pair, with the private half held by Azure or, with BYOK/HYOK, by the organization) and stored in the publishing license that travels with the content. Authorization of the appropriate recipients happens against these keys: only a user named in the publishing license can obtain a use license and, with it, the decrypted content key. There are scenarios where an authorized account has to be able to decrypt any protected content, for example:

  1. The owner of the protected content leaves the organization
  2. Integration with other data protection technologies such as DLP (content analysis) and Exchange (email searches), which need to decrypt protected content
  3. Bulk decryption for legal and compliance reasons
  4. Decrypting the content as part of an exit plan when leaving the service

Considering these scenarios, Azure Information Protection (AIP) provides the super user role: an account (or group) that can read, and remove protection from, any content that the tenant's Azure Rights Management service has protected. Because it bypasses the permissions the owner set, treat it as a highly privileged role: enable it only when needed, keep membership minimal, and review the admin log for who enabled it and who was added.

Steps to configure the super user role in AIP:

Create a user account for the super user. The account that runs the PowerShell cmdlets below must be a global administrator (or an Azure Information Protection administrator); the super user account itself needs no admin role, so there is no need to add it to the global admin group.


Create a sample spreadsheet and restrict access only to the owner

Spreadsheet protected rights

Send the spreadsheet to the super user

Sending email to superuser

As the super user feature is not yet enabled in AIP, the super user account cannot open the spreadsheet; it remains restricted to the owner.

Not able to open the file attachment

Configure the super user role

Connect to the Azure Information Protection service with the Connect-AipService cmdlet from the AIPService PowerShell module. This opens the organization sign-in page for authentication:

Connect-AipService

Add the super user account:

Add-AipServiceSuperUser -EmailAddress "<email address of the super user account>"

PowerShell to configure the super user role in AIP

Enable the super user feature by executing Enable-AipServiceSuperUserFeature. Adding accounts and enabling the feature are independent steps; the super user cannot decrypt anything until both are done.

Check that the feature is enabled and that the account is listed with Get-AipServiceSuperUserFeature and Get-AipServiceSuperUser.



Now, check the access to the restricted spreadsheet that was shared earlier. The super user account can now open the spreadsheet that was restricted to the owner only.

Super user able to open the restricted spreadsheet

Additional permissions mapped to the super user:

These additional permissions give the options to remove or change the permissions on restricted documents, which unlocks them for further use and sharing. Each such removal should be justified and logged, because it strips the owner's restrictions from the resulting copy.

Additional permissions to super user
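Scripting the whole lifecycle, as an added example that is not part of the original post: the super user privilege is enabled only for a bulk-decryption task and removed afterwards, and the admin log is exported for the audit trail. The account address, folder paths and log path are assumptions; the AIPService cmdlets are the documented ones, and Unprotect-RMSFile belongs to the AIP client module (AzureInformationProtection) and runs on the super user's workstation, not in the tenant admin's session.

```powershell
# Added example, not code from the original post. Assumptions: the AIPService
# module is installed, the caller is a global administrator, and the address,
# folder and log paths below are hypothetical.

Import-Module AIPService
Connect-AipService                                  # interactive sign-in to the tenant

$superUser = 'svc-aip-superuser@kartik.com'

# 1. Enable the feature (idempotent) and add the account. Both steps are needed:
#    a listed account can decrypt nothing while the feature is disabled.
if ((Get-AipServiceSuperUserFeature) -ne 'Enabled') {
    Enable-AipServiceSuperUserFeature
}
Add-AipServiceSuperUser -EmailAddress $superUser
Get-AipServiceSuperUser                             # verify membership

# 2. Bulk task, run separately on the super user's workstation where the AIP
#    client module (AzureInformationProtection) is installed. -InPlace rewrites
#    the files, so work on a copy; -LogFile records every file that was touched.
if (Get-Command Unprotect-RMSFile -ErrorAction SilentlyContinue) {
    Unprotect-RMSFile -Folder 'D:\Legal\Hold-2020' -Recurse -InPlace -LogFile 'D:\Legal\unprotect.log'
}

# 3. Remove the privilege as soon as the task is done: membership first, then the feature.
Remove-AipServiceSuperUser -EmailAddress $superUser
Disable-AipServiceSuperUserFeature

# 4. Export the admin log for the change window as evidence for the audit trail
#    (it records who enabled the feature and who was added or removed).
$logPath = 'C:\Temp\aip-admin.log'
Get-AipServiceAdminLog -Path $logPath -FromTime (Get-Date).AddDays(-1)
Get-Content $logPath
```

Keeping the feature disabled between tasks means a compromised super user account gains nothing until an administrator turns the feature on again, which is itself an audited action.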

Analytics in Azure Information Protection

When managing cloud-based solutions, it is important to have visibility into anything that can affect availability, performance and compliance. Analytics in Azure Information Protection (AIP) gives deeper insight through usage reports, activity logs, data discovery and recommendations.

The analytics service in AIP gives the organization visibility and control over user and device activity for the documents and emails that are being classified and protected.

A few examples of the metrics collected for AIP:

Usage report:

  • Labels being applied to a document/email
  • Number of documents/emails classified/protected
  • Count of users and devices labeling the documents/emails

Activity report:

  • Labeling actions performed by a user/device
  • Which users have accessed a specific document
  • Which labeling actions were performed by a specific application

These reports use the Azure Monitor service to store the data in a Log Analytics workspace that the organization owns, which provides a single source for monitoring Azure resources.

Prerequisites:

  • An Azure subscription that includes Log Analytics with Azure Monitor. For pricing, refer here
  • A Windows 10 client machine with the AIP client installed.

Steps to enable Analytics in AIP:

Log in to the Azure portal (https://portal.azure.com)


Navigate to the Azure Information Protection pane



Enable Analytics for the Azure tenant




Create a new Log Analytics workspace


Create sample AIP Labels 


Log in to a client machine on which the AIP client is installed

The AIP client can be downloaded from here

Classify a few sample documents and emails


Navigate to the Analytics section and validate the user activity with respect to labeling




Hence, these analytics give us granular details of user and device activity for classification and protection.
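A query over the workspace data, as an added example that is not from the original post: it uses the Az.OperationalInsights module to run a Kusto query against the same Log Analytics workspace and report users who downgraded or removed labels, which is usually the first thing a security team wants from this telemetry. The workspace ID is a placeholder; the table and column names (InformationProtectionLogs_CL, Activity_s, LabelName_s, UserId_s and so on) and the activity values "Downgrade" and "Remove" are assumptions about the schema AIP analytics writes, which is why the script first lists the activity values the workspace actually contains.

```powershell
# Added example, not code from the original post. Assumptions: Az.Accounts and
# Az.OperationalInsights are installed; $workspaceId is the workspace GUID from
# the portal; the table, column names and Activity values are assumed and must
# be verified against the workspace schema.

Import-Module Az.Accounts
Import-Module Az.OperationalInsights
Connect-AzAccount | Out-Null

$workspaceId = '00000000-0000-0000-0000-000000000000'   # replace with the workspace ID

# First enumerate the activity values the workspace actually contains, so the
# filter below is built on real data rather than on assumed names.
$activities = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query @'
InformationProtectionLogs_CL
| where TimeGenerated > ago(30d)
| summarize Count = count() by Activity_s
| order by Count desc
'@
$activities.Results | Format-Table Activity_s, Count

# Label downgrades and removals in the last 7 days, with who, where and which file.
$query = @'
InformationProtectionLogs_CL
| where TimeGenerated > ago(7d)
| where Activity_s in ("Downgrade", "Remove")
| project TimeGenerated, UserId_s, MachineName_s, ApplicationName_s,
          Activity_s, LabelName_s, ObjectId_s
| order by TimeGenerated desc
'@
$rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query).Results
$rows | Format-Table TimeGenerated, UserId_s, Activity_s, LabelName_s, ObjectId_s

# Surface users with an unusual volume of removals; the threshold is a starting
# point to tune against normal activity, not a rule.
$rows |
    Where-Object { $_.Activity_s -eq 'Remove' } |
    Group-Object UserId_s |
    Where-Object { $_.Count -gt 10 } |
    ForEach-Object { "{0} removed labels from {1} items in 7 days" -f $_.Name, $_.Count }
```

The same Kusto query can be saved as a log alert rule in Azure Monitor, so that a burst of label removals raises an alert instead of waiting for someone to open the report.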













Document Protection with Azure Information Protection Ad-hoc permissions

Document protection is a key step toward meeting an organization's security standards and policies. With AIP we can achieve it either by defining protection globally in the label policies or by letting document owners set the permissions themselves (user-defined, or ad-hoc, permissions).

User-defined permissions with the label:

Steps to configure in AIP

Navigate to Azure Portal

Search for the Azure Information Protection service and select the label on which you want to configure user-defined permissions.

In this case, I selected the 'Restricted' label and, under protection settings, set the protection action type to 'Set user-defined permissions'. Save the policy after the configuration changes.



Test the functionality:

Open any Office application and select the 'Restricted' label. The prompt below for user-defined permissions appears, where the owner chooses the users or domains and the permission level for each.


Similarly, open a new email in Outlook and select the 'Restricted' label. The moment you select the label, Do Not Forward protection is applied to the email (the label configuration applies Do Not Forward in Outlook and prompts for custom permissions in the other Office apps).


Global policies in AIP for document protection:

Unlike user-defined permissions, global policies are configured centrally and mapped to the labels defined in the taxonomy. These configurations give different protection settings, with different usage rights for different groups and domains.

This way we can impose rights restrictions based on the recipient's domain. In this scenario, I configured the protection settings so that the co-owner role is assigned to my domain and the viewer role to external domains such as gmail.com and yahoo.com. With that in place, if I send any attachment labelled 'Restricted', all members of my organization can read, write and edit it, authenticated users (in Office 365) can review it, and users in Gmail and Yahoo can only view it.


Test the Functionality:

Label a word document to ‘Restricted’.


When the document is attached to an email, the client recommends classifying the email as 'Restricted' too.

I am sending it to a user within my domain and to a user in Gmail, and we can see the prompt from the policy.
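The same ad-hoc protection from a script, as an added example that is not part of the original post: the AIP client module's New-RMSProtectionLicense builds the user-defined permissions (view-only for an external reviewer and an internal colleague, the owner keeping full control, access expiring after 30 days), Protect-RMSFile applies them, and Get-RMSFileStatus confirms the result. The addresses and the file path are assumptions; the module must already be installed and the user signed in.

```powershell
# Added example, not code from the original post. Assumptions: the AIP client
# (AzureInformationProtection module) is installed and the user is signed in;
# addresses and paths are hypothetical.

Import-Module AzureInformationProtection

$file   = 'C:\Docs\Q1-forecast.xlsx'
$output = 'C:\Docs\Protected'

# Ad-hoc license: the owner implicitly keeps full control; the named users get
# only the rights listed, so the external reviewer cannot edit, print or forward.
# Rights are additive, which is why VIEW alone is the right choice for outsiders.
$license = New-RMSProtectionLicense -OwnerEmail 'alice@kartik.com' `
    -UserEmail 'reviewer@gmail.com', 'bob@kartik.com' `
    -Rights 'VIEW' `
    -ValidForDays 30

# Write the protected copy to a separate folder rather than -InPlace, so the
# unprotected original is not lost if the license was built wrongly.
New-Item -ItemType Directory -Path $output -Force | Out-Null
Protect-RMSFile -File $file -OutputFolder $output -License $license

# Verify: the status of the new copy must be 'Protected'.
$status = Get-RMSFileStatus -File (Join-Path $output (Split-Path $file -Leaf))
$status | Format-Table FileName, Status
if ($status.Status -ne 'Protected') { throw "Protection was not applied to $file" }
```

The 30-day expiry is the part the interactive prompt makes easy to forget: without it, the external reviewer's use license never ages out.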







Creating Classification Labels and Policies in Azure Information Protection

Information Rights Management is a subset of digital rights management technologies that protects sensitive information from accidental or unauthorized modification, deletion and misuse.

Azure Information Protection (AIP) is a Microsoft service that provides the features and functionality of Information Rights Management. With AIP, an organization can classify, label and protect sensitive information, which gives it visibility over the different types of sensitive data across locations.

Steps to Configure Policies in Azure Portal

Before we configure the global policies, it is always recommended to get the taxonomy crisp and clear. Do not create too many labels and sub-labels.

Here in this example, I am keeping the taxonomy straight forward

Restricted – For highly sensitive content

Confidential – For Sensitive content

Internal – For the content within the Organization

Public – For all other content

Steps to configure Labels and Policies in Azure Portal 

Login to Azure Portal 

Search for Azure Information Protection



Add new label 


Give the label a name and a description. Navigate to Protect and add the users or groups that will consume the permissions.

Protection settings: select Azure (cloud key) or HYOK as appropriate for the organization, set file expiration (content expiry and offline access), and add permissions based on an AD group, individual recipient addresses or whole domains. Set the permission level (Co-Owner, Co-Author, Reviewer, Viewer or custom) as appropriate.



I created four labels as Internal, Public, Confidential & Restricted



Create a policy that includes this label

Select Policies under Classifications and click 'Add a new policy'


Give the policy a name and select from the drop-down list the labels to which this policy applies.


Now that we have created labels and policies in the Azure portal, let us verify that they are reflected on the client machines.

Prerequisites for installing the AIP client:

  1. Azure Active Directory: make sure the on-premises identities are in sync with Azure AD identities. Azure AD Connect is used to sync the identities. If the users are in Office 365, they can directly download the Office apps from portal.office.com
  2. Supported client platforms: Windows 7 (SP1), Windows 8, Windows 8.1, Windows 10 with .NET Framework 4.6.2
  3. Office applications: Office 365 ProPlus, Office Professional Plus 2019/2016/2013 (SP1)/2010 (SP2)
  4. Connectivity to Azure services over the internet: make sure the URLs are allowed and the necessary ports are open as per the network prerequisites
  5. Download the AIP client from here


Installing AIP client





Sign in to the Office apps with the organization account that has an AIP license; as you open them, the labels appear in the apps






Now, when a label is selected, the policy configured for that label is applied to the content, and the sender of the email or author of the document has visibility into the content's life cycle.
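Checking the result from the client side, as an added example that is not part of the original post: the AIP client module's Get-AIPFileStatus reports, for every file under a share, whether a label and RMS protection are present, and Set-AIPFileLabel applies the baseline label to anything still unlabelled. The share path and the label GUID are placeholders (each label's ID is shown in the portal on the label's blade); 'Internal' is the label the post's taxonomy treats as the default for organization content.

```powershell
# Added example, not code from the original post. Assumptions: the AIP client
# module is installed and the user is signed in; the share path and label GUID
# are placeholders to replace with your own.

Import-Module AzureInformationProtection

$share           = '\\fileserver\finance'
$internalLabelId = '00000000-0000-0000-0000-000000000000'   # GUID of the 'Internal' label

function Get-LabelReport {
    param([string]$Path)
    # Get-AIPFileStatus walks the folder; each record says whether the file
    # carries a label and whether RMS protection is actually applied.
    $status = Get-AIPFileStatus -Path $Path
    [pscustomobject]@{
        Total       = @($status).Count
        Labeled     = @($status | Where-Object IsLabeled).Count
        Protected   = @($status | Where-Object IsRMSProtected).Count
        Unlabeled   = @($status | Where-Object { -not $_.IsLabeled })
        # A file labelled Restricted or Confidential but not protected means the
        # label was applied before protection was configured for it, or by a
        # client that cannot protect; those are the ones to look at first.
        LabelNoProt = @($status | Where-Object { $_.IsLabeled -and -not $_.IsRMSProtected -and
                          $_.MainLabelName -in 'Restricted', 'Confidential' })
    }
}

$report = Get-LabelReport -Path $share
"{0} files, {1} labeled, {2} protected" -f $report.Total, $report.Labeled, $report.Protected
$report.LabelNoProt | Format-Table FileName, MainLabelName

# Apply the baseline 'Internal' label to unlabelled files. -PreserveFileDetails
# keeps the original modified date and owner, so the bulk run does not look
# like a mass edit in file auditing.
foreach ($f in $report.Unlabeled) {
    Set-AIPFileLabel -Path $f.FileName -LabelId $internalLabelId -PreserveFileDetails
}
```

Run the report first without the labelling loop; the LabelNoProt list is the one that deserves a person's attention before anything is changed in bulk.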











Load Balancing SCOM sdk service with Microsoft NLB Cluster

In SCOM, high availability can be achieved at the management server, gateway server and agent level. Drilling down further, we can also configure HA for the Operations console for uninterrupted monitoring.

The Operations console connects to the System Center Data Access service (the SDK service) on a management server. Placing that service behind Network Load Balancing keeps the console reachable even when one management server fails.

SCOM Operations console connections can be made highly available with Microsoft Network Load Balancing (NLB), with hardware load balancers, or with DNS aliases.

In this demo, I have chosen to use Microsoft Network Load Balancing.



Steps:

  1. Assign a static IP address instead of DHCP to the SCOM management servers
  2. Enable the Microsoft Network Load Balancing feature on the management servers
  3. Create the NLB cluster
  4. Add the nodes to the cluster
  5. Add a DNS record for the cluster to the DNS zone


Primary Management Server: Server1.kartik.com

Secondary Management Server: Node2.kartik.com

Enable Microsoft Network Load Balancing Feature in both the Management Servers






After successful installation of NLB feature, open Network Load Balancing Manager from Administrative Tools and create NLB Cluster


Add Primary Management Server as Host



Give Cluster IP address


Give a Name to the Cluster




Connect Host to Cluster

Add Secondary Management Server to the Cluster





Add Cluster DNS records to DNS-Zone in DNS Server

Login to the DNS Server

Create “A” record for the Cluster





Access SCOM Console with NLB Name SCOMConsole.kartik.com



Now, we see that SCOM Console is operational with the NLB Cluster Name


Test the Functionality:

To test this functionality, I stopped the Data Access service on the secondary management server. This SDK service is what the Operations console connects to.

SCOM console is connected to SCOMConsole.kartik.com


Let us stop the SDK Service



We can see that the SCOM console is still operational. Note that NLB tracks only host membership (the heartbeat between nodes), not the SDK service itself: if the service stops while the host stays up, NLB can still send new console connections to that node. Pair the cluster with monitoring of the Data Access service, and drain-stop a node (Stop-NlbClusterNode -Drain) before planned maintenance so that existing sessions finish and no new ones are sent to it.
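The same build from PowerShell, as an added example that is not part of the original post: it creates the NLB cluster for the SDK service, balances only port 5724 with single affinity (console sessions are stateful), joins the second node, publishes the DNS record, registers the SPNs the console needs to authenticate through the alias with Kerberos, and tests the port through the VIP. The NIC name, VIP, subnet mask, DNS server and the SDK service account are assumptions; the node names are the post's lab values.

```powershell
# Added example, not code from the original post. Run on Server1.kartik.com as a
# domain admin. Assumptions (hypothetical): NIC name 'Ethernet', cluster VIP
# 192.168.1.50/24, DNS server AD.kartik.com, SDK service account 'KARTIK\svc-scomsdk'.
# 5724 is the port the Data Access (SDK) service listens on.

Import-Module NetworkLoadBalancingClusters
Import-Module DnsServer

$clusterName = 'SCOMConsole.kartik.com'
$clusterIp   = '192.168.1.50'
$subnetMask  = '255.255.255.0'
$nodes       = 'Server1.kartik.com', 'Node2.kartik.com'
$sdkAccount  = 'KARTIK\svc-scomsdk'

# 1. Create the cluster on the first management server.
New-NlbCluster -HostName $nodes[0] -InterfaceName 'Ethernet' -ClusterName $clusterName `
    -ClusterPrimaryIP $clusterIp -SubnetMask $subnetMask -OperationMode Unicast | Out-Null

# 2. Balance only the SDK port. Single affinity pins a console session to one
#    node, which matters because SDK sessions are stateful.
Get-NlbClusterPortRule -HostName $nodes[0] | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName $nodes[0] -StartPort 5724 -EndPort 5724 `
    -Protocol TCP -Mode Multiple -Affinity Single | Out-Null

# 3. Join the second management server.
Add-NlbClusterNode -HostName $nodes[0] -NewNodeName $nodes[1] -NewNodeInterface 'Ethernet' | Out-Null

# 4. Publish the cluster name in DNS.
Add-DnsServerResourceRecordA -ComputerName 'AD.kartik.com' -ZoneName 'kartik.com' `
    -Name 'SCOMConsole' -IPv4Address $clusterIp

# 5. Register the SDK SPNs for the alias on the Data Access service account so
#    Kerberos works through the cluster name; without them the console either
#    falls back to NTLM or fails to authenticate.
& setspn.exe -S "MSOMSdkSvc/$clusterName" $sdkAccount
& setspn.exe -S 'MSOMSdkSvc/SCOMConsole' $sdkAccount

# 6. Check node state and that the port answers through the VIP.
Get-NlbClusterNode -HostName $nodes[0] | Format-Table Name, State
(Test-NetConnection -ComputerName $clusterName -Port 5724).TcpTestSucceeded
```

If the Data Access service runs as Local System rather than a domain account, the SPNs go on each management server's computer account instead, and the alias will not work for Kerberos; that is the usual reason a console that works against the server name fails against the cluster name.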





Installing Root Certificate Authority and Creating SCOM Template

System Center Operations Manager can manage domain-joined servers and machines using the default Kerberos authentication, provided port 5723 is open. Machines that are not joined to the domain (workgroup computers), or that are in a domain that does not trust the Operations Manager domain, can be managed by installing certificates on both the gateway/management server and the client machine, so that the two sides authenticate each other with certificates instead of Kerberos.

This blog features the configuration of the Certificate Authority role and the creation of a certificate template.

CA server: AD.kartik.com

Log in to the Active Directory server as a domain admin and configure the CA role. (Installing an enterprise root CA on a domain controller is fine for a lab; in production, put the CA on a dedicated server and prefer an offline root with an issuing subordinate CA, since the key created here signs certificates that grant network authentication.)

Navigate to Server manager and select add roles and features

Select Active Directory Certificate Services role


Select Certificate Authority, Certificate Enrollment Web Service, Certification Authority Web Enrollment.


Specify credentials to configure AD CS Role




Select Enterprise CA


Specify the CA type as Root CA



Select the option create a new private key



Select the default options for the cryptographic provider and key length, and select SHA256 as the hash algorithm


Specify the name to the Certificate Authority


Specify the validity period as per the Company Policy


Choose the  default database locations


verify the selected options




Configure the additional role services


Specify credentials to configure role services




Select the authentication type as windows integrated authentication


Specify the service account for CES




Select Certificate Authority from the Tools menu in Server Manager


Click on Certificate Templates and select Manage


Select the template 'IPSec (Offline request)' and choose Duplicate Template; it is used because its subject name is supplied in the request, which lets each server ask for a certificate in its own FQDN


Leave the compatibility tab to default

Give the appropriate Template Name under general Tab

Select the validity period as per the Security Policy


Under Request Handling, check 'Allow private key to be exported'. This is only needed where the certificate has to be moved between machines (for example, when it is requested from the CA web page on behalf of a workgroup computer); an exportable key is also easier to steal, so leave it unchecked where the machine can enrol directly.


Under Cryptography Select as Providers Microsoft RSA SChannel Cryptographic Provider and Microsoft Enhanced Cryptographic Provider v 1.0



Navigate to the Extensions tab, select Application Policies, click Edit and add the following policies


Select Client Authentication and Server Authentication


Navigate to the Security tab and click Add


Select Computers as the object type


Search for the SCOM management servers


Grant Read and Enroll permissions to the management servers. Keep Enroll limited to the SCOM servers, and make sure Authenticated Users keeps only Read on the duplicated template: a template that lets the requester supply the subject name, issues Client Authentication, and is enrollable by any authenticated user lets any domain user request a certificate in another principal's name, which is a well-known Active Directory Certificate Services escalation path.


Go back to the Certificate Authority Console, Select Certificate Template, Click on New Certificate Template to Issue


Select the Template which was created before


Launch https://ad/certsrv (https://adservername/Certsrv) from Management Server and select advanced certificate request


The certificate Template should be visible here
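Requesting the certificate from a script, as an added example that is not part of the original post: certreq builds a request from an INF that mirrors the template (RSA 2048, SChannel provider, both authentication EKUs), submits it to the CA against the template created above, and the issued certificate is checked for the properties the SCOM health service actually needs before MOMCertImport hands it over. The CA config string 'AD.kartik.com\kartik-AD-CA', the template name 'SCOMCertTemplate' and the machine FQDN are assumptions; the path of MOMCertImport.exe depends on where the SupportTools folder was copied from the installation media.

```powershell
# Added example, not code from the original post. Assumptions (hypothetical):
# CA config 'AD.kartik.com\kartik-AD-CA', template name 'SCOMCertTemplate',
# the machine FQDN and the MOMCertImport.exe path below.

$fqdn     = 'Node2.kartik.com'
$caConfig = 'AD.kartik.com\kartik-AD-CA'
$template = 'SCOMCertTemplate'
$work     = 'C:\Temp\scomcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Request parameters. The subject must be the exact FQDN the health service
#    resolves, KeySpec=1 (AT_KEYEXCHANGE) and the SChannel provider are what the
#    health service expects, and both EKUs are required for the mutual TLS handshake.
@"
[NewRequest]
Subject = "CN=$fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# 2. Generate, submit and accept. A domain-joined gateway reaches the CA directly;
#    a workgroup computer instead uploads request.req through the advanced request
#    page at https://AD.kartik.com/certsrv, downloads the .cer and runs only the
#    -accept step.
& certreq.exe -new "$work\request.inf" "$work\request.req"
& certreq.exe -submit -config $caConfig -attrib "CertificateTemplate:$template" "$work\request.req" "$work\cert.cer"
& certreq.exe -accept "$work\cert.cer"

# 3. Verify before importing: exact subject, both EKUs, private key present.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$ok = $cert -and $cert.HasPrivateKey -and
      ('1.3.6.1.5.5.7.3.1' -in $ekus) -and ('1.3.6.1.5.5.7.3.2' -in $ekus)
if (-not $ok) { throw "Certificate for $fqdn does not meet SCOM requirements" }

# 4. Point the health service at it and restart. MOMCertImport writes the serial
#    number (byte-reversed) under
#    HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings.
& 'C:\SupportTools\AMD64\MOMCertImport.exe' /SubjectName $fqdn
Restart-Service HealthService
```

The verification step is the one worth keeping even when the request is made through the web page: a certificate with the wrong subject or only one of the two EKUs imports without complaint and then fails at the handshake, which surfaces only as the agent never appearing in the console.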







System Center Operations Manager 2016 High Availability – Configuration

High availability is important for any application, and it is highly recommended for a monitoring application: an HA design for the monitoring solution makes sure that monitoring is always on and the service is available without interruption.

Since System Center 2012, HA has been made easier with the concept of the resource pool: the members of a pool share the monitoring workflows, and when one member fails the others take over its work. The same principle applies in System Center 2016.

Scenarios of HA in System Center Operations Manager

  1. Agent server failover to a management server from a resource pool
  2. Gateway server failover to a management server
  3. Gateway agent (domain-joined) failover
  4. Gateway agent (workgroup) failover

In order to test this failover functionality, I have configured the below servers in my lab

  • Domain: Kartik.com
  • SCOM primary management server: SCOM2016.kartik.com
  • SCOM secondary management server: SCOM2.kartik.com
  • Gateway server 1: Server1.Kartik.com
  • Gateway server 2: Node2.kartik.com
  • Domain-joined client server: Client2.kartik.com
  • Workgroup computer: Client

1. Agent server failover to a management server from a resource pool

In this scenario, the agents report to a management server resource pool; when one management server goes down, the agents reporting to it fail over to the other management server available in the pool.

Test Fail-over


Primary Management Server: SCOM2.kartik.com

Failover Management Server : SCOM2016.kartik.com

Client Server: Client2.kartik.com





Shutdown the Management Server SCOM2.kartik.com to test the agent failover


SCOM2 showing grey in SCOM console



Event logs from SCOM2016.kartik.com


Logs from SCOM2016.kartik.com




Logs from Client2.kartik.com

Here, we see that the server successfully failed over to SCOM2016.kartik.com


Client2.kartik.com showing healthy in SCOM console



2. Gateway Server Fail-over

Gateway Server: Server1.kartik.com

Primary Management Server: SCOM2.kartik.com

Failover Management Server: SCOM2016.kartik.com



PowerShell commands to configure gateway server failover

$primaryMS  = Get-SCOMManagementServer -Name "SCOM2.kartik.com"
$failoverMS = Get-SCOMManagementServer -Name "SCOM2016.kartik.com"
$gatewayMS  = Get-SCOMGatewayManagementServer -Name "Server1.kartik.com"

Set-SCOMParentManagementServer -Gateway $gatewayMS -PrimaryServer $primaryMS
Set-SCOMParentManagementServer -Gateway $gatewayMS -FailoverServer $failoverMS


PowerShell commands to verify gateway server failover

$GWs = Get-SCOMManagementServer | Where-Object { $_.IsGateway -eq $true }

$GWs | Sort-Object Name | ForEach-Object {
    Write-Host ""
    "Gateway MS    :: " + $_.Name
    "--Primary MS  :: " + ($_.GetPrimaryManagementServer()).ComputerName
    $failoverServers = $_.GetFailoverManagementServers()
    foreach ($managementServer in $failoverServers) {
        "--Failover MS :: " + $managementServer.ComputerName
    }
    Write-Host ""
}


Verify Gateway Server Fail-Over

Shutdown the primary management Server SCOM2.kartik.com

Logs from SCOM2016.kartik.com


Event generated in SCOM console for SCOM2.kartik.com


Logs from Server1.kartik.com showing that it successfully failed over to SCOM2016.kartik.com


Server1.kartik.com showing healthy in SCOM console



3. Gateway Agent ( domain-joined ) failover

Client: Client2.kartik.com

Primary Gateway Management Server: Server1.kartik.com

Failover Gateway Management Server: Node2.kartik.com

Client2.kartik.com reporting to Gateway Server1.kartik.com



PowerShell commands to configure gateway agent failover

$primaryMS  = Get-SCOMManagementServer | Where-Object { $_.Name -eq 'Server1.kartik.com' }
$failoverMS = Get-SCOMManagementServer | Where-Object { $_.Name -eq 'Node2.kartik.com' }
$agent      = Get-SCOMAgent | Where-Object { $_.PrimaryManagementServerName -eq 'Server1.kartik.com' }
Set-SCOMParentManagementServer -Agent $agent -PrimaryServer $primaryMS
Set-SCOMParentManagementServer -Agent $agent -FailoverServer $failoverMS


PowerShell commands to verify gateway agent failover

$Agents = Get-SCOMAgent | Where-Object { $_.PrimaryManagementServerName -eq 'Server1.kartik.com' }

$Agents | Sort-Object Name | ForEach-Object {
    Write-Host ""
    "Agent         :: " + $_.Name
    "--Primary MS  :: " + ($_.GetPrimaryManagementServer()).ComputerName
    $failoverServers = $_.GetFailoverManagementServers()
    foreach ($managementServer in $failoverServers) {
        "--Failover MS :: " + $managementServer.ComputerName
    }
    Write-Host ""
}


Shutdown Server1.kartik.com

Event generated in SCOM console for Server1.kartik.com


Event Log from Management Server SCOM2016.kartik.com


Client2.kartik.com successfully failed over to other gateway server Node2.kartik.com

Event log generated in Client2.kartik.com


Client2.kartik.com showing healthy in scom console


4. Gateway Agent ( workgroup ) failover

Workgroup computer: Client.kartik.com

Primary Gateway Management Server: Server1.kartik.com

Failover Gateway Management Server: Node2.kartik.com


Note: for the workgroup computer to fail over, the failover gateway (Node2.kartik.com) must be able to authenticate it as well. Each gateway needs its own certificate in its Local Computer personal store, registered with MOMCertImport, and both gateways must trust the CA that issued the workgroup computer's certificate (and the workgroup computer must trust the CA that issued the gateways' certificates).

Workgroup client reporting to the gateway Server1.kartik.com


Certificates imported in personal store of both the Gateway Servers Server1.kartik.com and Node2.kartik.com


PowerShell commands to verify gateway agent failover: the same commands as in scenario 3 apply, since the workgroup agent also reports to Server1.kartik.com


Shutdown Server1.kartik.com


Event logs generated from Management Server SCOM2016.kartik.com


Event Log generated in workgroup computer for successful failover
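Checking both gateways before the failover test, as an added example that is not part of the original post: it reads on each gateway the certificate MOMCertImport registered for the health service, checks that it has a private key, the right subject and both authentication EKUs, and checks that the issuing CA is trusted, so that the workgroup agent actually has somewhere to fail over to. WinRM on the gateways and the CA name 'kartik-AD-CA' are assumptions; the gateway names are the lab values from the post.

```powershell
# Added example, not code from the original post. Assumptions: WinRM is enabled
# on both gateways and the issuing CA is named 'kartik-AD-CA' (hypothetical).

$gateways = 'Server1.kartik.com', 'Node2.kartik.com'
$caName   = 'kartik-AD-CA'

$report = Invoke-Command -ComputerName $gateways -ArgumentList $caName -ScriptBlock {
    param($ca)

    # MOMCertImport stores the serial number of the chosen certificate byte-reversed.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $raw = (Get-ItemProperty -Path $key -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    $serial = $null
    if ($raw) {
        $bytes = [byte[]]$raw
        [array]::Reverse($bytes)
        $serial = ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    }

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial } | Select-Object -First 1
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    [pscustomobject]@{
        Gateway        = $fqdn
        CertRegistered = [bool]$cert
        SubjectMatches = [bool]$cert -and ($cert.Subject -eq "CN=$fqdn")
        HasPrivateKey  = [bool]$cert -and $cert.HasPrivateKey
        HasBothEkus    = ('1.3.6.1.5.5.7.3.1' -in $ekus) -and ('1.3.6.1.5.5.7.3.2' -in $ekus)
        NotExpired     = [bool]$cert -and ($cert.NotAfter -gt (Get-Date))
        # The agent's certificate chains to this CA; without the root in the
        # gateway's store the TLS handshake from the workgroup agent fails.
        CaTrusted      = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$ca*" })
    }
}

$report | Format-Table Gateway, CertRegistered, SubjectMatches, HasPrivateKey, HasBothEkus, NotExpired, CaTrusted

$notReady = $report | Where-Object {
    -not ($_.CertRegistered -and $_.SubjectMatches -and $_.HasPrivateKey -and $_.HasBothEkus -and $_.NotExpired -and $_.CaTrusted)
}
if ($notReady) { throw "Gateways not ready for certificate failover: $($notReady.Gateway -join ', ')" }
```

Run it again after the failover gateway's certificate is renewed: MOMCertImport must be re-run on renewal, and a gateway whose registered serial number no longer exists in the store will silently reject the workgroup agent.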






Powershell Script to clear cache in SCOM Agents

# Reads the list of grey agents (one hostname per line), stops the health
# service on each, deletes its local cache and starts it again.
$path        = "C:\GreyAgents.txt"
$srvlist     = Get-Content $path
$serviceName = "HealthService"
$cacheFolder = "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State"

foreach ($srv in $srvlist) {
    Write-Host "Grey agent : $srv"

    Invoke-Command -ComputerName $srv -ArgumentList $serviceName, $cacheFolder -ScriptBlock {
        param($svc, $folder)
        Stop-Service -Name $svc -Force          # waits for the service to stop
        Remove-Item -Path $folder -Recurse -Force
        Start-Sleep -Seconds 10
        Start-Service -Name $svc
    }

    Write-Host "Cleared cache successfully on $srv"
}


Powershell Script to schedule Maintenance Mode in SCOM

# Reads short hostnames (one per line), appends the domain and puts each
# Windows computer object into maintenance mode for 20 minutes.
Import-Module OperationsManager

$path   = "C:\SCOMMaintenanceMode.txt"
$domain = "kartik.com"

$MyFile = Get-Content $path
$Class  = Get-SCOMClass -Name "Microsoft.Windows.Computer"

foreach ($srv in $MyFile) {
    $fqdn = "$srv.$domain"
    Write-Host "ServerName : $fqdn"

    $startTime = [DateTime]::Now
    $endTime   = $startTime.AddMinutes(20)

    $Instance = Get-SCOMClassInstance -Class $Class | Where-Object { $_.DisplayName -eq $fqdn }
    if (-not $Instance) {
        Write-Warning "No Microsoft.Windows.Computer instance found for $fqdn"
        continue
    }
    Start-SCOMMaintenanceMode -Instance $Instance -Reason "PlannedOther" -EndTime $endTime -Comment "Scheduled SCOM Maintenance Window"
}



Powershell Script to recycle HealthService on all GreyAgents in SCOM

# Same input file as the cache-clearing script; only restarts the service
# without touching the cache.
$path        = "C:\GreyAgents.txt"
$srvlist     = Get-Content $path
$serviceName = "HealthService"

foreach ($srv in $srvlist) {
    Write-Host "Grey agent : $srv"

    Invoke-Command -ComputerName $srv -ArgumentList $serviceName -ScriptBlock {
        param($svc)
        Stop-Service -Name $svc -Force
        Start-Sleep -Seconds 10
        Start-Service -Name $svc
    }

    Write-Host "Health service restarted successfully on $srv"
}