First experience with Azure AD Connect Health Agent

In this blog post I’d like to share my first experience with the recently Microsoft released public preview of the Azure AD Connect Health Agent. The new Azure Cloud service that can be used to monitor the health of you local Active Directory Federation Services Farm and the trust relation with Microsoft Online.

As many organization exists of a Hybrid configuration most of them are relying on a ADFS / AAD Sync configuration in order to authenticate and provisioning local Active Directory identities to the Microsoft Online services. In real life ADFS can be quite challenging for IT organizations in order to achieve a reliable sign-in service. When ADFS or the federation with Microsoft Online is not working correctly it most likely affects the whole organization which results in loss of productivity and financial loss. To help address these challenges, Microsoft has released the preview of Azure Active Directory Connect Health in the Azure Preview Portal. This feature of Azure Active Directory Premium helps you monitor and gain insight into health, performance and login activity of your on-premises Active Directory infrastructure. Microsoft has also announced to add support for the sync servers in future releases.

Here you find some links to usefull Azure AD Health Agent resources:

As with most previews there is not many information available regarding potential issues that may come up during installation. I must say that Microsoft, in this case, already provides good documentation installing the AD Health Agent. Personally I have installed it using an ADFS 3.0 / WAP configuration and came up to some points of attentions that I’d like to share with you:

Logfile location

During installation and configuration two log file locations are used:

  • The Agent Setup installation log file is located in the users Temp folder;
  • The Register-ADHealthAgent PowerShell command log file is located in System32 folder.

Audit Error during configuration

The following warnings are displayed when executing the Register-ADHealthAgent PowerShell command:

Detected audit inclusion setting: No Auditing
WARNING: AD FS auditing is not enabled correctly, please verify AD FS configuration and Machine Audit security policy.

In order to correct this you have to reevaluate the Audit requirements in the provided documentation: Azure AD Connect Health Requirements. It is not sufficient to have audithing in place in the ADFS MMC, also make sure that you also have configured the Local/Group policy settings.

No Roles Installed Warning (or error in matter of fact) during configuration:

The following warnings are displayed when executing the Register-ADHealthAgent PowerShell command:

WARNING: Failed detecting or registering AdFederationService service, operation skipped.

WARNING: No role was registered.

WARNING: Agent registration completed with warning(s).

WARNING: Log file AdHealthAgentConfiguration.2015-02-05_12-40-11.log contains more information regarding the

warning(s).

And the related log file contains the following warnings:

WARNING: Failed detecting or registering AdFederationService service, operation skipped.

System.Net.WebException: The remote server returned an error: (401) Unauthorized.

at System.Net.HttpWebRequest.GetResponse()

at Microsoft.Identity.Health.Common.RestRequest.SendJsonData(HttpMethod httpMethod, String uri, String accessToken, Object content)

at Microsoft.Identity.Health.PowerShell.ConfigurationModule.RegisterADHealthAgent.RegisterServiceIfNotExist(String serviceTypeName, String serviceSignature)

at Microsoft.Identity.Health.PowerShell.ConfigurationModule.RegisterADHealthAgent.ProcessRecord()

WARNING: No role was registered.

WARNING: Agent registration completed with warning(s).

WARNING: Log file AdHealthAgentConfiguration.2015-02-04_21-23-24.log contains more information regarding the warning(s).

This occurs when you did not assign an Azure AD Premium license to the used identity during the installation. The error is not very clear about that, it states that a Azure AD Premium License is needed, but not that is must be assigned to the user used during installation. So please make sure that you are using a Azure AD Global Admin account that is assigned with a Azure AD Premium License.

After the configuration is completed successfully you can see the the health of your configuration in the new Azure preview Portal

This concludes this post on the Azure AD Connect Health installation and configuration.

 

leave your comment