AD Connect Health Lab
Pre-requisites
1. Azure AD directory premium tenant
2. Set up an environment at https://demos.microsoft.com/
3. On-Premises AD infrastructure:
a. Azure AD Connect (build newer than November 2015) installed in the On-Premises AD
structure
b. AD FS Deployed and configured.
c. Complete Azure AD Connect Prerequisites for AD FS at:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health-agent-install/
Force an alert in the Sync Service and see it in the Azure Portal
4. In the on-prem machine that runs Azure AD Connect, stop the “Microsoft Azure AD Sync” Windows
service. This will generate a critical alert because Sync is no longer running.
5. Restart the “Azure AD Connect Health Sync Insights Service”. This will accelerate the agent
detecting the condition in the portal. Alternatively, you can wait 15 minutes.
6. Reload Azure AD Connect Health by navigating back to https://aka.ms/aadconnecthealth in
the browser. You should now see:
7. Click on the tenant name. A new blade should open with 1 new active alert in the Operations
Sections as shown below.
8. Click on the operations tile to get more detail on the alert. Notice the Active Alert Section
contains a new alert that pinpoints exactly what the problem is:
9. Click on the active alert and you can see all the details. Notice all the state and Fix information.
10. Fix the problem by restarting the service per the instructions in the Azure Portal.
11. To refresh the state detection, restart the “Azure AD Connect Health Sync Insights Service”.
Note that this is only for the purposes of this lab. In a real deployment the alert will go away on its own
within 15 minutes.
12. Reload Azure AD Connect Health by navigating back to https://aka.ms/aadconnecthealth in
the browser. You should now see the main tile showing a healthy state that you saw in step 6
above.
13. Click again on the Azure AD Connect Sync tile, and then click again on the Operations tile. Note
that there are not any active alerts and that the “resolved from last 24 hours” counter should
have incremented.
14. The operations tile shows the alert we saw in step 8 as resolved:
15. Click the alert and see the new data about the resolved time:
Check the Reports
16. Navigate back to https://aka.ms/aadconnecthealth
17. Click on the Sync tile. In the next tile, click on the tenant name. In the next blade, click on the
“Overview” Tile:
18. In the server list blade, click on the server name. You should see details about Last Export to
Azure AD, as well as the run profile latency
19. Click on the run profile chart and observe the different charts. Get familiar with what the graphs
tell you and how to position this. The goal of these reports is for the customer to identify trends
and have historical record on how the sync evolves over time and discover anomalies. Explore
with the different options (Time range, filter, hover over the different data points, etc. ).
Please note that if you have just set up the lab, these reports will contain few samples; this is
expected.
Task 2: Azure AD Connect Health for AD FS
Install Azure AD Connect Health Agent for AD FS
1. Follow the steps to install the Agent in the AD FS Servers (Federation Server and WAP) in this
link:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health-agent-install/#installing-the-azure-ad-connect-health-agent-for-ad-fs
2. Generate some AD FS traffic by logging in with several test users.
3. Navigate to https://aka.ms/aadconnecthealth. You should see a tile with the federation services
you are monitoring.
4. In the next tile, click on the federation service name. You should see a blade similar to the one
below with overview
Explore Properties Tile
1. In the main tile for your AD FS farm, click on the properties tile:
2. Check the various properties shown in the details blade.
Force an AD FS Service alert and see it in the Azure Portal
1. In the on-prem machine that runs Azure AD Connect, stop the AD FS Windows service. This will
generate a critical alert because AD FS is not running.
2. Restart the “Azure AD Connect Health AD FS Diagnostics Service” and “Azure AD Connect Health
AD FS Monitoring Service”. This will accelerate the agent detecting the condition in the portal.
Alternatively, you can wait 15 minutes.
3. Reload Azure AD Connect Health by navigating back to https://aka.ms/aadconnecthealth in
the browser. You should now see:
4. Click on the tenant name, and then expand the AD FS farm name in the next tile. A new blade
should open with 2 new active alerts in the Overview and Operations Sections as shown below.
5. Click on the operations tile to get more detail on the alert. Notice the Active Alert Section
contains a new alert that pinpoints exactly what the problem is:
6. Click on the active alert and you can see all the details. Notice all the state and Fix information.
7. Fix the problem by restarting the service per the instructions in the Azure Portal.
8. To refresh the state detection, restart the “Azure AD Connect Health AD FS Diagnostics Service”
and “Azure AD Connect Health AD FS Monitoring Service”. Note that this is only for the purposes of
this lab. In a real deployment the alert will go away on its own within 15 minutes.
9. Reload Azure AD Connect Health by navigating back to https://aka.ms/aadconnecthealth in
the browser. You should now see the main tile showing a healthy state that you saw in step 6
above.
10. Click again on the Azure AD Connect Sync tile, and then click again on the Operations tile. Note
that there are not any active alerts and that the “resolved from last 24 hours” counter should
have incremented.
11. The operations tile shows the alert we saw in step 8 as resolved:
12. Click the alert and see the new data about the resolved time:
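The two "force an alert" exercises above (Sync Service and AD FS Service) can also be driven from PowerShell instead of the Services console. This is an added example, not part of the original lab: the function name Invoke-HealthAlertDrill, its parameters and the wildcard used to find the Health agent services are assumptions, and the display name of the AD FS service must be supplied by you because the lab does not state it.

```powershell
# Added example, not part of the lab guide. Run from an elevated PowerShell
# session on the server that hosts the service being stopped.
function Invoke-HealthAlertDrill {
    [CmdletBinding()]
    param(
        # Display name of the monitored service, e.g. 'Microsoft Azure AD Sync'.
        [Parameter(Mandatory)][string]$MonitoredService,
        # 'Break' stops the service to raise the alert; 'Fix' starts it again.
        [Parameter(Mandatory)][ValidateSet('Break', 'Fix')][string]$Phase,
        # Wildcard (assumption) meant to match the Health agent services the lab
        # names: Sync Insights, AD FS Diagnostics and AD FS Monitoring.
        [string]$AgentPattern = 'Azure AD Connect Health*'
    )

    # Fail early if the display name is wrong, before anything is changed.
    $target = Get-Service -DisplayName $MonitoredService -ErrorAction Stop

    if ($Phase -eq 'Break') {
        Stop-Service -InputObject $target -Force   # -Force also stops dependents
    } else {
        Start-Service -InputObject $target
    }

    # Restarting the agents makes them re-evaluate state right away; per the
    # lab, the portal otherwise catches up on its own within 15 minutes.
    $agents = @(Get-Service -DisplayName $AgentPattern -ErrorAction SilentlyContinue)
    if ($agents.Count -eq 0) {
        Write-Warning "No service matches '$AgentPattern'; wait for the agent's normal cycle."
    } else {
        $agents | Restart-Service -Force
    }

    # Report the local state that the portal should now reflect.
    Get-Service -DisplayName $MonitoredService, $AgentPattern -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Status
}

# Sync lab usage: raise the alert, review it in the portal, then resolve it.
#   Invoke-HealthAlertDrill -MonitoredService 'Microsoft Azure AD Sync' -Phase Break
#   ... review the active alert at https://aka.ms/aadconnecthealth ...
#   Invoke-HealthAlertDrill -MonitoredService 'Microsoft Azure AD Sync' -Phase Fix
```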
Explore Monitoring Tile
3. Navigate to the main AD FS Farm Blade, and check the Monitoring Blade.
4. This will show performance counters in the different servers in the AD FS deployment. Explore
the different charting options available (hover over to see specific data points, right click to see
different filtering options, plot different counters, etc.). The screenshot below shows a
customized chart with a different time range and metric.
Explore Usage Analytics Tile
5. Close that blade, and check the Usage Analytics.
6. This will show aggregate usage metrics in the AD FS deployment. Explore the different charting
options available (hover over to see specific data points, right click to see different filtering
options, plot different metrics, etc.). The screenshot below shows a customized chart with a
different time range and metric.
Explore Reports Tile
1. Close that blade, and check the Reports Tile
4. In the notification blade, turn on the notification setting and select the “Notify all global
administrators” as it is shown below:
5. Repeat the lab “Force an alert in the Sync Service and see it in the Azure Portal”. Now, the
Global admins would get email notification whenever a critical alert is raised. Check the email of
the global admin:
6. Reset the AD Sync service to a good state. You will see a new email indicating that the alert is
resolved:
Task 4: Manage Role Based Access Control
Azure AD Connect Health for Sync is built as part of Azure AD Connect build versions newer than
November 2015. In this lab, you will get familiar with the Azure AD Connect Health data offered in the
Azure portal
1. Navigate to the main blade by going to https://aka.ms/aadconnecthealth
2. In the main blade, click on the users tile:
3. In the Users blade, click the ‘Add’ button. In the Roles blade, click on the ‘Reader’ role.
4. Assign the reader role to one of your test users who does not have any privileged roles:
5. After assigning the role, you should see one user in reader role in the consolidated list in the
Roles blade
6. In a separate browser, log in as the user you granted the reader role. Notice that settings such
as the Configure blade show in read-only mode for the Reader:
Learn More
Follow the link below for more details on Azure AD Connect Health:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health/