Check your on-premise ADFS health with Azure AD Connect Health

Wednesday, July 22, 2015 11:14 AM

In this post I show the main steps needed to install and configure “Azure AD Connect Health”.

(In my Azure profile German is the selected language, so the text in the screenshots is in German.)

You need an “Azure Active Directory Premium” license to install this feature!


Log in to your Azure Preview Portal

image

In the Marketplace, search for “Health” (1), select the result (2) and create it (3)

image

The Quickstart page opens

image

Under “Quickstart” (Schnellstart), in the Tools section, there is a link to download the ADFS Health Agent

(AdHealthAdfsAgentSetup.exe)

image

Copy the downloaded file to all your ADFS and ADFS proxy servers (in my case Sophos UTM is the ADFS proxy, but Forefront UAG or Windows Server 2012 R2 Application Proxy work as well)

image

Install the agent on all ADFS servers

image

image

Configure the agent (press the <Configure Now> button)

An elevated PowerShell window opens, and then an Azure login window appears; log in with an admin account

image

Various PowerShell cmdlets are executed and several WARNINGS and links are displayed

image

At the end your ADFS server(s) are listed: rmt.gibel.net in my case

image

You get a section with warnings (Warnungen) and errors; in my case there are 4

image

Here the 4 warnings are listed

image

For each error you can open a properties window with additional help and links

The 2nd warning is “ADFS auditing disabled”; I describe how to enable auditing to get rid of the warning message.

Here is the link for more details: follow

Edit the “Generate Security Audits” entry in the GPO

image

Add the ADFS service account

image

Run the following command (shown in the screenshot)

image

In the ADFS Management MMC, enable the following checkboxes

image
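The three manual steps above (audit policy, user right, ADFS log level) are easy to get half-done, so here is a small check-and-fix script I added for this post; it is not code from the original article or from Microsoft. It assumes an elevated PowerShell on a Windows Server 2012 R2 ADFS server with the ADFS module, and that the “Generate Security Audits” user right has already been granted via GPO (that GPO step is reported, not automated). Run it without parameters to see the current state, or with `-Fix` to apply the missing settings.

```powershell
# Added example (not from the original post): verify and optionally apply the
# ADFS auditing settings that the walkthrough above configures by hand.
# Assumptions: elevated PowerShell on Windows Server 2012 R2 with the ADFS module;
# the "Generate Security Audits" user right is granted to the ADFS service
# account by GPO (only reported here, not changed).
[CmdletBinding()]
param([switch]$Fix)

Import-Module ADFS -ErrorAction Stop

# 1. Local audit policy: ADFS writes its audits into the "Application Generated"
#    subcategory, so success and failure auditing must be enabled there.
$auditLine = auditpol.exe /get /subcategory:"Application Generated" /r |
    ConvertFrom-Csv | Select-Object -First 1
$auditOk = $auditLine.'Inclusion Setting' -eq 'Success and Failure'
Write-Host ("Application Generated auditing: {0}" -f $auditLine.'Inclusion Setting')
if (-not $auditOk -and $Fix) {
    auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null
    $auditOk = $true
}

# 2. ADFS log level: the two checkboxes in the ADFS Management MMC correspond to
#    the SuccessAudits and FailureAudits values of the LogLevel property.
$current = (Get-AdfsProperties).LogLevel
$missing = @('SuccessAudits', 'FailureAudits') | Where-Object { $_ -notin $current }
Write-Host ("ADFS LogLevel: {0}" -f ($current -join ', '))
if ($missing -and $Fix) {
    # Add the audit levels to the existing set instead of replacing it.
    Set-AdfsProperties -LogLevel ($current + $missing)
    $missing = @()
}

# 3. Report the ADFS service account so the GPO user right can be cross-checked.
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
Write-Host ("ADFS service account (needs 'Generate Security Audits'): {0}" -f $svc.StartName)

if ($auditOk -and -not $missing) {
    Write-Host "Auditing is configured; the Connect Health warning should clear after the next upload."
} else {
    Write-Warning "Auditing is not fully configured. Re-run with -Fix to apply the missing settings."
}
```

The script keeps whatever log levels are already set and only adds the two audit levels, because replacing `LogLevel` outright would silently switch off Errors or Warnings logging that the farm relies on.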

After some time the warning is listed as resolved (Behobene Warnungen)

image

There are 2 more important things to consider:

1. The ADFS service account must have Full Control on the private key of the certificate

image

image

To get rid of this error:

image

2. Firewall rules so that Azure receives the audit events from your on-prem ADFS servers

image

Sophos UTM firewall live log before creating the rule

image


image
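Both items above can be checked from the ADFS server itself before looking at the portal. The following script is an example I added for this post, not code from the original article or from Microsoft. It assumes an elevated PowerShell on Windows Server 2012 R2 with the ADFS module, that the service communications certificate uses a CAPI (CSP) key stored under `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys` (CNG keys are stored elsewhere and are only reported), and that `$Endpoints` is a placeholder list you replace with the agent endpoints from the Azure AD Connect Health requirements documentation; the post itself names no endpoints, only `login.microsoftonline.com` is included as the login the agent already performs.

```powershell
# Added example (not from the original post): check (1) the ADFS service
# account's access to the private key of the service communications certificate
# and (2) outbound TCP 443 reachability for the Health agent.
# Assumptions: elevated PowerShell on Windows Server 2012 R2 with the ADFS
# module; CSP key under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys;
# $Endpoints is a placeholder list to be filled from the official requirements.
param(
    [string[]]$Endpoints = @('login.microsoftonline.com')  # placeholder, extend from the docs
)

Import-Module ADFS -ErrorAction Stop
Add-Type -AssemblyName System.Security

$svcAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
Write-Host "ADFS service account: $svcAccount"

# --- 1. Private key ACL of the service communications certificate ---
$thumb = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key in LocalMachine\My" }

$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $keyName) {
    # .NET exposes CspKeyContainerInfo only for CAPI keys; CNG keys need certutil.
    Write-Warning "Key is not a CSP key (probably CNG); inspect it with: certutil -v -store My $thumb"
} else {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $rights  = 0
    # Combine all Allow entries for the service account (there may be several).
    foreach ($ace in (Get-Acl $keyFile).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $svcAccount) {
            $rights = $rights -bor [int]$ace.FileSystemRights
        }
    }
    if (($rights -band $full) -eq $full) {
        Write-Host "OK: $svcAccount has Full Control on the private key file"
    } else {
        Write-Warning "$svcAccount lacks Full Control on $keyFile (certlm.msc > All Tasks > Manage Private Keys)"
    }
}

# --- 2. Outbound HTTPS reachability for the agent ---
foreach ($ep in $Endpoints) {
    $r = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ("TCP 443 to {0}: {1}" -f $ep, $state)
}
```

The ACL check compares the ACE identity with the literal `StartName` of the ADFS service, so if the service runs under a gMSA or the account is written in UPN form, adjust the comparison accordingly; the reachability loop only proves a TCP handshake, a proxy that inspects or terminates TLS can still break the upload even when the port reads as open.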

….

At the end you should have ZERO “active warnings” (Aktive Warnungen);

in the picture below you see the resolved (Behobene) warnings.

image

On the portal:


image

After opening “Azure AD Connect Health” you see the current health of your on-prem ADFS environment

image

Additional source: Azure Active Directory Connect Health