- Article
- 15 minutes to read
This article shows you how to install and configure Azure AD Connect Health agents.
learn howdownload agents.
supervision
Azure AD Connect Health is not available on China Sovereign Cloud.
Requirements
The following table lists the requirements for using Azure AD Connect Health:
| Application | Description |
|---|---|
| You have an Azure Active Directory (Azure AD) Premium (P1 or P2) subscription. | Azure AD Connect Health is a feature of Azure AD Premium (P1 or P2). For more information, seeSign up for Azure AD Premium. To start a 30-day free trial, seestart a test. |
| It is a hybrid identity administrator in Azure AD. | By default, only Global Administrator and Hybrid Identity Administrator accounts can install and configure health agents, access the portal, and perform operations in Azure AD Connect Health. For more information, seeManage your Azure AD directory. You can allow other users in your organization to access Azure AD Connect Health by using Azure role-based access control (Azure RBAC). For more information, seeAzure RBAC para Azure AD Connect Health. Important: Use a work or school account to install agents. You cannot use a Microsoft account to install agents. For more information, seeSign up as an organization for Azure. |
| The Azure AD Connect Health agent is installed on each target server. | Health agents must be installed and configured on the destination servers to receive data and provide monitoring and analysis capabilities. For example, to pull data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on both the AD FS server and the Web Application Proxy server. Similarly, you must install the agent on domain controllers to pull data from your on-premises Azure Active Directory Domain Services (Azure AD DS) infrastructure. |
| Azure service endpoints have outbound connectivity. | During installation and runtime, the agent requires connectivity to the Azure AD Connect Health service endpoints. If firewalls are blocking outgoing connections, add themoutbound connectivity endpointsin a white list. |
| Outbound connectivity is based on IP addresses. | For information on IP address-based firewall filtering, seeAzure IP Ranges. |
| Outbound TLS inspection is filtered or disabled. | The agent registration step or data upload operations can fail when there is TLS inspection or termination of outgoing traffic at the network layer. For more information, seeConfigure TLS inspection. |
| The firewall ports on the server run the agent. | The agent requires the following firewall ports to be open to communicate with the Azure AD Connect Health service endpoints: - Puerto TCP 443 - Puerto TCP 5671 The latest version of the agent does not require port 5671. Please upgrade to the latest version so that only port 443 is required. For more information, seePorts and protocols required for hybrid identity. |
| When Internet Explorer Enhanced Security is turned on, allow specific websites. | If Internet Explorer Enhanced Security is enabled, allow the following websites on the server where you are installing the agent: - https://login.microsoftonline.com - https://secure.aadcdn.microsoftonline-p.com - https://login.windows.net - https://aadcdn.msftauth.net - Your organization's federation server that is trusted by Azure AD (for example, https://sts.contoso.com).For more information, seeHow to configure Internet Explorer. If you have a proxy on your network, please read the note at the end of this table. |
| PowerShell version 5.0 or higher is installed. | Windows Server 2016 includes PowerShell-Version 5.0. |
Important
Windows Server Core does not support installing the Azure AD Connect Health agent.
supervision
If you have a highly blocked and restricted environment, you should add more URLs than are listed in the Internet Explorer Enhanced Security table. Also add the URLs listed in the table in the next section.
New agent versions and automatic updates
When a new version of the Health Agent is released, all existing installed agents are automatically updated.
Outbound connectivity to Azure service endpoints
During installation and runtime, the agent requires connectivity to the Azure AD Connect Health service endpoints. If firewalls are blocking outgoing connections, make sure the URLs in the following table are not blocked by default.
Do not disable security monitoring or scanning for these URLs. Instead, allow them like any other Internet traffic.
These URLs allow communication with the Azure AD Connect Health service endpoints. You will learn how to do this later in this article.Check Outbound Connectivityto useTest-AzureADConnectHealthKonnektivität.
| domain environment | Required Azure service endpoints |
|---|---|
| general public | -*.blob.core.windows.net - *.aadconnecthealth.azure.com - **.servicebus.windows.net- Port: 5671 (if 5671 is blocked, the agent falls back to 443, but we recommend you use port 5671. This endpoint is not needed in the latest version of the agent.)- *.adhybridhealth.azure.com/- https://management.azure.com - https://policykeyservice.dc.ad.msft.net/ - https://login.windows.net - https://login.microsoftonline.com - https://secure.aadcdn.microsoftonline-p.com - https://www.office.com(This endpoint is only used for discovery purposes during registration.)- https://aadcdn.msftauth.net - https://aadcdn.msauth.net |
| blue germany | -*.blob.core.cloudapi.de - *.servicebus.cloudapi.de - *.aadconnecthealth.microsoftazure.de - https://management.microsoftazure.de - https://policykeyservice.aadcdi.microsoftazure.de - https://login.microsoftonline.de - https://secure.aadcdn.microsoftonline-p.de - https://www.office.de(This endpoint is only used for discovery purposes during registration.)- https://aadcdn.msftauth.net - https://aadcdn.msauth.net |
| blue government | -*.blob.core.usgovcloudapi.net - *.servicebus.usgovcloudapi.net - *.aadconnecthealth.microsoftazure.us - https://management.usgovcloudapi.net - https://policykeyservice.aadcdi.azure.us - https://login.microsoftonline.us - https://secure.aadcdn.microsoftonline-p.com - https://www.office.com(This endpoint is only used for discovery purposes during registration.)- https://aadcdn.msftauth.net - https://aadcdn.msauth.net |
download agents
To download and install the Azure AD Connect Health agent:
- make sure you know themRequirementspara instalar Azure AD Connect Health.
- Introduction to Azure AD Connect Health for AD FS:
- Download the Azure AD Connect Health agent for AD FS.
- Watch theinstallation guide.
- Get started with Azure AD Connect Health to sync:
- Download and install the latest version of Azure AD Connect. Sync Health Agent is installed as part of the Azure AD Connect installation (version 1.0.9125.0 or later).
- Introduction to Azure AD Connect Health for Azure AD DS:
- Download the Azure AD Connect Health agent for Azure AD DS.
- Watch theinstallation guide.
Install Agent for AD FS
supervision
Your AD FS server must be separate from your synchronization server. Do not install the AD FS agent on your synchronization server.
Before you install the agent, make sure that the AD FS server host name is unique and does not exist in the AD FS service.
To start the agent installation, double-click the.exefile you downloaded. Select in the first dialoginstall.
Select after the installation is completeconfigure now.
A PowerShell window opens to start the agent registration process. If prompted, sign in with an Azure AD account that has permissions to register the agent. By default, the hybrid identity administrator account has permissions.
After you sign in, PowerShell continues with the installation. When you're done, you can close PowerShell. The setup is complete.
At this point, the agent services should automatically start allowing the agent to securely upload the necessary data to the cloud service.
If you don't meet all the prerequisites, warnings will appear in the PowerShell window. Be sure to fill them outRequirementsbefore installing the agent. The following screenshot shows an example of these alerts.
To verify that the agent has been installed, look for the following services on the server. If you've completed setup, they should already be running. Otherwise, they will be suspended until the setup is complete.
- Azure AD Connect Health AD FS-Diagnóstico
- Implementation of Azure AD Connect Health AD FS Insights
- Azure AD Connect Health AD FS Monitoring Service
Enable auditing for AD FS
supervision
This section only applies to AD FS servers. You do not need to perform these steps on web application proxies.
The usage analytics feature needs to collect and analyze data, so the Azure AD Connect Health agent needs the information in the AD FS audit logs. By default, these protocols are not enabled. Use the following procedures to enable AD FS auditing and find AD FS audit logs on your AD FS servers.
How to enable auditing for AD FS on Windows Server 2012 R2
Open from the home screenserver administratorand then openlocal security policy. Or open in the taskbarserver administratorand then selectTools/Local Security Policy.
I'm going toSecurity Settings\Local Policies\User Rights AssignmentsBinder. double clickGenerate security audits.
NOlocal security settingsOn the tab, make sure the AD FS service account is listed. If it is not on the list, selectAdd user or groupand add the AD FS service account to the list. then selectOK.
To enable auditing, open a command prompt window as an administrator and run the following command:
auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enableFencelocal security policy.
Important
The remaining steps are only required for primary AD FS servers.
open thisADFS Administrationto break. (inserver administrator, chooseTool>ADFS Administration.)
NOBehaviorpanel, selectEdit Federation Service Properties.
NOFederation Service PropertiesChoose the dialogeventsab.
Choosesuccessful auditsmierror checkscheck the box and then selectOK.
Use the following command to enable verbose logging via PowerShell:
Set-AdfsProperties -LOGLevel verbose
How to enable auditing for AD FS on Windows Server 2016
Open from the home screenserver administratorand then openlocal security policy. Or open in the taskbarserver administratorand then selectTools/Local Security Policy.
I'm going toSecurity Settings\Local Policies\User Rights AssignmentsBinder. double clickGenerate security audits.
(Video) Azure AD Connect Cloud Sync: How to install and configure an agentNOlocal security settingsOn the tab, make sure the AD FS service account is listed. If it is not on the list, selectAdd user or groupand add the AD FS service account to the list. then selectOK.
To enable auditing, open a command prompt window as an administrator and run the following command:
auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enableFencelocal security policy.
Important
The remaining steps are only required for primary AD FS servers.
open thisADFS Administrationto break. (inserver administrator, chooseTool>ADFS Administration.)
NOBehaviorpanel, selectEdit Federation Service Properties.
NOFederation Service PropertiesChoose the dialogeventsab.
Choosesuccessful auditsmierror checkscheck the box and then selectOK. Success checks and error checks should be enabled by default.
Open a PowerShell window and run the following command:
Set-AdfsProperties -AuditLevel Verbose
By default, the basic audit level is enabled. For more information, seeImproved AD FS monitoring in Windows Server 2016.
How to find AD FS audit logs
OpenEvents viewer.
Gonnawindows registriesand then selectSecurity.
Select in the right panefilter current recordings.
Forevent sources, chooseAD FS Audit.
For more information about audit logs, seeoperational questions.
use
Group Policy can disable AD FS auditing. When AD FS monitoring is disabled, usage analytics for login activities is not available. Make sure you don't have a group policy that disables AD FS auditing.
Install the sync agent
The Azure AD Connect Health Sync Agent is automatically installed on the latest version of Azure AD Connect. To use Azure AD Connect for synchronization,Download the latest version of Azure AD Connectand install it.
To verify that the agent has been installed, look for the following services on the server. When you have completed the configuration, the services should already be running. Otherwise, the services will be stopped until the configuration is complete.
- Azure AD Connect Health Sync Insights-Dienst
- Azure AD Connect Health Sync Monitoring Service
supervision
Remember that you must have Azure AD Premium (P1 or P2) to use Azure AD Connect Health. If you don't have Azure AD Premium, you won't be able to complete the setup in the Azure portal. For more information, seeRequirements.
Manually register Azure AD Connect Health for synchronization
If Azure AD Connect Health to Sync agent registration fails after successfully installing Azure AD Connect, you can use a PowerShell command to manually register the agent.
Important
Use this PowerShell command only if agent registration fails after installing Azure AD Connect.
Manually register the Azure AD Connect Health agent for synchronization using the following PowerShell command. Azure AD Connect Health services will start after the agent has successfully registered.
Registro-AzureADConnectHealthSyncAgent -AttributeFiltering $true -StagingMode $false
The command takes the following parameters:
attribute filter:$true(Default) if Azure AD Connect hasn't synchronized the default attribute set and has customized it to use a filtered attribute set. Otherwise use$incorrect.StagingMode:$incorrect(Default) if it is the Azure AD Connect serverNOin stage mode. If the server is configured for preparation mode, use$true.
When prompted for authentication, use the same global administrator account (eg.admin@dominio.onmicrosoft.com) that you used to configure Azure AD Connect.
Install Agent for Azure AD DS
To start the agent installation, double-click the.exefile you downloaded. Select in the first windowinstall.
After the installation is complete, selectconfigure now.
A command prompt window will open. PowerShell is runningRegistro-AzureADConnectHealthADDSAgent. If prompted, sign in to Azure.
After you sign in, PowerShell continues. When you're done, you can close PowerShell. The setup is complete.
At this point, the services should start automatically, allowing the agent to monitor and collect data. If you haven't met all of the prerequisites described in the previous sections, warnings will appear in the PowerShell window. Be sure to fill them outRequirementsbefore installing the agent. The following screenshot shows an example of these alerts.
To verify that the agent is installed, look for the following services on the domain controller:
- Servicio Insights para AD DS para Azure AD Connect Health
- Azure AD Connect Health AD DS Monitoring Service
When you have completed the configuration, these services should already be running. Otherwise, they will be paused until the setup is complete.
Quickly install the agent on multiple servers
Create a user account in Azure AD. Protect the account with a password.
Assign the owner roleto this on-premises Azure AD account in Azure AD Connect Health through the portal. Assign the role to all service instances.
download the.exeMSI file on the local domain controller for installation.
Run the following script. Replace the parameters with your new user account and password.
AdHealthAddsAgentSetup.exe /quietStart-Sleep 30$userName = "NEWUSER@DOMAIN"$secpasswd = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force$myCreds = Novo objeto System.Management.Automation.PSCredential ($userName, $secpasswd)import - módulo „C:\Archivos de programa\Azure Ad Connect Health Adds Agent\PowerShell\AdHealthAdds“Register-AzureADConnectHealthADDSAgent -Credential $myCreds
When you're done, you can remove access to the local account by doing one or more of the following tasks:
- Remove the role assignment for the local account from Azure AD Connect Health.
- Rotate the local account password.
- Disable the local Azure AD account.
- Delete the local account from Azure AD.
Register the agent with PowerShell
After installing the appropriate agentsetup.exefile, you can register the agent using the following PowerShell commands, depending on the role. Open PowerShell as administrator and run the appropriate command:
Registry-AzureADConnectHealthADFSAgent Registry-AzureADConnectHealthADDSAgent Registry-AzureADConnectHealthSyncAgentsupervision
To register with Sovereign Clouds, use the following command lines:
Register-AzureADConnectHealthADDSAgent –UserPrincipalName upn-of-the-userRegister-AzureADConnectHealthADDSAgent –UserPrincipalName upn-of-the-userRegister-AzureADConnectHealthSyncAgent –UserPrincipalName upn-of-the-useraccept these commandscredentialsas a parameter to complete registration non-interactively or to complete registration on a computer running Server Core. Consider these factors:
- you can capture
credentialsin a PowerShell variable passed as a parameter. - You can specify any Azure AD identity that has permissions to register the agents and does notNOHave multi-factor authentication enabled.
- By default, global administrators have permissions to register agents. You can also allow less privileged identities to perform this step. For more information, seeAzure-RBAC.
$cred = Get-Credential Register-AzureADConnectHealthADFSAgent -Credential $credConfigure Azure AD Connect Health agents to use HTTP proxy
You can configure Azure AD Connect Health agents to work with an HTTP proxy.
supervision
Netsh WinHttp definir ProxyServerAddressis not supported. The agent uses System.Net instead of Windows HTTP services to make web requests.- The configured HTTP proxy address is used to pass encrypted HTTPS messages.
- Authenticated proxies (using HTTPBasic) are not supported.
Change agent proxy settings
To configure the Azure AD Connect Health agent to use an HTTP proxy, you can:
- Import existing proxy settings.
- Specify proxy addresses manually.
- Delete existing proxy settings.
supervision
To update the proxy settings, you must restart all Azure AD Connect Health agent services. Run the following command to restart all agents:
Restart the AdHealthAdfs* service
Import existing proxy settings
You can import Internet Explorer HTTP proxy settings so that Azure AD Connect Health agents can use the settings. Run the following PowerShell command on each of the servers running the Health Agent:
Establecer-AzureAdConnectHealthProxySettings-ImportFromInternetSettingsYou can import WinHTTP proxy settings so that Azure AD Connect Health agents can use them. Run the following PowerShell command on each of the servers running the Health Agent:
Establecer-AzureAdConnectHealthProxySettings-ImportFromWinHttpSpecify proxy addresses manually
You can specify a proxy server manually. Run the following PowerShell command on each of the servers running the Health Agent:
Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress address:portHere's an example:
Establecer-AzureAdConnectHealthProxySettings-HttpsProxyAddress myproxyserver: 443
In this example:
- o
ADDRESSThe configuration can be a resolvable DNS server name or an IPv4 address. - you can skip
porta. In this case, 443 is the default port.
Delete existing proxy settings
You can remove existing proxy settings by running the following command:
Establecer-AzureAdConnectHealthProxySettings-NoProxyRead current proxy settings
You can read the current proxy settings by running the following command:
Get-AzureAdConnectHealthProxySettingsTest connectivity to the Azure AD Connect Health service
Occasionally, the Azure AD Connect Health agent loses connectivity to the Azure AD Connect Health service. The causes of this connection loss can be network issues, permission issues, and various other issues.
If the agent is unable to send data to the Azure AD Connect Health service for more than two hours, the following warning is displayed in the portal:The data of the health service is not updated.
You can find out if the affected Azure AD Connect Health agent can upload data to the Azure AD Connect Health service by running the following PowerShell command:
Prueba-AzureADConnectHealthConnectivity – Rolle ADFSopaperThe parameter currently takes the following values:
ADFSSynchronizeHE ADDS
supervision
To use the connectivity tool, you must first register the agent. If you are unable to complete the agent registration, please make sure to complete them allRequirementsfor Azure AD Connect Health. By default, connectivity is tested during agent registration.
Next steps
See the following related articles:
- Azure AD Connect Status
- Azure AD Connect Health operations
- Uso de Azure AD Connect Health con AD FS
- Using Azure AD Connect Health to sync
- Uso de Azure AD Connect Health con Azure AD DS
- Azure AD Connect status FAQ
- Azure AD Connect Health - Version Versions