Aug 15, 2023
Azure AD Connect Health for AD FS– Implementing and Managing Identity Synchronization with Azure AD
In addition to gathering and reporting information for your on-premises Active Directory and synchronization services, Azure AD Connect Health also supports AD FS.
To get the most out of Azure AD Connect Health for AD FS, you’ll need to enable auditing, which involves three steps:
- Ensure that the AD FS farm service account has been granted the Generate security audits right in the security policy (Local Policies | User Rights Assignment | Generate security audits).
- From an elevated command prompt, run the following command: auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable.
- On the AD FS primary farm server, open an elevated PowerShell prompt and run the following command: Set-AdfsProperties -AuditLevel Verbose.
Then, you can deploy the agents to your servers.
After deploying the agents to your federation and proxy servers, you will see information reported in the Azure AD Connect Health portal under Active Directory Federation Services, as shown in Figure 4.21:
Figure 4.21 – Azure AD Connect Health for AD FS
In addition to diagnostic information, the health services for AD FS can also provide usage analytics and performance monitoring, as well as failed logins and information regarding risky sign-ins.
Figure 4.22 – Azure AD Connect Health for AD FS
Azure AD Connect Health is a valuable premium service that can help keep you on top of the health and performance aspects of your hybrid identity deployment.
Troubleshooting Azure AD Connect synchronization
While things normally operate smoothly, there may be times when objects become misconfigured or services go offline unexpectedly. You can troubleshoot common issues with Azure AD Connect’s built-in troubleshooting tools.
To launch the troubleshooting tool, follow these steps:
- Launch the Azure AD Connect configuration tool on the desktop of the server where Azure AD Connect is installed.
- Click Configure.
- On the Additional tasks page, select Troubleshoot and then click Next.
- On the Welcome to AADConnect Troubleshooting page, select Launch.
Figure 4.23 – Launching the AADConnect Troubleshooting tool
- Select the appropriate troubleshooting options from the menu shown in Figure 4.24:
Figure 4.24 – The AADConnect Troubleshooting menu
The AADConnect Troubleshooting tool provides several specific troubleshooters, such as diagnosing attribute or group membership synchronization, password hash synchronization, as well as service account permissions.
Most object or attribute troubleshooting routines will require the object’s DN to continue.
FURTHER READING
For more information on the tests that can be performed by the AADConnect Troubleshooting tool, see https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-objectsync.
Configuring and managing directory synchronization by using Azure AD Connect cloud sync
Azure AD Connect cloud sync is a new synchronization platform that allows you to manage directory synchronization from the Azure portal. Depending on your organization’s goals and environments, Azure AD Connect cloud sync can be a lightweight, flexible option that allows you to begin directory synchronization quickly.
EXAM TIP
To perform the installation, you’ll need either a Domain Administrator or Enterprise Administrator credential to the on-premises Active Directory forest so that the installer can create the group Managed Service Account (gMSA). You’ll also need an account that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD.
Microsoft recommends configuring a unique identity in Azure AD with the Hybrid Identity Administrator role for Azure AD Connect cloud sync.