Check your on-premise ADFS health with Azure AD Connect Health
Jul
22
Written by:
Wednesday, July 22, 2015 11:14 AM
In this post I show the necessary main steps to install / configure “Azure AD Connect Health”
(in my Azure profile I have the German – language selected an so the text in the printscreens is in German)
You need a “Azure Active Directory Premium-License” to install this feature!
Login to your Azure Preview Portal
On the Marketplace look for “Health” (1) select (2) and create (3)
The Quickstart page opens
Under to “Quickstart” (Schnellstart) in the Tools section you have a link to download the ADFS Health Agent
(AdHelathAdfsAgentSetup.exe)
Copy the downloaded File to all your ADFS + ADFS Proxy Servers (in my case I have Sophos UTM as a ADFS proxy – but Forefront UAG oder Windows Server 2012 R2 Application Proxy works as well)
Install the agent on all ADFS Servers
Configure (press <Configure Now> button)
An elevated PowerShell window opens and then
An Azure – Login Windows appears – Login with an Admin account
Various PS Cmdlets are executed and different WARNINGS / links are displayed
At the end you get your ADFS Server (s) listed –> rmt.gibel.net in my case
You get a section with warnings (=Warnungen) / errors
in my case there are 4
Here are the 4 warnings listed
For each error you can open a property – window with additional help / links
The 2nd warning is a “disabled ADFS – auditing” – I describe how to enable to get rid of the warning msg.
Here is the link for more details: follow
Edit “Generate Security Audits” entry in GPO
Add ADFS service
run the following command
In the ADFS management mmc enable the following checkboxes
… after some time the warning is resolved (=Behobene Warnungen)
There are another 2 important things to consider:
1. The ADFS Service Account has Full control on the Private Key of the Certificate
to get rid of this error
2. Firewall rules that Azure gets the Audit Events from your on-prem ADFS Servers
Sophos UTM Firewall live log before creating the rule
….
at the end you should have ZERO “active warnings” (Aktive Warnungen)
in picture below you see the corrected (Behobene) warnings..
on the portal
after opening “Azure AD Connect Health” you see your actual Health of your on-prem ADFS environment
Additional Source: Azure Active Directory Connect Health