Azure Active Directory Connect Health operations - Microsoft Entra (2023)

This topic describes the various operations you can perform by using Azure Active Directory (Azure AD) Connect Health.

Enable email notifications

You can configure the Azure AD Connect Health service to send email notifications when alerts indicate that your identity infrastructure is not healthy. This occurs when an alert is generated, and when it is resolved.

Note

Email notifications are enabled by default.

To enable Azure AD Connect Health email notifications

  1. In the Azure portal, search for Azure AD Connect Health.
  2. Select Sync errors.
  3. Select Notification Settings.
  4. At the email notification switch, select ON.
  5. Select the check box if you want all Hybrid Identity Administrators to receive email notifications.
  6. If you want to receive email notifications at any other email addresses, specify them in the Additional Email Recipients box. To remove an email address from this list, right-click the entry and select Delete.
  7. To finalize the changes, click Save. Changes take effect only after you save.

Note

When there are issues processing synchronization requests in our backend service, this service sends a notification email with the details of the error to the administrative contact email address(es) of your tenant. We heard feedback from customers that in certain cases the volume of these messages is prohibitively large, so we are changing the way we send these messages.

Instead of sending a message for every sync error every time it occurs we will send out a daily digest of all errors the backend service has returned. This enables customers to process these errors in a more efficient manner and reduces the number of duplicate error messages.

Delete a server or service instance

Note

An Azure AD Premium license is required for the deletion steps.

In some instances, you might want to remove a server from being monitored. Here's what you need to know to remove a server from the Azure AD Connect Health service.

When you're deleting a server, be aware of the following:

  • This action stops collecting any further data from that server. This server is removed from the monitoring service. After this action, you are not able to view new alerts, monitoring, or usage analytics data for this server.
  • This action does not uninstall the Health Agent from your server. If you have not uninstalled the Health Agent before performing this step, you might see errors related to the Health Agent on the server.
  • This action does not delete the data already collected from this server. That data is deleted in accordance with the Azure data retention policy.
  • After performing this action, if you want to start monitoring the same server again, you must uninstall and reinstall the Health Agent on this server.

Delete a server from the Azure AD Connect Health service

Azure AD Connect Health for Active Directory Federation Services (AD FS) and Azure AD Connect (Sync):

  1. Open the Server blade from the Server List blade by selecting the server name to be removed.
  2. On the Server blade, from the action bar, click Delete.
  3. Confirm by typing the server name in the confirmation box.
  4. Click Delete.

Azure AD Connect Health for Azure Active Directory Domain Services:

  1. Open the Domain Controllers dashboard.
  2. Select the domain controller to be removed.
  3. From the action bar, click Delete Selected.
  4. Confirm the action to delete the server.
  5. Click Delete.

Delete a service instance from Azure AD Connect Health service

In some instances, you might want to remove a service instance. Here's what you need to know to remove a service instance from the Azure AD Connect Health service.

When you're deleting a service instance, be aware of the following:

  • This action removes the current service instance from the monitoring service.
  • This action does not uninstall or remove the Health Agent from any of the servers that were monitored as part of this service instance. If you have not uninstalled the Health Agent before performing this step, you might see errors related to the Health Agent on the servers.
  • All data from this service instance is deleted in accordance with the Azure data retention policy.
  • If you later want to monitor the service again, uninstall and reinstall the Health Agent on all of its servers. If you want to monitor only the same server again, uninstall, reinstall, and register the Health Agent on that server.

To delete a service instance from the Azure AD Connect Health service

  1. Open the Service blade from the Service List blade by selecting the service identifier (farm name) that you want to remove.
  2. On the Service blade, from the action bar, click Delete.
  3. Confirm by typing the service name in the confirmation box (for example: sts.contoso.com).
  4. Click Delete.

Manage access with Azure RBAC

Azure role-based access control (Azure RBAC) for Azure AD Connect Health provides access to users and groups other than Hybrid Identity Administrators. Azure RBAC assigns roles to the intended users and groups, and provides a mechanism to limit the Hybrid Identity Administrators within your directory.

Roles

Azure AD Connect Health supports the following built-in roles:

  • Owner: Owners can manage access (for example, assign a role to a user or group), view all information (for example, view alerts) from the portal, and change settings (for example, email notifications) within Azure AD Connect Health. By default, Azure AD Hybrid Identity Administrators are assigned this role, and this cannot be changed.
  • Contributor: Contributors can view all information (for example, view alerts) from the portal, and change settings (for example, email notifications) within Azure AD Connect Health.
  • Reader: Readers can view all information (for example, view alerts) from the portal within Azure AD Connect Health.

All other roles (such as User Access Administrator or DevTest Labs User) have no effect on access within Azure AD Connect Health, even if the roles are available in the portal experience.

Access scope

Azure AD Connect Health supports managing access at two levels:

  • All service instances: This is the recommended path in most cases. It controls access for all service instances (for example, an AD FS farm) across all role types that are being monitored by Azure AD Connect Health.
  • Service instance: In some cases, you might need to segregate access based on role types or by a service instance. In this case, you can manage access at the service instance level.

Permission is granted if an end user has access either at the directory or service instance level.

Allow users or groups access to Azure AD Connect Health

The following steps show how to allow access.

Step 1: Select the appropriate access scope

To allow a user access at the all service instances level within Azure AD Connect Health, open the main blade in Azure AD Connect Health.

Step 2: Add users and groups, and assign roles

  1. From the Configure section, click Users.
  2. Select Add.
  3. In the Select a role pane, select a role (for example, Owner).
  4. Type the name or identifier of the targeted user or group. You can select one or more users or groups at the same time. Click Select.
  5. Select OK.
  6. After the role assignment is complete, the users and groups appear in the list.

Now the listed users and groups have access, according to their assigned roles.

Note

  • Global administrators always have full access to all the operations, but global administrator accounts are not present in the preceding list.
  • The Invite Users feature is not supported within Azure AD Connect Health.

  1. After you assign permissions, a user can access Azure AD Connect Health by going here.
  2. On the blade, the user can pin the blade, or different parts of it, to the dashboard. Simply click the Pin to dashboard icon.

Note

A user with the Reader role assigned is not able to get Azure AD Connect Health extension from the Azure Marketplace. The user cannot perform the necessary "create" operation to do so. The user can still get to the blade by going to the preceding link. For subsequent usage, the user can pin the blade to the dashboard.

Remove users or groups

You can remove a user or a group added to Azure AD Connect Health and Azure RBAC. Simply right-click the user or group, and select Remove.

Next steps

  • Azure AD Connect Health
  • Azure AD Connect Health Agent installation
  • Using Azure AD Connect Health with AD FS
  • Using Azure AD Connect Health for sync
  • Using Azure AD Connect Health with AD DS
  • Azure AD Connect Health FAQ
  • Azure AD Connect Health version history
