In addition to gathering and reporting information for your on-premises AD and synchronization services, Azure AD Connect Health also supports AD FS.
To get the most out of Azure AD Connect Health for AD FS, you’ll need to enable auditing, which involves three steps:
1.Ensure the AD FS farm service account has been granted the Generate security audits right in the security policy (Local Policies | User Rights Assignment | Generate security audits).
2. From an elevated command prompt, run the following command: auditpol.exe /set / subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable.
3. On the AD FS primary farm server, open an elevated PowerShell prompt and run the following command: Set-AdfsProperties -AuditLevel Verbose.
Then, you can deploy the agents to your servers.
After deploying the agents to your federation and proxy servers, you will see information reported in the Azure AD Connect Health portal by selecting AD FS services under the Active Directory Federation Services section, as shown in Figure 4.21:
Figure 4.21 – Azure AD Connect Health for AD FS
In addition to diagnostic information, the health services for AD FS can also provide usage analytics and performance monitoring, as well as failed logins and information regarding risky sign-ins. See Figure 4.22:
Figure 4.22 – Azure AD Connect Health for AD FS overview
Azure AD Connect Health is a valuable premium service that can help you keep on top of the health and performance aspects of your hybrid identity deployment.
Troubleshooting Azure AD Connect Synchronization
While things normally operate smoothly, there may be times when objects become misconfigured, or services go offline unexpectedly. You can troubleshoot common issues with Azure AD Connect’s built-in troubleshooting tool.
To launch the troubleshooting tool, follow these steps:
1.Launch the Azure AD Connect configuration tool on the desktop of the server where Azure AD Connect is installed.
2. Click Configure.
3. On the Additional tasks page, select Troubleshoot and then click Next.
4. On the Welcome to AADConnect Troubleshooting page, select Launch, as shown in Figure 4.23:
Figure 4.23 – Launching the AADConnect Troubleshooting tool
5. Select the appropriate troubleshooting option from the menu shown in Figure 4.24:
Figure 4.24 – AADConnect Troubleshooting menu
The AADConnect Troubleshooting tool provides several specific troubleshooters, such as diagnosing attribute or group membership synchronization, password hash synchronization, as well as service account permissions.
Most object or attribute troubleshooting routines will require the errored object’s distinguished name to continue.
Further Reading
For more information on the tests that can be performed by the AADConnect Troubleshooting tool, see https://learn.microsoft.com/en-us/azure/active-directory/ hybrid/tshoot-connect-objectsync.
Configuring and Managing Directory Synchronization by Using Azure AD Connect Cloud Sync
Azure AD Connect Cloud Sync (rebranded as Microsoft Entra Cloud Sync) is a new synchronization platform that allows you to manage directory synchronization from the Azure portal. Depending on your organization’s goals and environments, Azure AD Connect Cloud Sync can be a lightweight, flexible option that allows you to begin directory synchronization quickly.
Exam Tip
To perform the installation, you’ll need either Domain Admin or Enterprise Admin credentials to the on-premises Active Directory forest so that the installer can create the group Managed Service Account (gMSA). You’ll also need an account that has either the Global Administratoror Hybrid Identity Administrator roles in Azure AD.
Microsoft recommends configuring a unique identity in Azure AD with the Hybrid Identity Administrator role for Azure AD Connect Cloud Sync.