Check your on-premise ADFS health with Azure AD Connect Health
Wednesday, July 22, 2015 11:14 AM
In this post I show the main steps needed to install and configure “Azure AD Connect Health”.
(In my Azure profile German is the selected language, so the text in the screenshots is in German.)
You need an “Azure Active Directory Premium” license to install this feature!
Log in to your Azure Preview Portal

In the Marketplace search for “Health” (1), select it (2) and create it (3)

The Quickstart page opens

Under “Quickstart” (Schnellstart), in the Tools section, there is a link to download the ADFS Health Agent
(AdHealthAdfsAgentSetup.exe)

Copy the downloaded file to all your ADFS and ADFS Proxy servers (in my case I have a Sophos UTM as ADFS proxy, but Forefront UAG or the Windows Server 2012 R2 Web Application Proxy work as well)

Install the agent on all ADFS servers


Configure (press the <Configure Now> button)
An elevated PowerShell window opens, and then
an Azure login window appears; log in with an admin account

Various PowerShell cmdlets are executed and various WARNINGS / links are displayed

At the end your ADFS server(s) are listed -> rmt.gibel.net in my case

You get a section with warnings (= Warnungen) / errors;
in my case there are 4

Here are the 4 warnings listed

For each warning you can open a property window with additional help / links.
The 2nd warning is “disabled ADFS auditing”; below I describe how to enable auditing to get rid of this warning.
Here is the link for more details: follow
Edit “Generate Security Audits” entry in GPO

Add ADFS service

Run the following command

In the ADFS management MMC enable the following checkboxes

… after some time the warning is resolved (=Behobene Warnungen)
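As an added example (not from the original post), a PowerShell check that verifies the three auditing settings above on a 2012 R2 ADFS server: the “Generate security audits” right for the service account, the “Application Generated” audit subcategory, and the success/failure audit checkboxes in the Federation Service properties. It assumes it is run elevated on the ADFS server with the ADFS module installed and a domain service account (not LocalSystem) running the adfssrv service.

```powershell
# Added example: verify the ADFS auditing prerequisites on an ADFS server.
# Assumes: run elevated on the ADFS server; ADFS PowerShell module present;
# adfssrv runs under a domain service account (LocalSystem cannot be translated below).

# 1. The ADFS service account must hold "Generate security audits" (SeAuditPrivilege).
$svc        = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
$svcAccount = $svc.StartName      # e.g. DOMAIN\svc_adfs, read from the machine
$sid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local security policy and look for the SID in SeAuditPrivilege.
$inf = Join-Path $env:TEMP 'secpol-audit-check.inf'
secedit /export /cfg $inf /quiet | Out-Null
$line     = Select-String -Path $inf -Pattern '^SeAuditPrivilege' | Select-Object -First 1
$hasRight = [bool]$line -and ($line.Line -match [regex]::Escape($sid))
Remove-Item $inf -ErrorAction SilentlyContinue
"SeAuditPrivilege granted to $svcAccount : $hasRight"

# 2. The 'Application Generated' subcategory must audit success and failure.
#    /r returns CSV; blank lines are dropped before parsing.
$pol = auditpol.exe /get /subcategory:"Application Generated" /r |
       Where-Object { $_ -ne '' } | ConvertFrom-Csv
$setting = ($pol | Where-Object { $_.Subcategory -eq 'Application Generated' }).'Inclusion Setting'
"Application Generated audit policy : $setting (expected: Success and Failure)"

# 3. Success/Failure audits must be enabled in the Federation Service properties
#    (the two checkboxes in the ADFS management console map to LogLevel entries).
Import-Module ADFS
$level    = (Get-AdfsProperties).LogLevel
$auditsOn = ($level -contains 'SuccessAudits') -and ($level -contains 'FailureAudits')
"ADFS success/failure audits enabled : $auditsOn"
if (-not $auditsOn) {
    # Equivalent of ticking both checkboxes (left as a hint, not executed here):
    "Remediation: Set-AdfsProperties -LogLevel (`$level + 'SuccessAudits','FailureAudits' | Select-Object -Unique)"
}
```

Run it again after the GPO refresh (gpupdate /force) to confirm the first check turns true before expecting the warning to clear in the portal.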

There are another two important things to consider:
1. The ADFS service account must have Full Control on the private key of the certificate


to get rid of this error

2. Firewall rules so that Azure can receive the audit events from your on-prem ADFS servers

Sophos UTM Firewall live log before creating the rule


….
At the end you should have ZERO “active warnings” (Aktive Warnungen);
in the picture below you see the resolved (Behobene) warnings.

On the portal

After opening “Azure AD Connect Health” you see the current health of your on-prem ADFS environment

Additional Source: Azure Active Directory Connect Health