Enterprise Mobility and Security Blog

RSS

Hey y’all, Mark Morowczynski here with another Friday mailbag. After our Azure AD Connect Health blog post we thought it might be a good time and re-visit some questions you may have around Azure AD Connect Health for ADFS. If you give it a try let us know in the comments what you think we’d love to get your feedback. As always if you have topics and areas you’d like us to cover feel free to reach out Twitter @AzureAD, @MarkMorow and @Alex_A_Simons. Question time!

Question: I’m trying to install Azure AD Connect Health for ADFS with my MSA account and I keep getting an error similar to “AuthorizationFailed”,”message”:”The client ‘live.com#XXX@XXX.XX’ with object id ” does not have authorization to perform action ‘Microsoft.ADHybridHealthService/services/action’ over scope ‘/providers/Microsoft.ADHybridHealthService’.” What permissions do I need?

Answer: You can’t use a Microsoft Account (e.g user@hotmail.com). You have to install Azure AD Connect Health with an organizational account (user@domain.com or user@domain.onmicrosoft.com) that is a Global Admin or has Owner or Contributor privileges configured by the Global Admin using Role Based Access Control within Connect Health.

Question: Does the account used to configure Connect Health agent for ADFS used after configuration? What if the password for that account expires?

Answer: The account used to configure Connect Health agents is only used to bootstrap the agent and is not used after that. The health agent will continue to work without that account.

Question: Do I need to configure the auditing settings listed here on all of my ADFS servers or just one?

Answer: You would need to configure the auditing settings for all of the ADFS servers in the farm. Connect Health usage analytics and reports use this data stream to present the information.

Question: Do I need to configure the auditing settings on for the WAP and ADFS servers or just the ADFS servers?

Answer: You only need to enable the auditing on the ADFS servers. You should install the agent on both the WAP and the ADFS.

Question: How often does the AAD Connect Health Agent report back to Azure AD?

Answer: Every 15 mins for auditing events, every 30 mins for everything else.

Question: In the Monitoring section for the ADFS service there is Token Requests /sec for the last 24 hours. Are there any other charts and how do I access them?

Answer: Yes, there is a wealth of information available to you. When you click on the monitoring chart it will open up a new blade. You can then RIGHT CLICK on the chart and select “Edit Chart”. There you’ll be able to select different metrics and change the time range. This also applies to the Usage Analytics chart as well to give you a few more choices of data. See AD FS Usage Analytics and Performance Monitoring sections for more details.

clip_image002

clip_image004

Question: I see the alert that says “Health service data is not up to date.” What should do?

Answer: This alert is generated when the health service does not receive required data to assess the health of your identity services. You need to ensure that the enlisted servers are able to communicate with the service. This could happen because of multiple reasons including outbound firewall restrictions, network connectivity issues, proxy configuration issues etc.

The agent installs a utility to test connectivity with the service which can be invoked by the following PowerShell command which takes Role as a parameter.

Test-AzureADConnectHealthConnectivity -Role Adfs

More information about this utility can be found here.

We hope you’ve found this post and this series to be helpful. For any questions you can reach us at AskAzureADBlog@microsoft.com, the Microsoft Forums and on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons

-Mark Morowczynski and Varun Karandikar