Azure Active Directory Connect Health : Installation guide

Hi all,

Microsoft released Azure Active Directory Connect Health, an Azure service that allows you to monitor and gain insight into your on-premises identity infrastructure. It provides you with valuable information such as alerts, performance data and infrastructure configuration.

AAD Connect Health logo

This blog post will guide you through a complete installation, step by step. AAD Connect Health supports both ADFS 2.0 and 3.0. This post applies to both versions, but the steps are carried out on a Windows Server 2012 R2 server (ADFS 3.0). The extra steps needed for ADFS 2.0 are explained and detailed where they apply.

NB : At the time of writing, Azure Active Directory Connect Health is in Public Preview. Active Directory Federation Services is the only service that can be monitored with Azure AD Connect Health. This includes AD FS servers, AD FS Proxy servers and Web Application Proxy servers. Microsoft will be adding additional services to Azure AD Connect Health during the preview with future updates. I have no information about the final release date.

Update: Azure AD Connect Health is now GA.

This blog post is organized as follows:

Introduction : I will introduce Azure AD Connect Health

Requirements : I will present the different requirements you must meet before you can use Azure AD Connect Health

Deployment : I will present and detail the different steps to successfully deploy Azure AD Connect Health

Introduction

Azure AD Connect Health is an Azure service: it runs in Azure and is maintained there. It is agent based. Agents have to be installed on the servers to be monitored; those agents collect information and send it back to the Azure endpoints. The Azure AD Connect Health views and configuration panes are accessed via the Azure Preview portal.


Requirements

  • Azure Active Directory Premium license

You must own an Azure Active Directory Premium license to be able to use Azure AD Connect Health. To verify that your Azure Active Directory license is Premium, connect to the Azure portal (manage.windowsazure.com), sign in and go to the Directory view (AzureDirectory). Go to the LICENSES tab and look at your LICENSE PLANS. Verify that your license plan includes the Azure Active Directory Premium feature. (The following picture shows the LICENSES tab view; here the license plan is EMS (Enterprise Mobility Suite), which includes AAD Premium.)

Snap 2015-04-30 at 16.34.40

(Picture Credit: SAMIR FARHAT)

  • Azure AD Global administrator account and assigned license

The user account you will use to register the AAD Connect Health agents must be a member of the Global Administrator role on your Azure Active Directory Premium tenant. In addition, it must be assigned a license.

To verify that your account is a global administrator, connect to the Azure portal (manage.windowsazure.com), sign in and go to the Directory view (AzureDirectory). Go to USERS, find your user account and open its Properties. Verify that the Organizational role is set to Global Admin. If not, ask your Azure Active Directory administrator to add you to this role, or to provide you with a Global Admin account.

Snap 2015-05-02 at 18.02.48

(Picture Credit: SAMIR FARHAT)

To verify that the user account is assigned a license, go to the LICENSES tab, open the Properties of your license plan, select All users, and find the user account. Verify that the Assignment Status is Enabled. If not, you can assign it a license using the Assign button at the bottom of the page.

Snap 2015-05-02 at 18.13.57

(Picture Credit: SAMIR FARHAT)

  • AAD Connect Health Agent requirement : For ADFS servers, ADFS auditing must be enabled to use Usage Analytics

To be able to use Usage Analytics for ADFS, ADFS auditing must be enabled on the ADFS federation servers. Enabling auditing does not apply to ADFS Proxy servers or Web Application Proxy servers. If you have a load-balanced ADFS farm, some of the configuration is made only on the primary server (I will point it out), so if that is your case, connect to the primary server first.

|||| The following steps should be done on all your ADFS federation farm servers (or on the single federation server if you are not in a farm configuration)

Log on to your ADFS federation server with a domain user that has local administrative privileges. Open the Local Security Policy console (secpol.msc).

Snap 2015-04-30 at 14.53.07

(Picture Credit: SAMIR FARHAT)

Navigate to the Security Settings\Local Policies\User Rights Assignment folder, then double-click Generate security audits.

Snap 2015-04-30 at 14.54.34

(Picture Credit: SAMIR FARHAT)

On the Local Security Setting tab, verify that the AD FS service account is listed. If it is not present, click Add User or Group, add it to the list, and then validate by clicking OK.

Snap 2015-04-30 at 14.55.05

(Picture Credit: SAMIR FARHAT)

Open a command prompt with elevated privileges and run the following command to enable auditing:

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

Snap 2015-04-30 at 14.56.12

(Picture Credit: SAMIR FARHAT)

Verify that the command was successfully executed.

|||| The following steps should be done on the primary ADFS federation server (if you are in a farm configuration) or on the single federation server if you are not in a farm configuration

Open the AD FS Management snap-in from Server Manager: go to Tools and select AD FS Management.

Snap 2015-04-30 at 14.56.47

(Picture Credit: SAMIR FARHAT)

In the Actions pane, click Edit Federation Service Properties.

Snap 2015-04-30 at 15.36.18

(Picture Credit: SAMIR FARHAT)

In the Federation Service Properties dialog box, click the Events tab. Check the Success audits and Failure audits check boxes and validate by clicking OK.

Snap 2015-04-30 at 15.36.35

(Picture Credit: SAMIR FARHAT)

Now you can locate the ADFS audit logs. Open Event Viewer, go to Windows Logs and select Security. On the right, click Filter Current Log.

Snap 2015-04-30 at 15.37.08

(Picture Credit: SAMIR FARHAT)

Under Event sources, select AD FS Auditing, then click OK.

Snap 2015-04-30 at 15.37.35

(Picture Credit: SAMIR FARHAT)

If your ADFS server is processing requests, you will see events being logged and scrolling by.

Snap 2015-04-30 at 15.37.46

(Picture Credit: SAMIR FARHAT)
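The steps above are all manual clicks. As an added example (not code from the original post), the following PowerShell function checks each of the auditing prerequisites on an AD FS 3.0 federation server and, when run with -Fix, applies the two that can be scripted (the auditpol subcategory and the Federation Service log level). It assumes the AD FS service is named adfssrv, that the audit event provider is named "AD FS Auditing" (the name selected in Event Viewer above), and that the ADFS PowerShell module is available (ADFS 2.0 uses a snap-in instead). The "Generate security audits" user right is only reported, not changed, because that still belongs in secpol.msc.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell window.
function Test-AdfsAuditingPrerequisites {
    param([switch]$Fix)

    # 1. The AD FS service account must hold "Generate security audits" (SeAuditPrivilege).
    $svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"   # assumption: service name adfssrv
    if (-not $svc) { throw "AD FS service 'adfssrv' not found; run this on a federation server." }
    $account = $svc.StartName
    $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # secedit exports each user right as one line of SIDs prefixed with '*'.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg "$inf" /areas USER_RIGHTS | Out-Null
    $rightLine = Get-Content $inf | Where-Object { $_ -like 'SeAuditPrivilege*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($rightLine -and $rightLine -like "*$sid*") {
        Write-Host "OK      $account holds 'Generate security audits'"
    } else {
        Write-Warning "MISSING $account lacks 'Generate security audits'; add it in secpol.msc"
    }

    # 2. The 'Application Generated' audit subcategory must log both success and failure.
    $pol = auditpol.exe /get /subcategory:"Application Generated" /r | Where-Object { $_ } | ConvertFrom-Csv
    $setting = ($pol | Select-Object -First 1).'Inclusion Setting'
    if ($setting -eq 'Success and Failure') {
        Write-Host "OK      'Application Generated' auditing: $setting"
    } elseif ($Fix) {
        auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null
        Write-Host "FIXED   'Application Generated' auditing enabled (was: '$setting')"
    } else {
        Write-Warning "MISSING 'Application Generated' auditing is '$setting' (re-run with -Fix)"
    }

    # 3. Federation Service Properties > Events: Success audits and Failure audits.
    #    Set-AdfsProperties only works on the primary server of a farm and replaces the whole list.
    Import-Module ADFS -ErrorAction Stop
    $level = (Get-AdfsProperties).LogLevel
    $missing = @('SuccessAudits', 'FailureAudits') | Where-Object { $level -notcontains $_ }
    if (-not $missing) {
        Write-Host "OK      AD FS log level includes SuccessAudits and FailureAudits"
    } elseif ($Fix) {
        Set-AdfsProperties -LogLevel ($level + $missing)
        Write-Host "FIXED   AD FS log level now: $((Get-AdfsProperties).LogLevel -join ', ')"
    } else {
        Write-Warning "MISSING AD FS log level lacks: $($missing -join ', ') (re-run with -Fix on the primary server)"
    }

    # 4. Evidence that auditing really works: recent events from the 'AD FS Auditing' provider.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing' } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    if ($events) {
        Write-Host "OK      $($events.Count) recent 'AD FS Auditing' events, newest: $($events[0].TimeCreated)"
    } else {
        Write-Host "INFO    no 'AD FS Auditing' events yet (expected until the server processes a request)"
    }
}

Test-AdfsAuditingPrerequisites          # report only
# Test-AdfsAuditingPrerequisites -Fix   # also apply the scriptable fixes
```

Run the report-only form on every federation server; run it with -Fix only on the primary server, since step 3 fails on a secondary farm member. Step 4 returning no events on a freshly configured server is normal until a sign-in has been processed.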

  • Allowing Azure endpoints (websites) on Internet Explorer

|||| The following steps should be done on all your ADFS servers : federation servers, proxy servers and WAP servers

AAD Connect Health agents communicate with Azure services through different endpoints (during installation and registration). If Internet Explorer Enhanced Security Configuration is enabled, add the following websites to the IE Trusted Sites zone.

Open Internet Explorer, go to Internet Options, Security, Trusted Sites and click Sites.

Snap 2015-05-03 at 23.02.37

(Picture Credit: SAMIR FARHAT)

Add the Azure sites to the trusted list, then click Close.

Snap 2015-04-30 at 15.42.39

(Picture Credit: SAMIR FARHAT)

|||| Outbound connectivity to Azure endpoint services

AAD Connect Health agents communicate with Azure service endpoints. Make sure that all your ADFS servers can reach the following targets :

  • DNS: *.servicebus.windows.net – TCP Port: 5671 (New)
  • https://*.adhybridhealth.azure.com/
  • https://*.table.core.windows.net/
  • https://policykeyservice.dc.ad.msft.net/
  • https://login.windows.net
  • https://login.microsoftonline.com
  • https://secure.aadcdn.microsoftonline-p.com
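A firewall or proxy that blocks one of these targets usually shows up only as a failed agent registration. The following PowerShell script is an added example (not from the original post) that resolves and TCP-connects to each target from the ADFS server so DNS, firewall and proxy problems are separated before you install anything. The three wildcard entries cannot be tested as wildcards; the host names marked PLACEHOLDER are assumptions you must replace with the concrete names seen in your own environment. The Service Bus entry is tested on TCP 5671, the HTTPS entries on 443.

```powershell
# Added example, not part of the original post. Requires PowerShell 3.0 or later.
$targets = @(
    @{ Host = 'PLACEHOLDER-namespace.servicebus.windows.net'; Port = 5671 }, # *.servicebus.windows.net
    @{ Host = 'PLACEHOLDER.adhybridhealth.azure.com';         Port = 443  }, # *.adhybridhealth.azure.com
    @{ Host = 'PLACEHOLDER.table.core.windows.net';           Port = 443  }, # *.table.core.windows.net
    @{ Host = 'policykeyservice.dc.ad.msft.net';              Port = 443  },
    @{ Host = 'login.windows.net';                            Port = 443  },
    @{ Host = 'login.microsoftonline.com';                    Port = 443  },
    @{ Host = 'secure.aadcdn.microsoftonline-p.com';          Port = 443  }
)

function Test-TcpEndpoint {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    # Resolve first so that a DNS failure is reported separately from a firewall block.
    try { $addresses = [System.Net.Dns]::GetHostAddresses($HostName) }
    catch { return [pscustomobject]@{ Host = $HostName; Port = $Port; Dns = $false; Tcp = $false; Detail = $_.Exception.Message } }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect/WaitOne gives us a timeout; the default connect timeout is far too long.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return [pscustomobject]@{ Host = $HostName; Port = $Port; Dns = $true; Tcp = $false; Detail = "timeout after ${TimeoutMs} ms" }
        }
        $client.EndConnect($async)
        return [pscustomobject]@{ Host = $HostName; Port = $Port; Dns = $true; Tcp = $true; Detail = $addresses[0].IPAddressToString }
    } catch {
        return [pscustomobject]@{ Host = $HostName; Port = $Port; Dns = $true; Tcp = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# The agent runs as Windows services, which do not see a user's Internet Explorer proxy settings.
# Show the machine-wide WinHTTP proxy so you know whether this traffic is expected to go through a proxy.
Write-Host "WinHTTP proxy configuration:"
netsh.exe winhttp show proxy

$results = foreach ($t in $targets) { Test-TcpEndpoint -HostName $t.Host -Port $t.Port }
$results | Format-Table Host, Port, Dns, Tcp, Detail -AutoSize

if ($results | Where-Object { -not $_.Tcp }) {
    Write-Warning "One or more endpoints are unreachable; fix DNS, firewall or proxy before running Register-ADHealthAgent."
}
```

A direct TCP connect only proves the path is open at the network level; if a proxy is in use, the Tcp column will be false for every target even though the agent may work through the proxy, so read the netsh output first.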
  • Update .NET Framework, Windows Management Framework and Internet Explorer (only for Windows Server 2008 R2 SP1, i.e. ADFS 2.0)

These steps only apply if you are using ADFS 2.0 on top of Windows Server 2008 R2 SP1. Three updates are required, if not already installed:

  • Update the .NET Framework to version 4.5 : you can download the offline .NET Framework 4.5 installer HERE
  • Update the Windows Management Framework to version 4 : PowerShell 4.0 is mandatory for the AAD Connect Health agents. PowerShell 4.0 ships with Windows Management Framework 4.0. You can download the Windows Management Framework 4.0 HERE. Please read the system requirements carefully before proceeding.
  • Update Internet Explorer to version 10 or later : if your IE version is not already IE 10 or 11, update it to Internet Explorer 11. Download HERE

NB : Each of the updates discussed above requires a server reboot, so install them in one shot and reboot your server only once.

Agent installation and configuration

After preparing your environment for AAD Connect Health (see the requirements above), you can install the agents and configure them to communicate with Azure.

Tip : Install and configure your agents in the order in which you want to see your servers listed. The first registered server appears first on the Azure AAD Connect Health portal, and reordering the servers is not possible in the current release (Public Preview).

  • First download the agent installer and copy it to all your ADFS servers. You can get the agent from HERE.
  • Install the agent on your ADFS server

Snap 2015-04-30 at 15.46.01

(Picture Credit: SAMIR FARHAT)

  • Verify that the following three services are present in the Services list. The services should be in the ‘Stopped’ state and set to ‘Automatic’ startup:

| Microsoft AD Health Diagnostic Agent

| Microsoft AD Health Insights Service

| Microsoft AD Health Monitoring Service

Snap 2015-04-30 at 15.47.03

(Picture Credit: SAMIR FARHAT)

  • Now open an elevated PowerShell window and run the following command : Register-ADHealthAgent. A sign-in window will prompt you for your Azure AD credentials (Global Admin account). Tip : the credentials are used only to register the host with Azure; they are not used for any further authentication. The registration process generates a certificate that the agent then uses to authenticate to Azure.

Snap 2015-04-30 at 15.52.00

(Picture Credit: SAMIR FARHAT)

Check that the registration was successful.

Snap 2015-04-30 at 16.38.28

(Picture Credit: SAMIR FARHAT)

Proceed with the agent installation on the remaining servers.
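The ADFS 2.0 prerequisite updates, the post-install service check and the registration step above are easy to get wrong on a farm of several servers. The following PowerShell script is an added example (not code from the original post or from the agent) that checks the PowerShell, .NET Framework and Internet Explorer versions, then confirms the three agent services exist with Automatic startup, and only then calls Register-ADHealthAgent. It assumes the service display names are exactly as listed above (the short service names are not given, so it matches on display name) and uses the standard registry locations for the .NET and IE versions.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell window on each ADFS server.
function Test-AgentPrerequisites {
    $ok = $true

    # PowerShell 4.0 (Windows Management Framework 4.0) is mandatory for the agent.
    if ($PSVersionTable.PSVersion.Major -lt 4) {
        Write-Warning "PowerShell $($PSVersionTable.PSVersion) found; WMF 4.0 is required."
        $ok = $false
    }

    # .NET Framework 4.5 or later: the 'Release' value 378389 corresponds to .NET 4.5 RTM.
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                    -ErrorAction SilentlyContinue).Release
    if (-not $release -or $release -lt 378389) {
        Write-Warning ".NET Framework 4.5 or later is not installed."
        $ok = $false
    }

    # Internet Explorer 10 or later: 'svcVersion' holds the real version on IE 10+; the older
    # 'Version' value stays at 9.x on those builds, so it is only used as a fallback.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ieVersion = [version]$(if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version })
    if ($ieVersion.Major -lt 10) {
        Write-Warning "Internet Explorer $ieVersion found; IE 10 or later is required."
        $ok = $false
    }
    return $ok
}

function Test-AgentServices {
    # Display names as listed in the post; matched on display name because the service names are not given.
    $expected = 'Microsoft AD Health Diagnostic Agent',
                'Microsoft AD Health Insights Service',
                'Microsoft AD Health Monitoring Service'
    $ok = $true
    foreach ($name in $expected) {
        $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
        if (-not $svc) {
            Write-Warning "Service '$name' not found; the agent installation did not complete."
            $ok = $false
            continue
        }
        # Before registration the services are expected to be Stopped with an Automatic start mode.
        if ($svc.StartMode -ne 'Auto') {
            Write-Warning "'$name' start mode is $($svc.StartMode); expected Auto."
            $ok = $false
        }
        Write-Host ("{0,-40} State={1,-8} StartMode={2}" -f $name, $svc.State, $svc.StartMode)
    }
    return $ok
}

if ((Test-AgentPrerequisites) -and (Test-AgentServices)) {
    # Prompts for the Global Admin credentials; they are used only to obtain the agent certificate,
    # which the services use for all later authentication to Azure.
    Register-ADHealthAgent

    # After a successful registration the agent services should be running.
    Get-Service -DisplayName 'Microsoft AD Health*' | Format-Table DisplayName, Status -AutoSize
} else {
    Write-Warning "Prerequisites not met; fix the warnings above before registering this server."
}
```

Because the first server registered is the first one shown in the portal, run this script on the servers in the order you want them listed.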

Adding Azure Active Directory Connect Health to the Azure portal

To verify and begin using AAD Connect Health on the Azure portal, see my next blog post : Azure Active Directory Connect Health : User Guide
