This document will walk you through installing and configuring the Azure AD Connect Health Agent for AD FS and sync.
[AZURE.NOTE]Remember that before you see any AD FS data in your instance of Azure AD Connect Health, you will need to install the Azure AD Connect Health Agent on your targeted servers. Be sure to complete the requirements here prior to installing the agent. You can download the agent here.
To start the agent installation, double-click on the .exe file that you downloaded. On the first screen, click Install.
Once the installation is finished, click Configure Now.
This will launch a command prompt followed by some PowerShell that will execute Register-AzureADConnectHealthADFSAgent. You will be prompted to sign in to Azure. Go ahead and sign in.
After signing in, PowerShell will continue. Once it completes you can close PowerShell and the configuration is complete.
At this point, the services should be started automatically and the agent will be now monitoring and gathering data. Be aware that you will see warnings in the PowerShell window if you have not met all of the pre-requisites that were outlined in the previous sections. Be sure to complete the requirements here prior to installing the agent. The following screenshot below is an example of these errors.
To verify the agent has been installed, open services and look for the following. These services should be running if you completed the configuration. Otherwise, they will not start until the configuration is complete.
- Azure AD Connect Health AD FS Diagnostics Service
- Azure AD Connect Health AD FS Insights Service
- Azure AD Connect Health AD FS Monitoring Service
For Windows Server 2008 R2 servers do the following:
- Ensure that the server is running at Service Pack 1 or higher.
- Turn off IE ESC for agent installation:
- Install Windows PowerShell 4.0 on each of the servers prior to installing the AD Health agent. To install Windows PowerShell 4.0:
- Install Microsoft .NET Framework 4.5 using the following link to download the offline installer.
- Install PowerShell ISE (From Windows Features)
- Install the Windows Management Framework 4.0.
- Install Internet Explorer version 10 or above on the server. This is required by the Health Service to authenticate you using your Azure Admin credentials.
- For additional information on installing Windows PowerShell 4.0 on Windows Server 2008 R2 see the wiki article here.
In order for the Usage Analytics feature to gather and analyze data, the Azure AD Connect Health agent needs the information in the AD FS Audit Logs. These logs are not enabled by default. This only applies to AD FS federation servers. You do not need to enable auditing on AD FS Proxy servers or Web Application Proxy servers. Use the following procedures to enable AD FS auditing and to locate the AD FS audit logs.
- Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
- Navigate to the Security Settings\Local Policies\User Rights Management folder, and then double-click Generate security audits.
- On the Local Security Setting tab, verify that the AD FS 2.0 service account is listed. If it is not present, click Add User or Group and add it to the list, and then click OK.
- Open a command prompt with elevated privileges and run the following command to enable auditing.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable - Close Local Security Policy, and then open the Management snap-in. To open the Management snap-in, click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
- In the Actions pane, click Edit Federation Service Properties.
- In the Federation Service Properties dialog box, click the Events tab.
- Select the Success audits and Failure audits check boxes.
- Click OK.
- Open Local Security Policy by opening Server Manager on the Start screen, or Server Manager in the taskbar on the desktop, then click Tools/Local Security Policy.
- Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.
- On the Local Security Setting tab, verify that the AD FS service account is listed. If it is not present, click Add User or Group and add it to the list, and then click OK.
- Open a command prompt with elevated privileges and run the following command to enable auditing:
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable. - Close Local Security Policy, and then open the AD FS Management snap-in (in Server Manager, click Tools, and then select AD FS Management).
- In the Actions pane, click Edit Federation Service Properties.
- In the Federation Service Properties dialog box, click the Events tab.
- Select the Success audits and Failure audits check boxes and then click OK.
- Open Event Viewer.
- Go to Windows Logs and select Security.
- On the right, click Filter Current Logs.
- Under Event Source, select AD FS Auditing.
[AZURE.WARNING] If you have a group policy that is disabling AD FS auditing then the Azure AD Connect Health Agent will not be able to collect information. Ensure that you don’t have a group policy that may be disabling auditing.
The Azure AD Connect Health agent for sync is installed automatically in the latest build of Azure AD Connect. To use Azure AD Connect for sync you will need to download the latest version of Azure AD Connect and install it. You can download the latest version here.
To verify the agent has been installed, open services and look for the following. These services should be running if you completed the configuration. Otherwise, they will not start until the configuration is complete.
- Azure AD Connect Health AadSync Insights Service
- Azure AD Connect Health AadSync Monitoring Service
[Azure.NOTE] Remember that using Azure AD Connect Health requires Azure AD Premium. If you do not have Azure AD Premium you will not be able to complete the configuration in the Azure portal. For more information see the requirements here.
You can configure Azure AD Connect Health Agents to work with an HTTP Proxy.
[AZURE.NOTE]
- Using “Netsh WinHttp set ProxyServerAddress” will not work as the agent uses System.Net to make web requests instead of Microsoft Windows HTTP Services.
- The configured Http Proxy address will be used to pass-through encrypted Https messages.
- Authenticated proxies (using HTTPBasic) are not supported.
You have the following options to configure Azure AD Connect Health Agent to use an HTTP Proxy.
[AZURE.NOTE] You must restart all Azure AD Connect Health Agent services for the proxy settings to be updated. Run the following command:
Restart-Service AdHealth*
You can import your Internet Explorer HTTP proxy settings and use them for Azure AD Connect Health Agents by executing the following PowerShell command on each server running the Health Agent.
Set-AzureAdConnectHealthProxySettings -ImportFromInternetSettings
You can import you WinHTTP proxy settings by executing the following PowerShell command on each server running the Health Agent.
Set-AzureAdConnectHealthProxySettings -ImportFromWinHttp
You can specify a proxy server manually by executing the following PowerShell command on each server running the Health Agent.
Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress address:port
Example: Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress myproxyserver:443
- "address" can be a DNS resolvable server name or an IPv4 address
- "port" can be omitted. If omitted then 443 is chosen as default port.
You can clear the existing proxy configuration by running the following command.
Set-AzureAdConnectHealthProxySettings -NoProxy
You can use the following command to read the currently configured proxy settings.
Get-AzureAdConnectHealthProxySettings