Nomad_Soul - Fotolia
When an organization deploys an Active Directory Federation Services infrastructure for Office 365 sign-in, the ADFS infrastructure becomes a critical component of the overall Office 365 implementation. As a result, monitoring this ADFS infrastructure for its overall health becomes a critical task.
Azure AD Connect Health doesn't just monitor the overall health of the ADFS infrastructure; it offers insights into performance and usage statistics, key configuration information and alerts related to areas such as missing hot fixes.
Install, configure AD Connect Health
Microsoft offers Azure AD Connect Health in the Azure portal Marketplace. Once the application is added to the Azure portal and launched, explore Quick Start, which you can launch from the main window or "blades" as they are known in the Azure portal.
The Quick Start button reveals a new blade that allows you to download the Azure AD Connect Health agent for ADFS. Select the agent link option from the Quick Start blade to begin the agent executable file download. It can then install onto each ADFS server -- including the ADFS Proxy and Web Application Proxy server -- the IT organization needs to monitor. This is a small executable download, around 9 MB at the time of writing this article. The Quick Start blade also includes a link to tutorials and guides for using the service, as well as feedback about this service.
Also present is a "coming soon" link about downloading the Azure AD Connect Health Agent for Sync -- a future option – which will allow you to monitor Azure AD Connect Sync services.
Installing the agent on an ADFS server is straightforward: with a single click of the Install button and no further information.
After the installation completes, the Configure Now button pops up to commence the configuration of the agent via the Register-AzureADConnectHealthADFSAgent PowerShell command. This configuration also requires a sign-in to the Azure service, so have those credentials ready during this process.
A useful text log file is created in the working directory that invoked the agent installation executable. This log file assists with troubleshooting and indicates important configuration issues, such as when ADFS auditing is incorrectly enabled on the ADFS servers.
Information in Azure AD Connect Health
Once you successfully install and configure the AD Connect Health agent the Azure AD Connect Health blade in the Azure portal should reveal that data has been populated within the ADFS blade. This area of the blade shows:
- The total number of ADFS servers being monitored by an agent;
- The ADFS service name such as sts.fabrikam.com; and
- Any associated alerts, such as warnings, that may be in force on the monitored servers.
The ADFS blade displays an overall view of the different services being monitored, with key status information such as the number of active alerts for that service, the time it was last updated and the overall status. Should the status warrant further investigation, such as when it's unhealthy, you can then examine that specific service by clicking on its name. This action presents another blade with the detailed service information. You alternatively can reach this individual service blade by clicking the relevant service name in the ADFS area of the main Azure AD Connect Health blade.
The details blade of a federation service really dives into important information for admins, such as:
- The number of Federation Servers and Federation Server Proxy servers deployed;
- The number of active and resolved alerts;
- Monitoring statistics such as the number of token requests per second from the last 24 hours;
- Usage analytics such as top application visits from the past 24 hours; and
- Reports such as bad password attempts from the last 30 days.
Review these alerts -- they contain key health and deployment information.
Selecting any particular alert brings up a blade that contains supporting information, such as when it was first raised, when it was last detected and suggestions on how to fix the issue. Furthermore, it sends email notifications when there are new alerts.
A Properties button on the details blade presents key deployment and configuration information such as:
- The primary Windows Internal Database server in the ADFS farm;
- The name of the ADFS service account;
- If the AAD trust is configured;
- The version of the ADFS farm in use, for example, ADFS in Windows 2012 R2;
- If automatic certificate rollover is enabled; and
- Key certificate information, such as the token-signing and token-decrypting certificates.
This information is valuable to admins when troubleshooting issues with ADFS or reviewing configuration changes.
Manage end-user identities with Azure AD
What you need to know about Azure AD Connect
ADFS server manages Office 365 identities