Securing Hybrid Identities with Azure AD Connect Health
06/01/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in using Microsoft Entra Connect Health (formerly Azure AD Connect Health) to monitor and secure hybrid identities. Azure AD Connect Health is a monitoring service that provides a consolidated view of your on-premises identity infrastructure, including Azure AD Connect, Active Directory Federation Services (AD FS), and Active Directory domain controllers, helping to ensure that identity synchronization and authentication work reliably and securely [1].
Introduction
For many organizations, identity management is a complex challenge, especially in hybrid environments where identities exist in both on-premises Active Directory and Microsoft Entra ID in the cloud. Synchronizing and authenticating these identities is critical for accessing resources and services. Synchronization failures or performance issues can lead to service interruptions, security issues, and user frustration. Azure AD Connect Health provides monitoring and reporting tools that enable you to proactively identify and resolve hybrid identity issues, ensuring the health and security of your environment [2].
This practical guide will cover installing Azure AD Connect Health agents, configuring monitoring, analyzing sync reports, identifying and troubleshooting common errors, and best practices for maintaining a healthy and secure hybrid identity environment. Step-by-step instructions, interface usage examples, and validation methods will be provided so that readers can implement and manage Azure AD Connect Health effectively, protecting their hybrid identities and ensuring business continuity.
Why is Azure AD Connect Health crucial?
- Proactive Monitoring: Provides alerts and notifications about sync, performance, and availability issues before they impact users.
- Centralized Visibility: Provides a single pane of glass to monitor the health of all components of your hybrid identity infrastructure.
- Detailed Reporting: Generates reports on sync errors, authentication activities, and AD FS usage, facilitating auditing and compliance.
- Simplified Troubleshooting: Helps diagnose and resolve sync and authentication issues quickly, reducing downtime.
- Enhanced Security: Identifies misconfigurations and suspicious usage patterns that may indicate security risks.
Prerequisites
To use Azure AD Connect Health, you will need the following items:
- Licensing: Microsoft Entra Connect Health requires Microsoft Entra ID P1 or P2; it is not included in the Free tier. Microsoft's licensing page also ties the number of registered agents to license counts (the first agent needs one P1/P2 license, each additional agent needs 25 more), so check it before planning an agent for every AD FS server and domain controller [3].
- Administrative Access: An account holding the Global Administrator role in Microsoft Entra ID to configure the service and register agents. The Hybrid Identity Administrator role also satisfies agent registration and is the less privileged choice.
- Azure AD Connect: An instance of Azure AD Connect must be installed and configured to synchronize identities between on-premises Active Directory and Microsoft Entra ID.
- Network Connectivity: The Azure AD Connect server, and any AD FS server or domain controller that will run an agent, must have outbound connectivity to the Azure AD Connect Health endpoints over TCP port 443 (directly or through an HTTPS proxy).
Step by Step: Configuring and Using Azure AD Connect Health
We'll cover installing the agents and monitoring identity synchronization.
1. Accessing the Microsoft Entra admin center
- Open your browser and navigate to https://entra.microsoft.com.
- Sign in with an account that has the necessary permissions.
- In the left navigation pane, select Identity > Hybrid management > Microsoft Entra Connect. The same blade is reachable from the Azure portal under Microsoft Entra ID > Microsoft Entra Connect.
2. Installing the Azure AD Connect Health Agents
The sync agent is installed automatically with Azure AD Connect. If you need to reinstall it, or install the AD FS agent on federation or Web Application Proxy servers or the AD DS agent on domain controllers, follow these steps:
- On the Microsoft Entra Connect page, click Microsoft Entra Connect Health.
- In the Connect Health left navigation pane, select the service type you want to monitor (Sync services, AD FS services, or AD DS services).
- If the agent is not installed or is out of date, you will see a warning. Click Install agent or Download agent. The download is role-specific: the AD FS and AD DS installers are named AdHealthAdfsAgentSetup.exe and AdHealthAddsAgentSetup.exe, while the sync agent ships inside the Azure AD Connect installer itself.
- Run the installer on the server to be monitored (the Azure AD Connect server, an AD FS or Web Application Proxy server, or a domain controller).
- Follow the wizard's instructions. During installation, you will be prompted to sign in with a Microsoft Entra ID Global Administrator (or Hybrid Identity Administrator) account to register the agent with your tenant.
- After successful installation, the agent begins collecting and sending data to the Azure AD Connect Health service. Allow a few minutes before expecting the server to appear in the portal.
3. Monitoring Identity Synchronization
The Azure AD Connect Health dashboard provides a detailed view of your sync status.
- In the Azure AD Connect Health dashboard, select Sync services.
- You will see a list of sync services. Click your service (it is listed under the name of the Azure AD Connect server).
- The overview panel will display:
- Sync Status: Indicates whether synchronization is working correctly.
- Sync Errors: A chart and list of sync errors that need to be resolved.
- Sync Latency: The time it takes for changes to be synced.
- Exported Changes: The number of objects that were exported to Microsoft Entra ID.
4. Analyzing Synchronization Errors
Azure AD Connect Health helps you identify and diagnose sync errors.
- In the sync service overview, click the Sync Errors section.
- You will see a list of errors grouped by category (for example Duplicate Attribute, Data Mismatch, Data Validation Failure, Large Attribute).
- Click on a specific error to view details, including:
- Affected Objects: A list of the objects that are causing the error.
- Error Details: A description of the error and suggested resolution.
- Conflicting Attributes: If it is an attribute conflict, which attributes are causing the problem.
5. Monitoring AD FS (if applicable)
If you use AD FS for federation, Azure AD Connect Health can monitor the health and performance of your AD FS servers.
- In the Azure AD Connect Health dashboard, select Federation Services.
- You will see an overview of your AD FS environment, including:
- Server Status: Health of AD FS and Web Application Proxy servers.
- Authentication Errors: Reports on failed authentication attempts.
- Performance: Performance metrics for authentication requests.
6. Monitoring Domain Controllers (if applicable)
Azure AD Connect Health can also monitor the health of your on-premises domain controllers.
- In the Azure AD Connect Health dashboard, select Active Directory Domain Services.
- You will see an overview of your domain controllers, including:
- Server Status: Health of domain controllers.
- Alerts: Warnings about replication, performance, or other issues.
Validation and Testing
Validating your Azure AD Connect Health implementation is crucial to ensure it is monitoring correctly and providing accurate information.
1. Checking Agent Status
- In the Azure AD Connect Health portal, verify that the agent status is 'Active' for all relevant servers (Azure AD Connect, AD FS, Domain Controllers).
2. Simulating a Synchronization Error
- In a test environment, create a user in on-premises Active Directory with an attribute that collides with an object already synced to Microsoft Entra ID (for example, a proxyAddresses value that duplicates an existing user's SMTP address). Do this only in a lab: the conflict is reported on the tenant side as a Duplicate Attribute error until the data is corrected.
- Force an Azure AD Connect delta sync cycle from an elevated PowerShell session on the Azure AD Connect server:

```powershell
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

- Wait a few minutes and check the Azure AD Connect Health dashboard to see whether the sync error was detected and reported.
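To make the simulation repeatable, here is an added PowerShell script (not from the original article) that performs the three steps above end to end on the Azure AD Connect server: it copies the primary SMTP address of an existing synced user into a new lab account, forces a delta cycle and waits for the scheduler to report it finished, and can remove the account again with -Cleanup. The user names and OU path are assumptions; run it only in a lab tenant.

```powershell
#Requires -Modules ActiveDirectory, ADSync
# Added example, not part of the original article. Run on the Azure AD Connect server
# of a LAB environment only. Assumptions: $ExistingSamAccountName is a user already
# synced to Microsoft Entra ID, $TestOu is inside the Azure AD Connect sync scope, and
# the test account name is unused. proxyAddresses is the only attribute that collides.

param(
    [string]$ExistingSamAccountName = 'jdoe',                     # assumed existing synced user
    [string]$TestSamAccountName     = 'synctest01',               # assumed lab-only test account
    [string]$TestOu                 = 'OU=Lab,DC=contoso,DC=com',  # assumed OU inside sync scope
    [switch]$Cleanup                                              # remove the test user instead
)

Import-Module ActiveDirectory
Import-Module ADSync

function Wait-ADSyncIdle {
    # Never start a cycle while the scheduler reports one in progress; poll until idle.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
}

function Invoke-DeltaSyncAndWait {
    Wait-ADSyncIdle
    $result = Start-ADSyncSyncCycle -PolicyType Delta
    Start-Sleep -Seconds 5   # give the scheduler a moment to flag the new cycle
    Wait-ADSyncIdle          # import, sync and export must all finish before the error is reported
    return $result.Result
}

if ($Cleanup) {
    Remove-ADUser -Identity $TestSamAccountName -Confirm:$false
    Write-Host "Removed $TestSamAccountName; delta sync result: $(Invoke-DeltaSyncAndWait)"
    return
}

# 1. Take the primary SMTP address of the existing user; this is the value we duplicate.
$existing = Get-ADUser -Identity $ExistingSamAccountName -Properties proxyAddresses
$primary  = @($existing.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0]
if (-not $primary) { throw "$ExistingSamAccountName has no primary SMTP address in proxyAddresses." }

# 2. Create the conflicting user. UPN and sAMAccountName stay unique so that only
#    proxyAddresses triggers the Duplicate Attribute error.
$upn = "$TestSamAccountName@$((Get-ADDomain).DNSRoot)"
New-ADUser -Name $TestSamAccountName -SamAccountName $TestSamAccountName `
    -UserPrincipalName $upn -Path $TestOu -Enabled $false `
    -OtherAttributes @{ proxyAddresses = $primary }

# 3. Force a delta cycle and wait for it to complete.
$status = Invoke-DeltaSyncAndWait
Write-Host "Created $TestSamAccountName with $primary; delta sync result: $status"
Write-Host "Now check Sync errors in Connect Health (and Synchronization Service Manager) for a Duplicate Attribute entry."
```

Save it as, for example, Simulate-SyncError.ps1 (an assumed name), run it once to create the conflict, confirm the error and the e-mail alert arrive, then run it again with -Cleanup so the lab returns to a clean state and the error clears on the next cycle.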
3. Checking Alerts and Notifications
- Make sure email notifications are configured for critical alerts in Azure AD Connect Health.
- Check your inbox to see if you received alerts about the simulated sync error.
Security Tips and Best Practices
- Comprehensive Installation: Install Azure AD Connect Health agents on all relevant servers (Azure AD Connect, AD FS, Domain Controllers) to get a complete view of your identity infrastructure.
- Alerts Configuration: Configure alerts for critical synchronization, performance and availability events to be proactively notified about issues.
- Regular Error Review: Regularly monitor and resolve sync errors to maintain identity data integrity and prevent access issues.
- Azure AD Connect maintenance: Keep your Azure AD Connect software up to date to ensure you have the latest features and security fixes.
- Backup and Recovery: Have a backup and recovery plan for your Azure AD Connect server and on-premises Active Directory database.
- Principle of Least Privilege: Ensure that the Azure AD Connect service account and accounts used by Connect Health agents have only the necessary permissions.
- Server Security: Protect your Azure AD Connect server and AD FS servers with best security practices (patching, antivirus, firewall, etc.) as they are critical components of your identity infrastructure.
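The least-privilege item is the one most often violated in practice, so here is an added PowerShell audit (not from the original article) for the Azure AD Connect server. It lists the logon accounts of the sync engine and Connect Health sync agent services, adds the default MSOL_* AD DS Connector accounts, and flags any of them that is a direct or nested member of a highly privileged Active Directory group. The service names, the MSOL_ naming convention of an Express installation, and the privileged group list are assumptions that fit a default deployment; extend them for custom accounts.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article. Run on the Azure AD Connect server.
# Assumptions: default service names, MSOL_* naming for the AD DS Connector account,
# and the privileged group list below.

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Get-ConnectServiceLogons {
    # Service logon accounts. A current install runs ADSync as the virtual account
    # NT SERVICE\ADSync and the Connect Health agents as LocalSystem; any domain
    # account that shows up here is the one worth auditing.
    $names = 'ADSync', 'AzureADConnectHealthSyncInsights', 'AzureADConnectHealthSyncMonitor'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -in $names } |
        Select-Object Name, StartName, State
}

function Get-NestedGroupNames {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) expands nested membership
    # server-side, so an account placed in a sub-group of Domain Admins is still found.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$DistinguishedName)" |
        Select-Object -ExpandProperty Name
}

function Test-ConnectAccountPrivileges {
    $netbios  = (Get-ADDomain).NetBIOSName
    $accounts = @()

    foreach ($svc in Get-ConnectServiceLogons) {
        # Keep only DOMAIN\user logons; skip NT SERVICE\, LocalSystem and local accounts.
        if ($svc.StartName -match "^$([regex]::Escape($netbios))\\(.+)$") { $accounts += $Matches[1] }
    }
    # AD DS Connector accounts created by Express settings are named MSOL_<hex>.
    $accounts += Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' |
                 Select-Object -ExpandProperty SamAccountName

    foreach ($sam in ($accounts | Sort-Object -Unique)) {
        $user   = Get-ADUser -Identity $sam
        $groups = @(Get-NestedGroupNames -DistinguishedName $user.DistinguishedName)
        $hits   = @($groups | Where-Object { $_ -in $privilegedGroups })
        [pscustomobject]@{
            Account          = $sam
            Enabled          = $user.Enabled
            PrivilegedGroups = ($hits -join ', ')
            Finding          = $(if ($hits.Count) { 'REVIEW: privileged membership' } else { 'OK' })
        }
    }
}

Test-ConnectAccountPrivileges | Format-Table -AutoSize
```

Group membership is only half of the picture. The AD DS Connector account is granted directory permissions as ACEs (for example the Replicating Directory Changes rights that password hash sync needs), which make it capable of the same DCSync-style replication an attacker uses to dump credentials. Review those ACEs separately and treat the connector account and the Azure AD Connect server as Tier 0 assets even when this audit reports OK.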
Common Troubleshooting
- Agent does not connect: Check network connectivity from the server to the Azure AD Connect Health endpoints. Verify that the firewall is allowing outbound traffic on port 443. Check the event logs on the server for agent-related errors.
- Outdated data on dashboard: There may be a delay in synchronizing agent data to the service. Verify that the agent is running on the server. Restart the agent service if necessary.
- Persistent sync errors: Review the error details in the Azure AD Connect Health dashboard. Use Azure AD Connect troubleshooting tools (e.g. Synchronization Service Manager) to investigate the root cause. Attribute conflicts are common and usually require correcting the data in on-premises Active Directory; Azure AD Connect Health reports them, it does not fix them.
- False alerts: Review alert settings and thresholds. Adjust them if they are generating too many irrelevant alerts.
- AD FS performance issues: Use Azure AD Connect Health to monitor AD FS performance metrics and identify bottlenecks. Check event logs on AD FS servers.
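As an added example covering step 2 (agent installation), validation step 1 (agent status) and the first two troubleshooting entries above, the following PowerShell script (not from the original article) checks a monitored server from the inside: whether the agent services are present and running, whether a few of the Connect Health endpoints answer on TCP 443, and whether the agent has logged errors recently. The service names are the ones the sync, AD FS and AD DS agents register; the endpoint list is an abbreviated sample and must be compared against Microsoft's current outbound-connectivity list for Connect Health (wildcard hosts such as *.adhybridhealth.azure.com cannot be tested by name).

```powershell
# Added example, not part of the original article. Run on a server that hosts a Connect
# Health agent (Azure AD Connect, AD FS/WAP, or a domain controller).
# Assumptions: default agent service names; the endpoint list is an abbreviated sample.

$agentServices = 'AzureADConnectHealthSyncInsights', 'AzureADConnectHealthSyncMonitor',
                 'AzureADConnectHealthAdfsInsights', 'AzureADConnectHealthAdfsMonitor',
                 'AzureADConnectHealthAddsInsights', 'AzureADConnectHealthAddsMonitor'

function Get-ConnectHealthAgentStatus {
    # Only the Insights/Monitor pair for the installed role exists on a given server.
    Get-Service -Name $agentServices -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

function Start-ConnectHealthAgentServices {
    # Troubleshooting step "restart the agent service": start any agent service that is not running.
    Get-ConnectHealthAgentStatus | Where-Object Status -ne 'Running' |
        ForEach-Object { Start-Service -Name $_.Name -PassThru }
}

function Test-ConnectHealthEndpoints {
    param([string[]]$Hosts = @('login.microsoftonline.com', 'management.azure.com',
                               'policykeyservice.dc.ad.msft.net'))
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port443 = $r.TcpTestSucceeded; RemoteAddress = $r.RemoteAddress }
    }
}

function Get-ConnectHealthAgentErrors {
    param([int]$Hours = 24)
    # Errors (level 2) and warnings (level 3) from the last $Hours hours that mention the agent.
    # Matching on message text instead of a provider name is an assumption that keeps this
    # working across agent versions; narrow it once you know the provider on your servers.
    $filter = @{ LogName = 'Application'; Level = 2, 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Connect Health|AdHealth' } |
        Select-Object TimeCreated, ProviderName, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

'== Agent services =='
Get-ConnectHealthAgentStatus | Format-Table -AutoSize
'== Endpoint reachability (TCP 443) =='
Test-ConnectHealthEndpoints | Format-Table -AutoSize
'== Agent errors/warnings in the last 24 h =='
Get-ConnectHealthAgentErrors | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. If the agent was configured to use an HTTPS proxy, a direct Test-NetConnection from the server can fail while the agent itself is healthy; in that case test from the proxy's point of view. And a service that is Running with no recent errors but a stale dashboard usually means the agent cannot authenticate to the service, which the agent's own connectivity test (Test-AzureADConnectHealthConnectivity, run interactively with the role of the server) reports in more detail than a port check can.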
Conclusion
Azure AD Connect Health is an indispensable tool for organizations operating hybrid identity environments. By providing proactive monitoring, centralized visibility, and troubleshooting capabilities, it empowers IT and security teams to maintain the health, performance, and security of their identity infrastructure. Effective implementation and management of Azure AD Connect Health ensures identity synchronization and authentication works reliably, minimizing disruptions and protecting against security threats. With this practical guide, security professionals will be able to strengthen the protection of hybrid identities, ensuring continuous and secure access to the organization's resources.
References:
[1] Microsoft Learn. What is Microsoft Entra Connect Health? Available at: https://learn.microsoft.com/pt-br/entra/identity/hybrid/connect/whatis-azure-ad-connect
[2] Microsoft Learn. Using Microsoft Entra Connect Health with sync. Available at: https://learn.microsoft.com/pt-br/entra/identity/hybrid/connect/how-to-connect-health-sync
[3] Microsoft Learn. Microsoft Entra Connect Health licensing requirements. Available at: https://learn.microsoft.com/pt-br/entra/identity/hybrid/connect/whatis-azure-ad-connect#license-requirements