Monitor your Hybrid Identity scenarios using Azure AD Connect Health

Microsoft has released some new public preview features, including Azure AD Connect Health. This preview release focuses on hybrid identity scenarios and mainly on Active Directory Federation Services (AD FS). Azure AD Connect Health gives customers and users detailed insight into how their AD FS environment is performing, including the number of authentication attempts, usage and so on. This blog goes into more detail on what this feature brings and how you can enable it in your environment.

Over the last couple of months Microsoft has been working hard to bring more monitoring services to its cloud platform, Microsoft Azure. Application Insights and Operational Insights are the main services at this moment, although the latter is still in public preview. These tools give a good status overview of the infrastructure and the applications running on it, but they do not provide any monitoring capabilities for the identity platform. This is where Azure AD comes in. Azure AD does provide reporting on, for example, password resets, suspicious sign-in activity and application usage. These are really useful features if you use Azure AD as the identity provider for your environment and your applications are connected directly to Azure AD, as SaaS applications, as applications published through Application Proxy or as organizational apps. At this point in time, however, the most common scenario is a hybrid identity platform in which AD FS plays an important role. In my opinion this is the main reason Connect Health was introduced. Another important reason is the key role AD FS has in some environments: an outage of AD FS may mean losing access to some or even all applications, which in some cases are business critical. That places a lot of responsibility on the IT organization, in particular because it has no extra tooling to get information about the performance or usage of its identity environment. Azure AD Connect Health provides these insights to give you more control.

Azure AD Connect Health provides the following capabilities:

  • Alerts based on events.
  • Login activity and usage per application.
  • Performance of the servers.

To use Azure AD Connect Health you must have an Azure AD Premium license activated; for test purposes you can simply use the 90-day trial.

Now let's start by configuring Azure AD Connect Health in our test environment. For the steps below I assume you already have an AD FS server and an AD FS Proxy / Web Application Proxy in place.

First of all, log in to the new Azure portal at https://portal.azure.com. In this new portal you can select the Azure Marketplace, where you can find various services related to the Azure platform. In this case we search for the Azure AD Connect Health service and add it to the environment.

Now you can open the Azure AD Connect Health overview page, where you can Quick Start the configuration. In the Quick Start menu the download link (Get Tools) is available to download the agent.

Now install the agent on both servers by running the installer.

When the installation has completed successfully, you need to do some extra steps on the AD FS server. I ran into some registration errors myself before I realized I had to do this extra configuration to make it work. These extra steps are described later in this blog and do not apply to the proxy server. First we complete the registration of the proxy server by running the Register-ADHealthAgent cmdlet in a PowerShell window.

When you run the cmdlet, a login window pops up where you sign in with an Azure AD Global Admin account.

When authentication succeeds, the registration of the agent finishes after a few seconds.

For the AD FS server you need to enable the AD FS audit logs. These are not enabled by default, so you need to go through some extra steps:

  1. Open Local Security Policy: open Server Manager from the Start screen or from the taskbar on the desktop, then click Tools/Local Security Policy.
  2. Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.
  3. On the Local Security Setting tab, verify that the AD FS service account is listed. If it is not present, click Add User or Group, add it to the list, and then click OK. (In the example my service account is broek\svc-adfs$.)
  4. Open a command prompt with elevated privileges and run the following command to enable auditing: auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  5. Close Local Security Policy, and then open the AD FS Management snap-in (in Server Manager, click Tools, and then select AD FS Management).
  6. In the Actions pane, click Edit Federation Service Properties.
  7. In the Federation Service Properties dialog box, click the Events tab.
  8. Select the Success audits and Failure audits check boxes and then click OK.

When you have completed these extra steps, you can run the Register-ADHealthAgent PowerShell cmdlet to complete the registration of the AD FS server. Keep in mind that a user right granted to the service account only reaches the AD FS service after that service has been restarted.
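The same prerequisites, scripted and verified from PowerShell, as an added example that is not part of the original post. It assumes Windows Server 2012 R2 with the ADFS module available, an elevated prompt on the AD FS server, and a placeholder service account name (BROEK\svc-adfs$) that you replace with your own. It grants the user right through secedit (the same setting the Local Security Policy console writes), adds the two audit levels to the existing LogLevel list with Set-AdfsProperties instead of the Events tab, and prints a summary you can check before running the registration cmdlet.

```powershell
# Added example, not part of the original post: scripts the audit prerequisites for the
# Connect Health agent on an AD FS server and verifies them afterwards. Run it from an
# elevated PowerShell prompt on the AD FS server (Windows Server 2012 R2 in this post).
# $ServiceAccount is an assumption: replace it with your own AD FS service account
# (a gMSA name ends with $).
param(
    [string]$ServiceAccount = 'BROEK\svc-adfs$'
)
$ErrorActionPreference = 'Stop'

function Get-SeAuditPrivilegeLine {
    # Exports the local user rights with secedit (what Local Security Policy edits)
    # and returns the SeAuditPrivilege line, e.g. "SeAuditPrivilege = *S-1-5-19,*S-1-5-20".
    $exportFile = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $exportFile /areas USER_RIGHTS | Out-Null
    Get-Content $exportFile | Where-Object { $_ -match '^SeAuditPrivilege\s*=' } | Select-Object -First 1
}

# 1. "Generate security audits" (SeAuditPrivilege) for the AD FS service account (steps 1-3).
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$line    = Get-SeAuditPrivilegeLine
$hasIt   = '\*' + [regex]::Escape($sid) + '(,|\s*$)'   # whole SID, not a prefix of another one

if ($line -and ($line -match $hasIt)) {
    Write-Host "SeAuditPrivilege already granted to $ServiceAccount"
} else {
    # secedit replaces the complete list for a right, so keep the existing holders.
    $newLine = if ($line) { "$line,*$sid" } else { "SeAuditPrivilege = *$sid" }
    $inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
{0}
'@ -f $newLine
    $infFile = Join-Path $env:TEMP 'seaudit.inf'
    $dbFile  = Join-Path $env:TEMP 'seaudit.sdb'
    Set-Content -Path $infFile -Value $inf -Encoding Unicode
    secedit /configure /db $dbFile /cfg $infFile /areas USER_RIGHTS | Out-Null
    Write-Host "Granted SeAuditPrivilege to $ServiceAccount"
}

# 2. Turn on the "Application Generated" audit subcategory (step 4 in the post).
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null

# 3. Have AD FS write success and failure audits (steps 5-8 in the post), keeping
#    whatever log levels are already configured.
Import-Module ADFS
$levels = @((Get-AdfsProperties).LogLevel) + @('SuccessAudits', 'FailureAudits') |
          Select-Object -Unique
Set-AdfsProperties -LogLevel $levels

# 4. A newly granted user right only reaches the service token after a restart.
Restart-Service -Name adfssrv

# 5. Verify all three settings before running the registration cmdlet.
$auditRow = auditpol.exe /get /subcategory:"Application Generated" /r | ConvertFrom-Csv
[pscustomobject]@{
    ServiceAccount       = $ServiceAccount
    SeAuditPrivilege     = [bool]((Get-SeAuditPrivilegeLine) -match $hasIt)
    ApplicationGenerated = $auditRow.'Inclusion Setting'   # expect "Success and Failure"
    AdfsLogLevel         = (Get-AdfsProperties).LogLevel -join ','
}
```

When the summary shows SeAuditPrivilege as True, "Success and Failure" for the subcategory and both SuccessAudits and FailureAudits in the AD FS log level, the agent registration described above should go through without the errors mentioned earlier.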

Now you have configured the agents on both the AD FS server and the proxy server, and the environment can be monitored by the Azure AD Connect Health service. You can go back to the overview page in the portal, where you will find the various graphs and logs about your AD FS environment.

One of the key advantages of this service is that you now have a single overview of all the certificates used within the environment. Here you can check the properties of every certificate in use and when it will expire, which matters because an expired token-signing, token-decrypting or SSL certificate takes the whole federation service down.

In the alert overview you directly find all warnings and errors for the individual servers:

You can also get a quick overview of which updates are installed and which are missing:

The monitoring graph shows your login and usage activity per application:

In my case this does not contain much data yet, but in a production environment it gives you a good overview of which applications are heavily used and which are not.

In my opinion this service brings a lot of control to your Hybrid Identity scenarios by providing just the extra monitoring capabilities you need, on top of the services that already exist on the Azure platform.

That is it for now. Stay tuned for another blog!