Microsoft recently announced the general availability of Azure AD Connect Health, a feature for monitoring the status of your synchronization or federation between on-premises Active Directory (AD) and the cloud-based Azure Active Directory (Azure AD).
The Value of a Healthy Azure AD Connection
Microsoft describes Azure AD Connect Health as a feature that:
… helps you monitor and gain insights into your on-premises identity infrastructure and the synchronization services
Azure AD is used by all of Microsoft’s enterprise cloud services, such as Azure and Office 365, to authenticate and authorize users — many people are unaware that they are using Azure AD’s free version when they deploy Office 365. We can synchronize identities and password hashes from on-premises AD to Azure AD to get single sign-on with Microsoft’s cloud services and with at least 2,800 third-party cloud services, too, including Microsoft competitors such as SAP, Google, and AWS. The means for enabling this are:
- Active Directory Federated Services (ADFS): A beast of a deployment for large enterprises. Azure AD connects to your domain/forest via ADFS to authenticate/authorize users.
- Azure AD Connect: A free, simple-to-deploy solution that scales well. It synchronizes usernames and password hashes to the cloud.
With single sign-on via Azure AD deployed, the health of these solutions becomes critical to the business; therefore, Microsoft created Azure AD Connect Health.
Azure AD Connect Health
This Azure AD synchronization and federation health monitoring solution from Microsoft is available to customers of Azure AD Premium.
There are two ways that you can connect your on-premises AD to Azure AD, and there are two ways to monitor the health of these connections.
Azure AD Connect Health for ADFS offers support for federated identity, based on ADFS 2.0 running on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. It also supports ADFS proxy or Web Application Proxy servers for extranet access. The features include:
- Alerts when ADFS and ADFS proxy servers are not healthy
- Email notifications for critical alerts
- Trends in performance data
- Usage analytics
- Reports for user activity
Azure AD Connect Health for sync, which is built into Azure AD Connect (you must be on a current version), is for anyone using Azure AD Connect to synchronize identities to the cloud, sometimes referred to as shared sign-on. It offers the following features:
- Monitoring and alerts to know if an Azure AD Connect server is not healthy
- Email alerts for critical alerts
- Sync operational insights
- Quick glance information about properties and recent jobs
- Information about object-level sync errors, which does not require Azure AD Premium
Azure AD Connect Health for Active Directory Domain Services Preview
Azure AD Connect Health does not only monitor the health of your connection to Azure AD: Microsoft has also added a preview for monitoring the health of on-premises domains, Azure AD Connect Health for Active Directory Domain Services (ADDS), covering a critical element of the total identity solution. The preview supports:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Between OMS, Azure AD Connect Health, Azure AD Connect Health for ADDS, and System Center Operations Manager (SCOM), we will have an abundance of identity monitoring solutions from Microsoft.