Azure AD Connect Health agent

Azure AD Connect Health is a very useful monitoring tool that provides monitoring capabilities for the Azure AD Connect sync engine, Active Directory Federation Services (ADFS) and Active Directory Domain Services (ADDS).

When implemented, the Azure AD Connect Health agent sends monitoring data from on-premises to the cloud, where it is visible in the Azure AD Connect Health blade. In practice, in a hybrid identity architecture the health state of most critical components can be viewed from a single blade (depending slightly on the scenario).

There are various reasons why the AAD Connect Health monitoring agent doesn't work anymore. Potential reasons are:

  • Server has been deleted
  • Server has been marked as inactive in AAD Connect Data Retention Policy

Remediation

There are two options to fix this problem:

  • Install the newest version of the monitoring agent
  • Re-register the monitoring agent

In my example I'll use the latter one, re-registering the monitoring agents with PowerShell. In my environment I have AAD Connect Sync and Domain Services monitored, and the commands are:

  • Register-AzureADConnectHealthADDSAgent
  • Register-AzureADConnectHealthSyncAgent

Voila! After re-registration, the monitoring data from my environment is visible in Azure AD Health blade again.

Hope this helps! Until next time 🙂
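
The re-registration step from the post above, wrapped with a before-and-after check of the agent's Windows services. This is an added example, not code from the original post; the function names are hypothetical, and finding the services by the display-name prefix "Azure AD Connect Health" is an assumption based on the AD FS service names listed elsewhere on this page.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the server whose agent stopped reporting.

function Get-HealthAgentService {
    # Assumption: every health agent service uses this display-name prefix,
    # as the AD FS services listed on this page do.
    Get-Service -DisplayName 'Azure AD Connect Health*' -ErrorAction SilentlyContinue
}

function Invoke-HealthAgentReRegistration {
    [CmdletBinding()]
    param(
        # Roles monitored on this server; the post's environment uses ADDS and Sync.
        [ValidateSet('ADDS', 'Sync', 'ADFS')]
        [string[]]$Role = @('ADDS', 'Sync')
    )

    # Registration cmdlets named on this page, keyed by role.
    $registerCmdlet = @{
        ADDS = 'Register-AzureADConnectHealthADDSAgent'
        Sync = 'Register-AzureADConnectHealthSyncAgent'
        ADFS = 'Register-AzureADConnectHealthADFSAgent'
    }

    # Re-registration only helps if the agent is still installed.
    if (@(Get-HealthAgentService).Count -eq 0) {
        Write-Warning 'No Azure AD Connect Health services found; install the agent first.'
        return
    }

    Write-Host 'Agent services before re-registration:'
    Get-HealthAgentService | Format-Table DisplayName, Status -AutoSize | Out-Host

    foreach ($r in $Role) {
        $name = $registerCmdlet[$r]
        if (-not (Get-Command -Name $name -ErrorAction SilentlyContinue)) {
            Write-Warning "$name not found; the $r health agent is not installed on this server."
            continue
        }
        # The cmdlet prompts for an Azure AD sign-in. Per the requirements on this
        # page the account must be a work or school account, not a Microsoft account.
        Write-Host "Re-registering the $r agent..."
        & $name
    }

    # After a successful registration the agent services should be running.
    $notRunning = @(Get-HealthAgentService | Where-Object { $_.Status -ne 'Running' })
    if ($notRunning.Count -gt 0) {
        Write-Warning 'These agent services are still not running:'
        $notRunning | Format-Table DisplayName, Status -AutoSize | Out-Host
    }
    else {
        Write-Host 'All Azure AD Connect Health services are running.'
    }
}

# Usage, matching the post's environment:
# Invoke-HealthAgentReRegistration -Role ADDS, Sync
```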

Source: https://samilamppu.com//04/15/how-to-fix-unmonitored-azure-ad-connect-health-status/

What is Azure AD Connect?

Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides the following features:

  • Password hash synchronization - A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD.
  • Pass-through authentication - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.
  • Federation integration - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
  • Synchronization - Responsible for creating users, groups, and other objects, and for making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.
  • Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.

What is Azure AD Connect Health?

Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible.

The information is presented in the Azure AD Connect Health portal. Use the Azure AD Connect Health portal to view alerts, performance monitoring, usage analytics, and other information. Azure AD Connect Health enables the single lens of health for your key identity components in one place.

Why use Azure AD Connect?

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. Users and organizations can take advantage of:

  • Users can use a single identity to access on-premises applications and cloud services such as Microsoft
  • Single tool to provide an easy deployment experience for synchronization and sign-in.
  • Provides the newest capabilities for your scenarios. Azure AD Connect replaces older versions of identity integration tools such as DirSync and Azure AD Sync. For more information, see Hybrid Identity directory integration tools comparison.

Why use Azure AD Connect Health?

When authenticating with Azure AD, your users are more productive because there's a common identity to access both cloud and on-premises resources. Ensuring the environment is reliable, so that users can access these resources, becomes a challenge. Azure AD Connect Health helps monitor and gain insights into your on-premises identity infrastructure thus ensuring the reliability of this environment. It is as simple as installing an agent on each of your on-premises identity servers.

Azure AD Connect Health for AD FS supports AD FS on Windows Server R2, Windows Server , Windows Server R2 and Windows Server It also supports monitoring the AD FS proxy or web application proxy servers that provide authentication support for extranet access. With an easy and quick installation of the Health Agent, Azure AD Connect Health for AD FS provides you a set of key capabilities.

Key benefits and best practices:

License requirements for using Azure AD Connect

Using this feature is free and included in your Azure subscription.

License requirements for using Azure AD Connect Health

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect

Azure AD Connect Health: Version Release History

The Azure Active Directory team regularly updates Azure AD Connect Health with new features and functionality. This article lists the versions and features that have been released.

Note

Connect Health agents are updated automatically when a new version is released. Please ensure the auto-upgrade setting is enabled from the Azure portal.

Azure AD Connect Health for Sync is integrated with Azure AD Connect installation. Read more about Azure AD Connect release history. For feature feedback, vote at the Connect Health User Voice channel.

September

Agent Update

  • Azure AD Connect Health agent for AD FS (version )
    • Fix to extract device information such as device compliance and managed status, device OS, and device OS version from AD FS audits in certain device based authentication scenarios.
    • Fix to populate OAuth Application info in failure cases and categorizing OAuth failures with more specific error codes
    • Fix for alerts on broken WMI calls on the customer machine. For such calls, the result/status is now set to "notRun".

May

Agent Update

  • Azure AD Connect Health agent for AD FS (version )
    • Fix for low unique user count value in AD FS application activity report
    • Fix for sign-ins with empty or default GUID CorrelationId

March

Agent Update

  • Azure AD Connect Health agent for AD FS (version )

    • Fix to resolve NT4 formatted username to a UPN during sign-in events.
    • Fix to identify incorrect application identifier scenarios with a dedicated error code.
    • Changes to add a new property for OAuth client identifier.
    • Fix to display correct values in the Protocol and Authentication Type fields in Azure AD Sign-In Report for certain sign-in scenarios.
    • Fix to display IP addresses in Azure AD Sign-In Report's IP chain field in order of the request.
    • Changes to introduce a new field to differentiate if secondary authentication was requested during a sign-in.
    • Fix for AD FS application identifier property to display in Azure AD Sign-In Report.

April

Agent Update

  • Azure AD Connect Health agent for AD FS (version )

    • Bug fix for “Invalid Service Principal Name (SPN) for AD FS service” alert, for which the alert was reporting incorrectly.

July

Agent Update

  • Azure AD Connect Health agent for AD FS (version )

    1. Text change in TestWindowsTransport
    2. Changes for AD FS RP upload
  • Azure AD Connect Health agent for AD FS (version )

    1. Add TestWindowsTransport test and remove WsTrust endpoints checks in CheckOfficeEndpoints test
    2. Log OS and .NET information
    3. Increase RP configuration message upload size to 1MB.
    4. Bug fixes
  • Azure AD Connect Health agent for AD DS (version )

    1. Log OS and .NET information
    2. Bug fixes

May

Agent Update:

  • Azure AD Connect Health agent for AD FS (version )
    1. Bug fix to distinguish between multiple sign ins that share the same client-request-id.
    2. Bug fix to parse bad username/password errors on language localized servers.

April

Agent Update:

  • Azure AD Connect Health agent for AD FS (version )
    1. Fix Check Duplicate SPN alert process for ADFS

March

Agent Update:

  • Azure AD Connect Health agent for AD DS (version )

    1. .NET version collection
    2. Improvement of performance counter collection when missing certain categories
    3. Bug fix on preventing spawning of multiple Monitoring Agent instances
  • Azure AD Connect Health agent for AD FS (version )

    1. Integrate and upgrade of AD FS test scripts using ADFSToolBox
    2. Implement .NET version collection
    3. Improvement of performance counter collection when missing certain categories
    4. Bug fix on preventing spawning of multiple Monitoring Agent instances

November

New GA features:

  • Azure AD Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal

Agent Update:

  • Azure AD Connect Health agent for AD DS (version )

    1. Transport Layer Security (TLS) protocol version compliance and enforcement
    2. Reduce Global Catalog alert noise
    3. Health agent registration bug fixes
  • Azure AD Connect Health agent for AD FS (version )

    1. Transport Layer Security (TLS) protocol version compliance and enforcement
    2. Support of Test-ADFSRequestToken for localized operating system
    3. Solved diagnostic agent EventHandler locking issue
    4. Health agent registration bug fixes

August

June

New preview features:

  • Azure AD Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal

Agent Update:

May

Agent Update:

  • Azure AD Connect Health agent for AD DS (version )

    1. Agent privacy improvement
    2. Bug fixes and general improvements
  • Azure AD Connect Health agent for AD FS (version )

    1. Agent Diagnostics Service and related PowerShell module improvements
    2. Agent privacy improvement
    3. Bug fixes and general improvements
  • Azure AD Connect Health agent for Sync (version ) released with Azure AD Connect version

    1. Agent privacy improvement
    2. Bug fixes and general improvements

March

New preview features:

  • Azure AD Connect Health for AD FS - Risky IP report and alert.

Agent Update:

  • Azure AD Connect Health agent for AD DS (version )
    1. Agent availability improvements
    2. Bug fixes and general improvements
  • Azure AD Connect Health agent for AD FS (version )
    1. Agent availability improvements
    2. Bug fixes and general improvements
  • Azure AD Connect Health agent for Sync (version ) released with Azure AD Connect version
    1. Agent availability improvements
    2. Bug fixes and general improvements

December

Agent Update:

  • Azure AD Connect Health agent for AD DS (version )
    1. Agent availability improvements
    2. Added new agent troubleshooting commands
    3. Bug fixes and general improvements
  • Azure AD Connect Health agent for AD FS (version )
    1. Added new agent troubleshooting commands
    2. Agent availability improvements
    3. Bug fixes and general improvements

October

Agent Update:

  • Azure AD Connect Health agent for Sync (version ) released with Azure AD Connect version

    Fixed a version compatibility issue between Azure AD Connect and Azure AD Connect Health Agent for Sync. This issue affects customers who are performing Azure AD Connect in-place upgrade to version , but currently has Health Agent version After the upgrade, the Health Agent can no longer send health data about Azure AD Connect Synchronization Service to Azure AD Health Service. With this fix, Health Agent version is installed during Azure AD Connect in-place upgrade. Health Agent version does not have compatibility issue with Azure AD Connect version

July

Agent Update:

  • Azure AD Connect Health agent for AD DS (version )
    1. Bug fixes and general improvements
    2. Sovereign cloud support
  • Azure AD Connect Health agent for AD FS (version )
    1. Bug fixes and general improvements
    2. Sovereign cloud support
  • Azure AD Connect Health agent for Sync (version ) released with Azure AD Connect version
    1. Support for Microsoft Azure Government Cloud and Microsoft Cloud Germany

April

Agent Update:

  • Azure AD Connect Health agent for AD FS (version )
    1. Bug fixes and general improvements
  • Azure AD Connect Health agent for AD DS (version )
    1. Performance counters upload improvements
    2. Bug fixes and general improvements

October

Agent Update:

  • Azure AD Connect Health agent for AD FS (version )
    • Improvements in detecting client IP addresses in authentication requests
    • Bug fixes related to Alerts
  • Azure AD Connect Health agent for AD DS (version )
    • Bug fixes related to Alerts
  • Azure AD Connect Health agent for Sync (version ) released with Azure AD Connect version
    • Provide the required data for the Synchronization Error Reports
    • Bug fixes related to Alerts

New preview features:

  • Synchronization Error Reports for Azure AD Connect

New features:

  • Azure AD Connect Health for AD FS - IP address field is available in the report about top 50 users with bad username/password.

July

New preview features:

January

Agent Update:

  • Azure AD Connect Health agent for AD FS (version )

New features:

November

New features:

New preview features:

Fixed issues:

  • Bug fixes for errors seen during agent registrations.

September

New features:

  • Wrong Username password report for AD FS
  • Support to configure Unauthenticated HTTP Proxy
  • Support to configure agent on Server core
  • Improvements to Alerts for AD FS
  • Improvements in Azure AD Connect Health Agent for AD FS for connectivity and data upload.

Fixed issues:

  • Bug fixes in Usage Insights for AD FS Error types.

June

Initial release of Azure AD Connect Health for AD FS and AD FS Proxy.

New features:

  • Alerts for monitoring AD FS and AD FS Proxy servers with email notifications.
  • Easy access to AD FS topology and patterns in AD FS Performance Counters.
  • Trend in successful token requests on AD FS servers grouped by Applications, Authentication Methods, Request Network Location etc.
  • Trends in failed request on AD FS servers grouped by Applications, Error Types etc.
  • Simpler Agent Deployment using Azure AD Global Admin credentials.

Next steps

Learn more about Monitor your on-premises identity infrastructure and synchronization services in the cloud.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-health-version-history

Using Azure AD Connect Health with AD DS

The following documentation is specific to monitoring Active Directory Domain Services with Azure AD Connect Health. The supported versions of AD DS are: Windows Server R2, Windows Server , Windows Server R2, and Windows Server

For more information on monitoring AD FS with Azure AD Connect Health, see Using Azure AD Connect Health with AD FS. Additionally, for information on monitoring Azure AD Connect (Sync) with Azure AD Connect Health see Using Azure AD Connect Health for Sync.

Alerts for Azure AD Connect Health for AD DS

The Alerts section within Azure AD Connect Health for AD DS provides you a list of active and resolved alerts related to your domain controllers. Selecting an active or resolved alert opens a new blade with additional information, along with resolution steps and links to supporting documentation. Each alert type can have one or more instances, which correspond to each of the domain controllers affected by that particular alert. Near the bottom of the alert blade, you can double-click an affected domain controller to open an additional blade with more details about that alert instance.

Within this blade, you can enable email notifications for alerts and change the time range in view. Expanding the time range allows you to see prior resolved alerts.

Domain Controllers Dashboard

This dashboard provides a topological view of your environment, along with key operational metrics and health status of each of your monitored domain controllers. The presented metrics help to quickly identify any domain controllers that might require further investigation. By default, only a subset of the columns is displayed. However, you can find the entire set of available columns by double-clicking the columns command. Selecting the columns that you most care about turns this dashboard into a single and easy place to view the health of your AD DS environment.

Domain controllers can be grouped by their respective domain or site, which is helpful for understanding the environment topology. Lastly, if you double-click the blade header, the dashboard maximizes to utilize the available screen real-estate. This larger view is helpful when multiple columns are displayed.

Replication Status Dashboard

This dashboard provides a view of the replication status and replication topology of your monitored domain controllers. The status of the most recent replication attempt is listed, along with helpful documentation for any error that is found. You can double-click a domain controller with an error, to open a new blade with information such as: details about the error, recommended resolution steps, and links to troubleshooting documentation.

Monitoring

This feature provides graphical trends of different performance counters, which are continuously collected from each of the monitored domain controllers. Performance of a domain controller can easily be compared across all other monitored domain controllers in your forest. Additionally, you can see various performance counters side by side, which is helpful when troubleshooting issues in your environment.

By default, we have preselected four performance counters; however, you can include others by clicking the filter command and selecting or deselecting any desired performance counters. Additionally, you can double-click a performance counter graph to open a new blade, which includes data points for each of the monitored domain controllers.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-adds

Azure Active Directory Connect Health operations

This topic describes the various operations you can perform by using Azure Active Directory (Azure AD) Connect Health.

Enable email notifications

You can configure the Azure AD Connect Health service to send email notifications when alerts indicate that your identity infrastructure is not healthy. This occurs when an alert is generated, and when it is resolved.

Note

Email notifications are enabled by default.

To enable Azure AD Connect Health email notifications

  1. In the Azure Portal, search for Azure AD Connect Health.
  2. Select Sync errors.
  3. Select Notification Settings.
  4. At the email notification switch, select ON.
  5. Select the check box if you want all global administrators to receive email notifications.
  6. If you want to receive email notifications at any other email addresses, specify them in the Additional Email Recipients box. To remove an email address from this list, right-click the entry and select Delete.
  7. To finalize the changes, click Save. Changes take effect only after you save.

Note

When there are issues processing synchronization requests in our backend service, this service sends a notification email with the details of the error to the administrative contact email address(es) of your tenant. We heard feedback from customers that in certain cases the volume of these messages is prohibitively large so we are changing the way we send these messages.

Instead of sending a message for every sync error every time it occurs we will send out a daily digest of all errors the backend service has returned. This enables customers to process these errors in a more efficient manner and reduces the number of duplicate error messages.

Delete a server or service instance

Note

Azure AD premium license is required for the deletion steps.

In some instances, you might want to remove a server from being monitored. Here's what you need to know to remove a server from the Azure AD Connect Health service.

When you're deleting a server, be aware of the following:

  • This action stops collecting any further data from that server. This server is removed from the monitoring service. After this action, you are not able to view new alerts, monitoring, or usage analytics data for this server.
  • This action does not uninstall the Health Agent from your server. If you have not uninstalled the Health Agent before performing this step, you might see errors related to the Health Agent on the server.
  • This action does not delete the data already collected from this server. That data is deleted in accordance with the Azure data retention policy.
  • After performing this action, if you want to start monitoring the same server again, you must uninstall and reinstall the Health Agent on this server.

Delete a server from the Azure AD Connect Health service

Azure AD Connect Health for Active Directory Federation Services (AD FS) and Azure AD Connect (Sync):

  1. Open the Server blade from the Server List blade by selecting the server name to be removed.
  2. On the Server blade, from the action bar, click Delete.
  3. Confirm by typing the server name in the confirmation box.
  4. Click Delete.

Azure AD Connect Health for Azure Active Directory Domain Services:

  1. Open the Domain Controllers dashboard.
  2. Select the domain controller to be removed.
  3. From the action bar, click Delete Selected.
  4. Confirm the action to delete the server.
  5. Click Delete.

Delete a service instance from Azure AD Connect Health service

In some instances, you might want to remove a service instance. Here's what you need to know to remove a service instance from the Azure AD Connect Health service.

When you're deleting a service instance, be aware of the following:

  • This action removes the current service instance from the monitoring service.
  • This action does not uninstall or remove the Health Agent from any of the servers that were monitored as part of this service instance. If you have not uninstalled the Health Agent before performing this step, you might see errors related to the Health Agent on the servers.
  • All data from this service instance is deleted in accordance with the Azure data retention policy.
  • After performing this action, if you want to start monitoring the service, uninstall and reinstall the Health Agent on all the servers. After performing this action, if you want to start monitoring the same server again, uninstall, reinstall, and register the Health Agent on that server.

To delete a service instance from the Azure AD Connect Health service

  1. Open the Service blade from the Service List blade by selecting the service identifier (farm name) that you want to remove.
  2. On the Service blade, from the action bar, click Delete.
  3. Confirm by typing the service name in the confirmation box (for example: sts.contoso.com).
  4. Click Delete.

Manage access with Azure RBAC

Azure role-based access control (Azure RBAC) for Azure AD Connect Health provides access to users and groups other than global administrators. Azure RBAC assigns roles to the intended users and groups, and provides a mechanism to limit the global administrators within your directory.

Roles

Azure AD Connect Health supports the following built-in roles:

  • Owner: Owners can manage access (for example, assign a role to a user or group), view all information (for example, view alerts) from the portal, and change settings (for example, email notifications) within Azure AD Connect Health. By default, Azure AD global administrators are assigned this role, and this cannot be changed.
  • Contributor: Contributors can view all information (for example, view alerts) from the portal, and change settings (for example, email notifications) within Azure AD Connect Health.
  • Reader: Readers can view all information (for example, view alerts) from the portal within Azure AD Connect Health.

All other roles (such as User Access Administrators or DevTest Labs Users) have no impact to access within Azure AD Connect Health, even if the roles are available in the portal experience.

Access scope

Azure AD Connect Health supports managing access at two levels:

  • All service instances: This is the recommended path in most cases. It controls access for all service instances (for example, an AD FS farm) across all role types that are being monitored by Azure AD Connect Health.
  • Service instance: In some cases, you might need to segregate access based on role types or by a service instance. In this case, you can manage access at the service instance level.

Permission is granted if an end user has access either at the directory or service instance level.

Allow users or groups access to Azure AD Connect Health

The following steps show how to allow access.

Step 1: Select the appropriate access scope

To allow a user access at the all service instances level within Azure AD Connect Health, open the main blade in Azure AD Connect Health.

Step 2: Add users and groups, and assign roles

  1. From the Configure section, click Users.
  2. Select Add.
  3. In the Select a role pane, select a role (for example, Owner).
  4. Type the name or identifier of the targeted user or group. You can select one or more users or groups at the same time. Click Select.
  5. Select OK.
  6. After the role assignment is complete, the users and groups appear in the list.

Now the listed users and groups have access, according to their assigned roles.

Note

  • Global administrators always have full access to all the operations, but global administrator accounts are not present in the preceding list.
  • The Invite Users feature is not supported within Azure AD Connect Health.

Step 3: Share the blade location with users or groups

  1. After you assign permissions, a user can access Azure AD Connect Health by going here.
  2. On the blade, the user can pin the blade, or different parts of it, to the dashboard. Simply click the Pin to dashboard icon.

Note

A user with the Reader role assigned is not able to get Azure AD Connect Health extension from the Azure Marketplace. The user cannot perform the necessary "create" operation to do so. The user can still get to the blade by going to the preceding link. For subsequent usage, the user can pin the blade to the dashboard.

Remove users or groups

You can remove a user or a group added to Azure AD Connect Health and Azure RBAC. Simply right-click the user or group, and select Remove.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-operations

Azure AD Connect Health Agent Installation

This document will walk you through installing and configuring the Azure AD Connect Health Agents. You can download the agents from here.

Requirements

The following is a list of requirements for using Azure AD Connect Health.

  • Azure AD Premium: Azure AD Connect Health is an Azure AD Premium feature and requires Azure AD Premium.
    For more information see Getting started with Azure AD Premium.
    To start a free 30 day trial see Start a trial.
  • You must be a global administrator of your Azure AD to get started with Azure AD Connect Health: By default, only the global administrators can install and configure the health agents to get started, access the portal and perform any operations within Azure AD Connect Health. For additional information see Administering your Azure AD directory.
    Using Role Based Access Control you can allow access to Azure AD Connect Health to other users in your organization. For more information see Role Based Access Control for Azure AD Connect Health.
    Important: The account you use when installing the agents must be a work or school account and cannot be a Microsoft account. For more information see Sign up for Azure as an organization.
  • The Azure AD Connect Health Agent is installed on each targeted server: Azure AD Connect Health requires that an agent be installed on targeted servers in order to provide the data that is viewed in the portal.
    For example, in order to get data on your AD FS on-premises infrastructure, the agent must be installed on the AD FS servers, AD FS Proxy servers and Web Application Proxy servers. Similarly, to get data on your on-premises AD DS infrastructure, the agent must be installed on the domain controllers.
    Important: The account you use when installing the agents must be a work or school account and cannot be a Microsoft account. For more information see Sign up for Azure as an organization.
  • Outbound connectivity to the Azure service endpoints: During installation and runtime, the agent requires connectivity to the Azure AD Connect Health service end points listed below. If you block outbound connectivity make sure that the following are added to the allowed list:
    • *.blob.core.windows.net
    • *.queue.core.windows.net
    • adhsprodwus.servicebus.windows.net - Port:
    • https://management.azure.com
    • https://s1.adhybridhealth.azure.com/
    • https://policykeyservice.dc.ad.msft.net/
    • https://login.windows.net
    • https://login.microsoftonline.com
    • https://secure.aadcdn.microsoftonline-p.com
  • Firewall ports on the server running the agent: The agent requires the following firewall ports to be open in order for the agent to communicate with the Azure AD Health service endpoints.
    • TCP/UDP port
    • TCP/UDP port
  • Allow the following websites if IE Enhanced Security is enabled: The following websites need to be allowed if IE Enhanced Security is enabled on the server that is going to have the agent installed.
    • https://login.microsoftonline.com
    • https://secure.aadcdn.microsoftonline-p.com
    • https://login.windows.net
    • The federation server for your organization trusted by Azure Active Directory. For example: https://sts.contoso.com
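
A reachability check for the HTTPS endpoints in the allow-list above, to be run from the server that will host the agent before installing or re-registering it. This is an added example, not Microsoft's tooling; the function name Test-HealthEndpoint is hypothetical, the port is taken from each URL's https:// scheme, and the wildcard and Service Bus entries are left out because a wildcard cannot be probed and the page does not state the Service Bus port.

```powershell
# Added example (not part of the original documentation).
# HTTPS endpoints copied from the requirements list on this page.
$healthEndpoints = @(
    'https://management.azure.com'
    'https://s1.adhybridhealth.azure.com/'
    'https://policykeyservice.dc.ad.msft.net/'
    'https://login.windows.net'
    'https://login.microsoftonline.com'
    'https://secure.aadcdn.microsoftonline-p.com'
)

function Test-HealthEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Url,
        # How long to wait for the TCP connection before reporting a failure.
        [int]$TimeoutMs = 5000
    )

    foreach ($u in $Url) {
        $uri = [uri]$u
        $result = [ordered]@{
            Host        = $uri.Host
            Port        = $uri.Port      # 443 for https:// URLs
            TcpOpen     = $false
            TlsProtocol = $null
            Error       = $null
        }

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Step 1: direct TCP connection. This does not go through any HTTP
            # proxy, so it reflects firewall rules only.
            $pending = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
            if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                throw "TCP connect timed out after $TimeoutMs ms"
            }
            $client.EndConnect($pending)
            $result.TcpOpen = $true

            # Step 2: TLS handshake with default certificate validation.
            # A failure here with TcpOpen = True usually points at TLS
            # interception or a protocol version the server no longer accepts.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            try {
                $ssl.AuthenticateAsClient($uri.Host)
                $result.TlsProtocol = $ssl.SslProtocol
            }
            finally {
                $ssl.Dispose()
            }
        }
        catch {
            $result.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            $client.Close()
        }

        [pscustomobject]$result
    }
}

# Usage: list every endpoint that is blocked or fails the TLS handshake.
# Test-HealthEndpoint -Url $healthEndpoints | Where-Object { $_.Error } | Format-Table -AutoSize
```

An empty result from the usage line means every listed HTTPS endpoint accepted a direct connection and completed a validated TLS handshake.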
  • Installing the Azure AD Connect Health Agent for AD FS

    To start the agent installation, double-click on the .exe file that you downloaded. On the first screen, click Install.

    Verify Azure AD Connect Health

    Once the installation is finished, click Configure Now.

    This will launch a command prompt followed by some PowerShell that will execute Register-AzureADConnectHealthADFSAgent. You will be prompted to sign in to Azure. Go ahead and sign in.

    After signing in, PowerShell will continue. Once it completes you can close PowerShell and the configuration is complete.

    At this point, the services should be started automatically and the agent will be now monitoring and gathering data. Be aware that you will see warnings in the PowerShell window if you have not met all of the pre-requisites that were outlined in the previous sections. Be sure to complete the requirements here prior to installing the agent. The screenshot below is an example of these errors.

    Verify Azure AD Connect Health

    To verify the agent has been installed, open services and look for the following. These services should be running if you completed the configuration. Otherwise, they will not start until the configuration is complete.

    • Azure AD Connect Health AD FS Diagnostics Service
    • Azure AD Connect Health AD FS Insights Service
    • Azure AD Connect Health AD FS Monitoring Service

    Agent installation on Windows Server R2 Servers

    For Windows Server R2 servers do the following:

    1. Ensure that the server is running at Service Pack 1 or higher.
    2. Turn off IE ESC for agent installation:
    3. Install Windows PowerShell on each of the servers prior to installing the AD Health agent. To install Windows PowerShell
       • Install Microsoft .NET Framework using the following link to download the offline installer.
       • Install PowerShell ISE (From Windows Features)
       • Install the Windows Management Framework
       • Install Internet Explorer version 10 or above on the server. This is required by the Health Service to authenticate you using your Azure Admin credentials.
    4. For additional information on installing Windows PowerShell on Windows Server R2 see the wiki article here.

    Enable Auditing for AD FS

    In order for the Usage Analytics feature to gather and analyze data, the Azure AD Connect Health agent needs the information in the AD FS Audit Logs. These logs are not enabled by default. This only applies to AD FS federation servers. You do not need to enable auditing on AD FS Proxy servers or Web Application Proxy servers. Use the following procedures to enable AD FS auditing and to locate the AD FS audit logs.

    To enable auditing for AD FS

    1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
    2. Navigate to the Security Settings\Local Policies\User Rights Management folder, and then double-click Generate security audits.
    3. On the Local Security Setting tab, verify that the AD FS service account is listed. If it is not present, click Add User or Group and add it to the list, and then click OK.
    4. Open a command prompt with elevated privileges and run the following command to enable auditing.
    5. Close Local Security Policy, and then open the Management snap-in. To open the Management snap-in, click Start, point to Programs, point to Administrative Tools, and then click AD FS Management.
    6. In the Actions pane, click Edit Federation Service Properties.
    7. In the Federation Service Properties dialog box, click the Events tab.
    8. Select the Success audits and Failure audits check boxes.
    9. Click OK.

    To enable auditing for AD FS on Windows Server R2

    1. Open Local Security Policy by opening Server Manager on the Start screen, or Server Manager in the taskbar on the desktop, then click Tools/Local Security Policy.
    2. Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.
    3. On the Local Security Setting tab, verify that the AD FS service account is listed. If it is not present, click Add User or Group and add it to the list, and then click OK.
    4. Open a command prompt with elevated privileges and run the following command to enable auditing:
    5. Close Local Security Policy, and then open the AD FS Management snap-in (in Server Manager, click Tools, and then select AD FS Management).
    6. In the Actions pane, click Edit Federation Service Properties.
    7. In the Federation Service Properties dialog box, click the Events tab.
    8. Select the Success audits and Failure audits check boxes and then click OK.

    To locate the AD FS audit logs

    1. Open Event Viewer.
    2. Go to Windows Logs and select Security.
    3. On the right, click Filter Current Logs.
    4. Under Event Source, select AD FS Auditing.

    [AZURE.WARNING] If you have a group policy that is disabling AD FS auditing then the Azure AD Connect Health Agent will not be able to collect information. Ensure that you don’t have a group policy that may be disabling auditing.

    Installing the Azure AD Connect Health agent for sync

    The Azure AD Connect Health agent for sync is installed automatically in the latest build of Azure AD Connect. To use Azure AD Connect for sync you will need to download the latest version of Azure AD Connect and install it. You can download the latest version here.

    To verify the agent has been installed, open services and look for the following. These services should be running if you completed the configuration. Otherwise, they will not start until the configuration is complete.

    • Azure AD Connect Health Sync Insights Service
    • Azure AD Connect Health Sync Monitoring Service

    [AZURE.NOTE] Remember that using Azure AD Connect Health requires Azure AD Premium. If you do not have Azure AD Premium you will not be able to complete the configuration in the Azure portal. For more information see the requirements here.

    Manual Azure AD Connect Health for Sync registration

    If the Azure AD Connect Health for Sync agent registration fails after successfully installing Azure AD Connect, you can use the following PowerShell command to manually register the agent.

    [AZURE.IMPORTANT] Using this PowerShell command is only required if the agent registration fails after installing Azure AD Connect.

    The below PowerShell command is required ONLY when the health agent registration fails even after a successful installation and configuration of Azure AD Connect. In such cases Azure AD Connect Health services will NOT start until agent has been successfully registered.

    You can manually register the Azure AD Connect Health agent for sync using the following PowerShell command:

    The command takes the following parameters:

    • AttributeFiltering : $true (default) - if Azure AD Connect is not syncing the default attribute set and has been customized to use a filtered attribute set. $false otherwise.
    • StagingMode : $false (default) - if the Azure AD Connect server is NOT in staging mode, $true if the server is configured to be in staging mode.

    When prompted for authentication you should use the same global admin account (such as [email protected]) that was used for configuring Azure AD Connect.

    Installing the Azure AD Connect Health Agent for AD DS

    To start the agent installation, double-click on the .exe file that you downloaded. On the first screen, click Install.

    Once the installation is finished, click Configure Now.

    This will launch a command prompt followed by some PowerShell that will execute Register-AzureADConnectHealthADDSAgent. You will be prompted to sign in to Azure. Go ahead and sign in.

    After signing in, PowerShell will continue. Once it completes you can close PowerShell and the configuration is complete.

    At this point, the services should be started automatically and the agent will be now monitoring and gathering data. The screenshot below is an example of the output. Be aware that you will see warnings in the PowerShell window if you have not met all of the pre-requisites that were outlined in the previous sections. Be sure to complete the requirements here prior to installing the agent.

    Verify Azure AD Connect Health

    To verify the agent has been installed, open services and look for the following:

    • Azure AD Connect Health AD DS Insights Service
    • Azure AD Connect Health AD DS Monitoring Service

    These two services will not start until the configuration is complete.

    Configure Azure AD Connect Health Agents to use HTTP Proxy

    You can configure Azure AD Connect Health Agents to work with an HTTP Proxy.

    [AZURE.NOTE]

    • Using “Netsh WinHttp set ProxyServerAddress” will not work as the agent uses System.Net to make web requests instead of Microsoft Windows HTTP Services.
    • The configured Http Proxy address will be used to pass-through encrypted Https messages.
    • Authenticated proxies (using HTTPBasic) are not supported.

    Change Health Agent Proxy Configuration

    You have the following options to configure Azure AD Connect Health Agent to use an HTTP Proxy.

    [AZURE.NOTE] You must restart all Azure AD Connect Health Agent services for the proxy settings to be updated. Run the following command:
    Restart-Service AdHealth*

    Import existing proxy Settings

    Import from Internet Explorer

    You can import your Internet Explorer HTTP proxy settings and use them for Azure AD Connect Health Agents by executing the following PowerShell command on each server running the Health Agent.

    Import from WinHTTP

    You can import your WinHTTP proxy settings by executing the following PowerShell command on each server running the Health Agent.

    Specify Proxy addresses manually

    You can specify a proxy server manually by executing the following PowerShell command on each server running the Health Agent.

    Example: Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress myproxyserver

    • "address" can be a DNS resolvable server name or an IPv4 address
    • "port" can be omitted. If omitted then is chosen as default port.

    Clear existing proxy configuration

    You can clear the existing proxy configuration by running the following command.

    Read current proxy settings

    You can use the following command to read the currently configured proxy settings.

    Test Connectivity to Azure AD Connect Health Service

    It is possible that issues may arise that cause the Azure AD Connect Health agent to lose connectivity with the Azure AD Connect Health service. These include network issues, permission issues, or various other reasons.

    If the agent is unable to send data to the Azure AD Connect Health service for more than 2 hours, you will see an Alert indicating "Health Service data is not up to date." Should this occur you can now test whether or not the Azure AD Connect Health agents are able to upload data to the Azure AD Connect Health service by running the following PowerShell command from the machine whose agent is having the issue.

    The role parameter currently takes the following values:

    You can use the -ShowResults flag in the command to view detailed logs. Use the following example:

    [AZURE.NOTE] In order to use the connectivity tool, you must first complete the agent registration. If you are not able to complete the agent registration, make sure that you have met all of the requirements for Azure AD Connect Health. This connectivity test is performed by default during agent registration.

    Related links

    Sours: https://github.com/uglide/azure-content/blob/master/articles/active-directory/active-directory-aadconnect-health-agent-install.md

    Azure AD Connect Health agent installation

    In this article, you'll learn how to install and configure the Azure Active Directory (Azure AD) Connect Health agents. To download the agents, see these instructions.

    Requirements

    The following table lists requirements for using Azure AD Connect Health.

    Requirement: There is an Azure AD Premium (P1 or P2) subscription.
    Description: Azure AD Connect Health is a feature of Azure AD Premium (P1 or P2). For more information, see Sign up for Azure AD Premium.

    To start a free day trial, see Start a trial.

    Requirement: You're a global administrator in Azure AD.
    Description: By default, only global administrators can install and configure the health agents, access the portal, and do any operations within Azure AD Connect Health. For more information, see Administering your Azure AD directory.

    By using Azure role-based access control (Azure RBAC), you can allow other users in your organization to access Azure AD Connect Health. For more information, see Azure RBAC for Azure AD Connect Health.

    Important: Use a work or school account to install the agents. You can't use a Microsoft account. For more information, see Sign up for Azure as an organization.

    Requirement: The Azure AD Connect Health agent is installed on each targeted server.
    Description: Health agents must be installed and configured on targeted servers so that they can receive data and provide monitoring and analytics capabilities.

    For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on the AD FS server and the Web Application Proxy server. Similarly, to get data from your on-premises Azure AD Domain Services (Azure AD DS) infrastructure, you must install the agent on the domain controllers.

    Requirement: The Azure service endpoints have outbound connectivity.
    Description: During installation and runtime, the agent requires connectivity to Azure AD Connect Health service endpoints. If firewalls block outbound connectivity, add the outbound connectivity endpoints to the allow list.

    Requirement: Outbound connectivity is based on IP addresses.
    Description: For information about firewall filtering based on IP addresses, see Azure IP ranges.

    Requirement: TLS inspection for outbound traffic is filtered or disabled.
    Description: The agent registration step or data upload operations might fail if there's TLS inspection or termination for outbound traffic at the network layer. For more information, see Set up TLS inspection.

    Requirement: Firewall ports on the server are running the agent.
    Description: The agent requires the following firewall ports to be open so that it can communicate with the Azure AD Connect Health service endpoints:
    • TCP port
    • TCP port

    The latest version of the agent doesn't require port Upgrade to the latest version so that only port is required. For more information, see Hybrid identity required ports and protocols.

    Requirement: If Internet Explorer enhanced security is enabled, allow specified websites.
    Description: If Internet Explorer enhanced security is enabled, then allow the following websites on the server where you install the agent:
    • https://login.microsoftonline.com
    • https://secure.aadcdn.microsoftonline-p.com
    • https://login.windows.net
    • https://aadcdn.msftauth.net
    • The federation server for your organization that's trusted by Azure AD (for example, https://sts.contoso.com)

    For more information, see How to configure Internet Explorer. If you have a proxy in your network, then see the note that appears at the end of this table.

    Requirement: PowerShell version or newer is installed.
    Description: Windows Server includes PowerShell version

    Requirement: FIPS (Federal Information Processing Standard) is disabled.
    Description: Azure AD Connect Health agents don't support FIPS.

    Important

    Windows Server Core doesn't support installing the Azure AD Connect Health agent.

    Note

    If you have a highly locked-down and restricted environment, you need to add more URLs than the ones the table lists for Internet Explorer enhanced security. Also add URLs that are listed in the table in the next section.

    Outbound connectivity to the Azure service endpoints

    During installation and runtime, the agent needs connectivity to Azure AD Connect Health service endpoints. If firewalls block outbound connectivity, make sure that the URLs in the following table aren't blocked by default.

    Don't disable security monitoring or inspection of these URLs. Instead, allow them as you would allow other internet traffic.

    These URLs allow communication with Azure AD Connect Health service endpoints. Later in this article, you'll learn how to check outbound connectivity by using .

    Domain environment: General public
    Required Azure service endpoints:
    • *.blob.core.windows.net
    • *.aadconnecthealth.azure.com
    • *.servicebus.windows.net - Port: (This endpoint isn't required in the latest version of the agent.)
    • *.adhybridhealth.azure.com/
    • https://management.azure.com
    • https://policykeyservice.dc.ad.msft.net/
    • https://login.windows.net
    • https://login.microsoftonline.com
    • https://secure.aadcdn.microsoftonline-p.com
    • https://www.office.com (This endpoint is used only for discovery purposes during registration.)
    • https://aadcdn.msftauth.net
    • https://aadcdn.msauth.net

    Domain environment: Azure Germany
    Required Azure service endpoints:
    • *.blob.core.cloudapi.de
    • *.servicebus.cloudapi.de
    • *.aadconnecthealth.microsoftazure.de
    • https://management.microsoftazure.de
    • https://policykeyservice.aadcdi.microsoftazure.de
    • https://login.microsoftonline.de
    • https://secure.aadcdn.microsoftonline-p.de
    • https://www.office.de (This endpoint is used only for discovery purposes during registration.)
    • https://aadcdn.msftauth.net
    • https://aadcdn.msauth.net

    Domain environment: Azure Government
    Required Azure service endpoints:
    • *.blob.core.usgovcloudapi.net
    • *.servicebus.usgovcloudapi.net
    • *.aadconnecthealth.microsoftazure.us
    • https://management.usgovcloudapi.net
    • https://policykeyservice.aadcdi.azure.us
    • https://login.microsoftonline.us
    • https://secure.aadcdn.microsoftonline-p.com
    • https://www.office.com (This endpoint is used only for discovery purposes during registration.)
    • https://aadcdn.msftauth.net
    • https://aadcdn.msauth.net

    Install the agent

    To download and install the Azure AD Connect Health agent:

    Install the agent for AD FS

    Note

    Your AD FS server should be different from your Sync server. Don't install the AD FS agent on your Sync server.

    Before you install the agent, make sure your AD FS server host name is unique and isn't present in the AD FS service. To start the agent installation, double-click the .exe file that you downloaded. In the first window, select Install.

    Screenshot showing the installation window for the Azure AD Connect Health AD FS agent.

    After the installation finishes, select Configure Now.

    Screenshot showing the confirmation message for the Azure AD Connect Health AD FS agent installation.

    A PowerShell window opens to start the agent registration process. When you're prompted, sign in by using an Azure AD account that has permissions to register the agent. By default, the global admin account has permissions.

    Screenshot showing the sign-in window for Azure AD Connect Health AD FS.

    After you sign in, PowerShell continues. When it finishes, you can close PowerShell. The configuration is complete.

    At this point, the agent services should start automatically to allow the agent to securely upload the required data to the cloud service.

    If you haven't met all of the prerequisites, warnings appear in the PowerShell window. Be sure to complete the requirements before you install the agent. The following screenshot shows an example of these warnings.

    Screenshot showing the Azure AD Connect Health AD FS configure script.

    To verify that the agent was installed, look for the following services on the server. If you completed the configuration, they should already be running. Otherwise, they're stopped until the configuration is complete.

    • Azure AD Connect Health AD FS Diagnostics Service
    • Azure AD Connect Health AD FS Insights Service
    • Azure AD Connect Health AD FS Monitoring Service

    Screenshot showing Azure AD Connect Health AD FS services.

    Enable auditing for AD FS

    Note

    This section applies only to AD FS servers. You don't have to follow these steps on the Web Application Proxy servers.

    The Usage Analytics feature needs to gather and analyze data. So the Azure AD Connect Health agent needs the information in the AD FS audit logs. These logs aren't enabled by default. Use the following procedures to enable AD FS auditing and to locate the AD FS audit logs on your AD FS servers.

    To enable auditing for AD FS on Windows Server R2

    1. On the Start screen, open Server Manager, and then open Local Security Policy. Or on the taskbar, open Server Manager, and then select Tools/Local Security Policy.

    2. Go to the Security Settings\Local Policies\User Rights Assignment folder. Then double-click Generate security audits.

    3. On the Local Security Setting tab, verify that the AD FS service account is listed. If it's not listed, then select Add User or Group, and add it to the list. Then select OK.

    4. To enable auditing, open a Command Prompt window with elevated privileges. Then run the following command:

    5. Close Local Security Policy.

      Important

      The following steps are required only for primary AD FS servers.

    6. Open the AD FS Management snap-in. (In Server Manager, select Tools > AD FS Management.)

    7. In the Actions pane, select Edit Federation Service Properties.

    8. In the Federation Service Properties dialog box, select the Events tab.

    9. Select the Success audits and Failure audits check boxes, and then select OK.

    10. To enable verbose logging through PowerShell, use the following command:

    To enable auditing for AD FS on Windows Server

    1. On the Start screen, open Server Manager, and then open Local Security Policy. Or on the taskbar, open Server Manager, and then select Tools/Local Security Policy.

    2. Go to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.

    3. On the Local Security Setting tab, verify that the AD FS service account is listed. If it's not listed, then select Add User or Group, and add the AD FS service account to the list. Then select OK.

    4. To enable auditing, open a Command Prompt window with elevated privileges. Then run the following command:

    5. Close Local Security Policy.

      Important

      The following steps are required only for primary AD FS servers.

    6. Open the AD FS Management snap-in. (In Server Manager, select Tools > AD FS Management.)

    7. In the Actions pane, select Edit Federation Service Properties.

    8. In the Federation Service Properties dialog box, select the Events tab.

    9. Select the Success audits and Failure audits check boxes, and then select OK. Success audits and failure audits should be enabled by default.

    10. Open a PowerShell window and run the following command:

    The "basic" audit level is enabled by default. For more information, see AD FS audit enhancement in Windows Server

    To locate the AD FS audit logs

    1. Open Event Viewer.

    2. Go to Windows Logs, and then select Security.

    3. On the right, select Filter Current Logs.

    4. For Event sources, select AD FS Auditing.

      For more information about audit logs, see Operations questions.

      Screenshot showing the Filter Current Log window. In the "Event sources" field, "AD FS auditing" is selected.

    Warning

    A group policy can disable AD FS auditing. If AD FS auditing is disabled, usage analytics about login activities are unavailable. Ensure that you have no group policy that disables AD FS auditing.
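The auditing prerequisites described above can be checked in one pass. The following is an added example, not part of the original article: it reads the effective audit policy (which is what a conflicting group policy would change), the AD FS log settings, and the Security log. It assumes English-language auditpol output, the "Application Generated" audit subcategory from Microsoft's AD FS auditing guidance, and the AD FS Windows service name adfssrv; the function name is hypothetical.

```powershell
# Added example (not from the original article). Run elevated on an AD FS federation server.
# Assumptions: English auditpol output, audit subcategory "Application Generated",
# AD FS Windows service name 'adfssrv'. Function and helper names are hypothetical.

function Get-AdfsAuditReadiness {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" })
    }

    # 1. The AD FS service account must hold "Generate security audits" (SeAuditPrivilege).
    $svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    if (-not $svc) {
        Add-Finding 'AD FS service' $false 'Service adfssrv not found on this server'
        return $findings
    }
    try {
        $account = New-Object System.Security.Principal.NTAccount($svc.StartName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
        secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        $line = Select-String -Path $cfg -Pattern '^SeAuditPrivilege\s*=' | Select-Object -First 1
        Remove-Item $cfg -ErrorAction SilentlyContinue
        $holders = if ($line) {
            ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        } else { @() }
        # Only direct assignments are checked; rights granted through a group are not resolved.
        $direct = ($holders -contains $sid) -or ($holders -contains $svc.StartName)
        Add-Finding 'Generate security audits right' $direct "Account $($svc.StartName); holders: $($holders -join ', ')"
    } catch {
        Add-Finding 'Generate security audits right' $false $_.Exception.Message
    }

    # 2. Effective OS audit policy. A group policy that disables auditing shows up here.
    $row = auditpol.exe /get /subcategory:"Application Generated" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    Add-Finding 'Audit policy: Application Generated' ($setting -eq 'Success and Failure') $setting

    # 3. Federation Service Properties: success and failure audits (Events tab).
    try {
        $props = Get-AdfsProperties -ErrorAction Stop
        $missing = 'SuccessAudits', 'FailureAudits' | Where-Object { $props.LogLevel -notcontains $_ }
        Add-Finding 'AD FS LogLevel audits' (-not $missing) "LogLevel: $($props.LogLevel -join ', ')"
        # AuditLevel exists only on newer AD FS versions.
        if ($props.PSObject.Properties.Name -contains 'AuditLevel') {
            Add-Finding 'AD FS AuditLevel' ($props.AuditLevel -ne 'None') "AuditLevel: $($props.AuditLevel)"
        }
    } catch {
        Add-Finding 'AD FS properties' $false $_.Exception.Message
    }

    # 4. Evidence that audit events are actually being written to the Security log.
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    $detail = if ($evt) { "Latest event: $($evt.TimeCreated)" } else { 'No events found' }
    Add-Finding "AD FS Auditing events (last $LookbackHours h)" ([bool]$evt) $detail

    $findings
}

Get-AdfsAuditReadiness | Format-Table -AutoSize -Wrap
```

A failed policy check on a server where the steps above were completed usually means another policy source is overwriting the local setting.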

    Install the agent for Sync

    The Azure AD Connect Health agent for Sync is installed automatically in the latest version of Azure AD Connect. To use Azure AD Connect for Sync, download the latest version of Azure AD Connect and install it.

    To verify the agent has been installed, look for the following services on the server. If you completed the configuration, the services should already be running. Otherwise, the services are stopped until the configuration is complete.

    • Azure AD Connect Health Sync Insights Service
    • Azure AD Connect Health Sync Monitoring Service

    Screenshot showing the running Azure AD Connect Health for Sync services on the server.

    Note

    Remember that you must have Azure AD Premium (P1 or P2) to use Azure AD Connect Health. If you don't have Azure AD Premium, you can't complete the configuration in the Azure portal. For more information, see the requirements.

    Manually register Azure AD Connect Health for Sync

    If the Azure AD Connect Health for Sync agent registration fails after you successfully install Azure AD Connect, then you can use a PowerShell command to manually register the agent.

    Important

    Use this PowerShell command only if the agent registration fails after you install Azure AD Connect.

    Manually register the Azure AD Connect Health agent for Sync by using the following PowerShell command. The Azure AD Connect Health services will start after the agent has been successfully registered.

    The command takes the following parameters:

    • AttributeFiltering: (default) if Azure AD Connect isn't syncing the default attribute set and has been customized to use a filtered attribute set. Otherwise, use .
    • StagingMode: (default) if the Azure AD Connect server is not in staging mode. If the server is configured to be in staging mode, use .

    When you're prompted for authentication, use the same global admin account (such as [email protected]) that you used to configure Azure AD Connect.

    Install the agent for Azure AD DS

    To start the agent installation, double-click the .exe file that you downloaded. In the first window, select Install.

    Screenshot showing the Azure AD Connect Health agent for AD DS installation window.

    When the installation finishes, select Configure Now.

    Screenshot showing the window that finishes the installation of the Azure AD Connect Health agent for Azure AD DS.

    A Command Prompt window opens. PowerShell runs . When you're prompted, sign in to Azure.

    Screenshot showing the sign-in window for the Azure AD Connect Health agent for Azure AD DS.

    After you sign in, PowerShell continues. When it finishes, you can close PowerShell. The configuration is complete.

    At this point, the services should be started automatically, allowing the agent to monitor and gather data. If you haven't met all of the prerequisites outlined in the previous sections, then warnings appear in the PowerShell window. Be sure to complete the requirements before you install the agent. The following screenshot shows an example of these warnings.

    Screenshot showing a warning for the Azure AD Connect Health agent for Azure AD DS configuration.

    To verify that the agent is installed, look for the following services on the domain controller:

    • Azure AD Connect Health AD DS Insights Service
    • Azure AD Connect Health AD DS Monitoring Service

    If you completed the configuration, these services should already be running. Otherwise, they're stopped until the configuration finishes.

    Screenshot showing the running services on the domain controller.

    Quickly install the agent on multiple servers

    1. Create a user account in Azure AD. Secure it by using a password.

    2. Assign the Owner role for this local Azure AD account in Azure AD Connect Health by using the portal. Follow these steps. Assign the role to all service instances.

    3. Download the .exe MSI file in the local domain controller for the installation.

    4. Run the following script. Replace the parameters with your new user account and its password.

    When you finish, you can remove access for the local account by doing one or more of the following tasks:

    • Remove the role assignment for the local account for Azure AD Connect Health.
    • Rotate the password for the local account.
    • Disable the Azure AD local account.
    • Delete the Azure AD local account.

    Register the agent by using PowerShell

    After you install the appropriate agent setup.exe file, you can register the agent by using the following PowerShell commands, depending on the role. Open a PowerShell window and run the appropriate command:

    Note

    To register against sovereign clouds, use the following command lines:

    These commands accept as a parameter to complete the registration noninteractively or to complete the registration on a machine that runs Server Core. Keep in mind that:

    • You can capture in a PowerShell variable that's passed as a parameter.
    • You can provide any Azure AD identity that has permissions to register the agents and that does not have multifactor authentication enabled.
    • By default, global admins have permissions to register the agents. You can also allow less-privileged identities to do this step. For more information, see Azure RBAC.

    Configure Azure AD Connect Health agents to use HTTP proxy

    You can configure Azure AD Connect Health agents to work with an HTTP proxy.

    Note

    • is not supported. The agent uses System.Net instead of Windows HTTP Services to make web requests.
    • The configured HTTP proxy address is used to pass-through encrypted HTTPS messages.
    • Authenticated proxies (using HTTPBasic) are not supported.

    Change the agent proxy configuration

    To configure the Azure AD Connect Health agent to use an HTTP proxy, you can:

    • Import existing proxy settings.
    • Specify proxy addresses manually.
    • Clear the existing proxy configuration.

    Note

    To update the proxy settings, you must restart all Azure AD Connect Health agent services. Run the following command:

    Import existing proxy settings

    You can import Internet Explorer HTTP proxy settings so that the Azure AD Connect Health agents can use the settings. On each of the servers that run the health agent, run the following PowerShell command:

    You can import WinHTTP proxy settings so that the Azure AD Connect Health agents can use them. On each of the servers that run the health agent, run the following PowerShell command:

    Specify proxy addresses manually

    You can manually specify a proxy server. On each of the servers that run the health agent, run the following PowerShell command:

    Here's an example:

    In this example:

    • The setting can be a DNS-resolvable server name or an IPv4 address.
    • You can omit . If you do, then is the default port.

    Clear the existing proxy configuration

    You can clear the existing proxy configuration by running the following command:

    Read current proxy settings

    You can read the current proxy settings by running the following command:

    Test connectivity to Azure AD Connect Health service

    Occasionally, the Azure AD Connect Health agent can lose connectivity with the Azure AD Connect Health service. Causes of this connectivity loss can include network problems, permission problems, and various other problems.

    If the agent can't send data to the Azure AD Connect Health service for longer than two hours, the following alert appears in the portal: "Health Service data is not up to date."

    You can find out whether the affected Azure AD Connect Health agent can upload data to the Azure AD Connect Health service by running the following PowerShell command:

    The role parameter currently takes the following values:

    Note

    To use the connectivity tool, you must first register the agent. If you can't complete the agent registration, make sure that you have met all of the requirements for Azure AD Connect Health. Connectivity is tested by default during agent registration.
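When the agent cannot upload data, it helps to separate a blocked port from TLS inspection on the path, which the requirements table names as a cause of registration and upload failures. The following is an added example, not part of the original article or the agent's own connectivity tool: it probes the concrete HTTPS hosts from the "General public" endpoint list and reports the issuer of the certificate each one presents. It assumes TLS 1.2 on port 443 (implied by the https:// scheme); the function names and the `$InspectionCaPattern` placeholder are hypothetical.

```powershell
# Added example (not from the original article).
# Assumptions: TLS 1.2 on port 443, implied by the https:// scheme of the listed URLs.
# $InspectionCaPattern is a placeholder for the issuer name of your own TLS-inspection CA.

# Concrete hosts from the "General public" list. Wildcard entries such as
# *.blob.core.windows.net cannot be probed without a tenant-specific host name.
$PublicCloudHosts = @(
    'management.azure.com',
    'policykeyservice.dc.ad.msft.net',
    'login.windows.net',
    'login.microsoftonline.com',
    'secure.aadcdn.microsoftonline-p.com',
    'www.office.com',
    'aadcdn.msftauth.net',
    'aadcdn.msauth.net'
)

function Test-HealthEndpoint {
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [string]$InspectionCaPattern = 'REPLACE-WITH-PROXY-CA-NAME',
        [int]$TimeoutMs = 5000
    )
    $result = [pscustomobject]@{
        Host = $HostName; TcpReachable = $false; TlsOk = $false
        Issuer = $null; IssuedByInspectionCa = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Step 1: plain TCP reachability with an explicit timeout.
        $pending = $client.BeginConnect($HostName, 443, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw 'TCP connect to port 443 timed out'
        }
        $client.EndConnect($pending)
        $result.TcpReachable = $true

        # Step 2: TLS handshake. The callback accepts any certificate because the
        # goal is to inspect what is presented, not to trust it. No data is sent.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.TlsOk = $true

        # Step 3: record the issuer. An issuer matching your inspection CA means the
        # session is being terminated and re-signed before it reaches the service.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Issuer = $cert.Issuer
        $result.IssuedByInspectionCa = $cert.Issuer -like "*$InspectionCaPattern*"
    }
    catch { $result.Error = $_.Exception.Message }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    $result
}

function Get-HealthAgentServiceState {
    # 'AdHealth*' is the service-name pattern the article uses with Restart-Service.
    Get-Service -Name 'AdHealth*' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status
}

Get-HealthAgentServiceState | Format-Table -AutoSize
$PublicCloudHosts |
    ForEach-Object { Test-HealthEndpoint -HostName $_ } |
    Format-Table -AutoSize -Wrap
```

The probe connects directly and does not use the agent's configured HTTP proxy, so on a proxied server a TCP failure here is expected and only the service state is meaningful.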

    Next steps

    Check out the following related articles:

    Sours: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install

