Monitor your Hybrid Identity /w Azure Active Directory Connect Health
With Azure AD Connect Health Microsoft provides the ability to monitor your hybrid identity as this is becoming more and more a key component providing single sign-on (SSO) authentication to Azure, Office 365, Microsoft Intune and many more Microsoft Online services and on-premise directory services.
This will help you to be proactive before potential issues impact your end-users, gather statistics related to the authentication process, monitor your Azure Active Directory and federation systems. This feature of Azure Active Directory Premium (which is currently in public preview) helps you monitor and gain insight into health, performance and login activity of your on-premises Active Directory infrastructure. While this release supports Active Directory Federation Services (ADFS), Microsoft is working on to add support for sync servers in the future.
Set up Azure AD Connect Health
The first step is to install the agent on each of your ADFS and ADFS proxy/Web Application proxy servers.
- Login into the Azure Preview Portal with your Azure AD global administrator account. This account must also be licensed for Azure AD premium.
Click on the Marketplace tile. Under Identity you will find the Azure AD Connect health extension or use the search function. Click on it to enable the service and gain access to Azure AD Connect Health within the portal.
- Click on the Quick Start tile and download the agent onto your ADFS and proxy servers. This applies to all your servers which
Install the agent that you just downloaded.
In order for the Usage Analytics feature to gather data and analyze the Azure AD Connect Health agent needs the information in the AD FS Audit Logs. These logs are not enabled by default. This only applies to AD FS federation servers. You do not need to enable auditing on AD FS Proxy servers or Web Application Proxy servers. Use the following procedures to enable AD FS auditing and to locate the AD FS audit logs.
- Open Local Security Policy by opening Server Manager on the Start screen, or Server Manager in the taskbar on the desktop, then click Tools/Local Security Policy.
- Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.
- On the Local Security Setting tab, verify that the AD FS service account is listed. If it is not present, click Add User or Group and add it to the list, and then click OK.
- Open a command prompt with elevated privileges and run the following command to enable auditing:
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable.
- Close Local Security Policy, and then open the AD FS Management snap-in (in Server Manager, click Tools, and then select AD FS Management).
- In the Actions pane, click Edit Federation Service Properties.
- In the Federation Service Properties dialog box, click the Events tab.
- Select the Success audits and Failure audits check boxes and then click OK.
Fire up a PowerShell window. Use the Register-ADHealthAgent commandlet to configure and register the health agent to securely connect to the Azure AD Connect Health service. You will need admin credentials.
Note! Make sure that you’ve internet connectivity. Azure AD Connect Health agent requires TCP 443 outbound. The installation process of the agent requires the ability to connect to the Azure AD Connect Health service end points listed below. If you block out bound connectivity make sure that the following are added to the allow list:
The following websites need to be allowed if IE Enhanced Security is enabled on the server that is going to have the agent installed.
- The federation server for your organization trusted by Azure Active Directory For example: https://sts.contoso.com
Using the Portal to view the health and usage of ADFS
The portal is comprised of three key views. Let’s dive into some of the details.
The Azure AD Connect Health Alerts section shows you the list of active alerts requiring administrator attention, which are based on ADFS service events, performance counters and configuration information. These could be issues with certificates, connectivity to domain controllers or as simple as detecting that the ADFS service is not running. They can also warn of potential issues or missing hotfixes/updates.
Selecting an alert reveals more detailed information, as well as resolution steps and links to relevant documentation. You can also view historical data on previously resolved alerts.
Usage analytics provide insight to login activity based on security audits that each of the ADFS servers generates and sends to the Azure AD Connect Health for analysis.
Currently we support two views:
- Successful logins can be viewed by application (relying party trust), network location, authentication method or server. The application pivot is tremendously useful for understanding usage patterns of applications.
- Unique user count shows the number of unique users accessing applications and can be viewed by application (relying party trust).
New views will be added in near future that show the count and type of issuance failures, such as username/password failures, occurring in the system.
This is a simple, aggregated view of key performance counters collected from your ADFS and proxy servers, including token requests, CPU, memory and latency. It can also help you detect potential balancing issues within your environment.
Using the Filter option at the top of the blade, you view an individual server’s metrics. To change metrics, simply right-click on the monitoring chart under the monitoring blade and select Edit Chart. You can then select additional metrics and specify a time range for viewing the performance data.
What’s coming next?
We are actively working on adding the following capabilities to the service:
- Email notification of alerts
- Support for monitoring and reporting on sync servers
- Failure trending and reports for the ADFS service
- Health and reporting of Azure AD services such as SaaS applications, MFA and password reset
Monitoring your Hybrid Identity by System Center 2012 R2 Operations Manager
Off course you’re also able to monitor your hybrid identity solution with System Center 2012 R2 Operations Manager. In this case you must download and install management packs for both ADFS and WAP servers. The management pack for monitoring your Active Directory Federation Services (ADFS) can be downloaded here and Web Application Proxy (WAP) here.