Install the Azure AD Connect Health agents in Azure Active Directory - Microsoft Entra (2023)


This article shows you how to install and configure Azure AD Connect Health agents.

Learn how to download the agents.

Note

Azure AD Connect Health is not available on China Sovereign Cloud.

Requirements

The following table lists the requirements for using Azure AD Connect Health:

Requirement: You have an Azure Active Directory (Azure AD) Premium (P1 or P2) subscription.
Description: Azure AD Connect Health is a feature of Azure AD Premium (P1 or P2). For more information, see Sign up for Azure AD Premium. To start a free 30-day trial, see Start a trial.

Requirement: You're a Hybrid Identity Administrator in Azure AD.
Description: By default, only Global Administrator and Hybrid Identity Administrator accounts can install and configure health agents, access the portal, and perform any operations in Azure AD Connect Health. For more information, see Manage your Azure AD directory. You can allow other users in your organization to access Azure AD Connect Health by using Azure role-based access control (Azure RBAC). For more information, see Azure RBAC for Azure AD Connect Health. Important: Use a work or school account to install the agents. You can't use a Microsoft account to install the agents. For more information, see Sign up for Azure as an organization.

Requirement: The Azure AD Connect Health agent is installed on each target server.
Description: Health agents must be installed and configured on the target servers so that they can receive data and provide monitoring and analytics capabilities. For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on both the AD FS server and the Web Application Proxy server. Similarly, to get data from your on-premises Azure Active Directory Domain Services (Azure AD DS) infrastructure, you must install the agent on the domain controllers.

Requirement: Outbound connectivity to the Azure service endpoints.
Description: During installation and runtime, the agent requires connectivity to the Azure AD Connect Health service endpoints. If firewalls block outbound connectivity, add the outbound connectivity endpoints to an allow list.

Requirement: Outbound connectivity is based on IP addresses.
Description: For information about firewall filtering based on IP addresses, see Azure IP Ranges.

Requirement: TLS inspection for outbound traffic is filtered or disabled.
Description: The agent registration step or data upload operations might fail if there's TLS inspection or termination of outbound traffic at the network layer. For more information, see Set up TLS inspection.

Requirement: Firewall ports on the server are open for the agent.
Description: The agent requires the following firewall ports to be open so that it can communicate with the Azure AD Connect Health service endpoints:
- TCP port 443
- TCP port 5671
The latest version of the agent doesn't require port 5671. Upgrade to the latest version so that only port 443 is required. For more information, see Hybrid identity required ports and protocols.

Requirement: If Internet Explorer enhanced security is enabled, allow the specified websites.
Description: If Internet Explorer enhanced security is enabled, allow the following websites on the server where you install the agent:
- https://login.microsoftonline.com
- https://secure.aadcdn.microsoftonline-p.com
- https://login.windows.net
- https://aadcdn.msftauth.net
- The federation server for your organization that's trusted by Azure AD (for example, https://sts.contoso.com).
For more information, see How to configure Internet Explorer. If you have a proxy in your network, see the note that appears at the end of this table.

Requirement: PowerShell version 5.0 or newer is installed.
Description: Windows Server 2016 includes PowerShell version 5.0.

Important

Windows Server Core does not support installing the Azure AD Connect Health agent.

Note

If you have a highly locked-down and restricted environment, you need to add more URLs than the ones listed in the table for Internet Explorer enhanced security. Also add the URLs that are listed in the table in the next section.

New agent versions and automatic updates

When a new version of the Health Agent is released, all existing installed agents are automatically updated.

Outbound connectivity to Azure service endpoints

During installation and runtime, the agent requires connectivity to the Azure AD Connect Health service endpoints. If firewalls are blocking outgoing connections, make sure the URLs in the following table are not blocked by default.

Do not disable security monitoring or scanning for these URLs. Instead, allow them like any other Internet traffic.

These URLs allow communication with the Azure AD Connect Health service endpoints. Later in this article, you'll learn how to check outbound connectivity by using Test-AzureADConnectHealthConnectivity.

Domain environment: General public
Required Azure service endpoints:
- *.blob.core.windows.net
- *.aadconnecthealth.azure.com
- *.servicebus.windows.net - Port: 5671 (If 5671 is blocked, the agent falls back to 443, but using 5671 is recommended. This endpoint isn't required in the latest version of the agent.)
- *.adhybridhealth.azure.com/
- https://management.azure.com
- https://policykeyservice.dc.ad.msft.net/
- https://login.windows.net
- https://login.microsoftonline.com
- https://secure.aadcdn.microsoftonline-p.com
- https://www.office.com (This endpoint is used only for discovery purposes during registration.)
- https://aadcdn.msftauth.net
- https://aadcdn.msauth.net

Domain environment: Azure Germany
Required Azure service endpoints:
- *.blob.core.cloudapi.de
- *.servicebus.cloudapi.de
- *.aadconnecthealth.microsoftazure.de
- https://management.microsoftazure.de
- https://policykeyservice.aadcdi.microsoftazure.de
- https://login.microsoftonline.de
- https://secure.aadcdn.microsoftonline-p.de
- https://www.office.de (This endpoint is used only for discovery purposes during registration.)
- https://aadcdn.msftauth.net
- https://aadcdn.msauth.net

Domain environment: Azure Government
Required Azure service endpoints:
- *.blob.core.usgovcloudapi.net
- *.servicebus.usgovcloudapi.net
- *.aadconnecthealth.microsoftazure.us
- https://management.usgovcloudapi.net
- https://policykeyservice.aadcdi.azure.us
- https://login.microsoftonline.us
- https://secure.aadcdn.microsoftonline-p.com
- https://www.office.com (This endpoint is used only for discovery purposes during registration.)
- https://aadcdn.msftauth.net
- https://aadcdn.msauth.net
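
Before installing, it's worth confirming that the firewall actually lets the server reach the endpoints in the table above, rather than discovering a block during agent registration. The following PowerShell is an added example, not code from the original article or from Microsoft. It assumes Windows PowerShell 5.0 or later with Test-NetConnection available, and it probes only the fully qualified hosts from the table for the chosen cloud: the wildcard entries and the Service Bus endpoint on port 5671 can't be enumerated from this list, so they're left to Test-AzureADConnectHealthConnectivity once the agent is registered.

```powershell
# Added example (not from the original article): TCP reachability check for the
# concrete Azure AD Connect Health endpoints of a given cloud, run before the
# agent is installed. Assumes Windows PowerShell 5.0+ with Test-NetConnection.
# Wildcard entries (*.blob.core.windows.net, *.aadconnecthealth.azure.com, ...)
# are intentionally not probed here because no hostname is invented for them.

function Get-HealthEndpointHosts {
    param(
        [ValidateSet('Public', 'Germany', 'USGov')]
        [string] $Cloud = 'Public'
    )
    # Hostnames are taken from the endpoint table for each cloud.
    switch ($Cloud) {
        'Public'  { 'management.azure.com', 'policykeyservice.dc.ad.msft.net',
                    'login.windows.net', 'login.microsoftonline.com',
                    'secure.aadcdn.microsoftonline-p.com', 'www.office.com',
                    'aadcdn.msftauth.net', 'aadcdn.msauth.net' }
        'Germany' { 'management.microsoftazure.de', 'policykeyservice.aadcdi.microsoftazure.de',
                    'login.microsoftonline.de', 'secure.aadcdn.microsoftonline-p.de',
                    'www.office.de', 'aadcdn.msftauth.net', 'aadcdn.msauth.net' }
        'USGov'   { 'management.usgovcloudapi.net', 'policykeyservice.aadcdi.azure.us',
                    'login.microsoftonline.us', 'secure.aadcdn.microsoftonline-p.com',
                    'www.office.com', 'aadcdn.msftauth.net', 'aadcdn.msauth.net' }
    }
}

function Test-HealthEndpointConnectivity {
    [CmdletBinding()]
    param(
        [ValidateSet('Public', 'Germany', 'USGov')]
        [string] $Cloud = 'Public',
        [int] $Port = 443
    )
    foreach ($h in Get-HealthEndpointHosts -Cloud $Cloud) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false.
        $ok = Test-NetConnection -ComputerName $h -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port = $Port; Reachable = [bool]$ok }
    }
}

# Usage: list every host the server cannot reach on 443; an empty result means
# all listed endpoints are open. Run it on each server that will host an agent.
Test-HealthEndpointConnectivity -Cloud Public | Where-Object { -not $_.Reachable }
```

A host that fails here with TLS inspection in the path can still show as reachable, because this only completes the TCP handshake; the TLS inspection requirement from the table above has to be checked separately.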

Download the agents

To download and install the Azure AD Connect Health agent:

  • Make sure that you meet the requirements for installing Azure AD Connect Health.
  • Get started with Azure AD Connect Health for AD FS:
    • Download the Azure AD Connect Health agent for AD FS.
    • See the installation instructions.
  • Get started with Azure AD Connect Health for sync:
    • Download and install the latest version of Azure AD Connect. The health agent for sync is installed as part of the Azure AD Connect installation (version 1.0.9125.0 or later).
  • Get started with Azure AD Connect Health for Azure AD DS:
    • Download the Azure AD Connect Health agent for Azure AD DS.
    • See the installation instructions.

Install Agent for AD FS

Note

Your AD FS server must be separate from your synchronization server. Do not install the AD FS agent on your synchronization server.

Before you install the agent, make sure that the AD FS server host name is unique and does not exist in the AD FS service.

To start the agent installation, double-click the .exe file that you downloaded. In the first dialog, select Install.

After the installation is complete, select Configure Now.

A PowerShell window opens to start the agent registration process. If prompted, sign in with an Azure AD account that has permissions to register the agent. By default, the Hybrid Identity Administrator account has permissions.

After you sign in, PowerShell continues with the installation. When you're done, you can close PowerShell. The setup is complete.

At this point, the agent services should automatically start allowing the agent to securely upload the necessary data to the cloud service.

If you don't meet all the prerequisites, warnings appear in the PowerShell window. Be sure to complete the requirements before you install the agent. The following screenshot shows an example of these warnings.

To verify that the agent was installed, look for the following services on the server. If you completed the configuration, they should already be running. Otherwise, they're stopped until the configuration is complete.

  • Azure AD Connect Health AD FS Diagnostics Service
  • Azure AD Connect Health AD FS Insights Service
  • Azure AD Connect Health AD FS Monitoring Service

Enable auditing for AD FS

Note

This section only applies to AD FS servers. You do not need to perform these steps on web application proxies.

For the usage analytics feature to gather and analyze data, the Azure AD Connect Health agent needs the information in the AD FS audit logs. By default, these logs aren't enabled. Use the following procedures to enable AD FS auditing and to find the AD FS audit logs on your AD FS servers.

How to enable auditing for AD FS on Windows Server 2012 R2

  1. On the Start screen, open Server Manager, and then open Local Security Policy. Or, on the taskbar, open Server Manager, and then select Tools/Local Security Policy.

  2. Go to the Security Settings\Local Policies\User Rights Assignments folder. Double-click Generate security audits.

  3. On the Local Security Setting tab, make sure that the AD FS service account is listed. If it's not listed, select Add User or Group and add the AD FS service account to the list. Then select OK.

  4. To enable auditing, open a Command Prompt window as an administrator and run the following command:

    auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable

  5. Close Local Security Policy.

    Important

    The remaining steps are required only for primary AD FS servers.

  6. Open the AD FS Management snap-in. (In Server Manager, select Tools > AD FS Management.)

  7. In the Actions pane, select Edit Federation Service Properties.

  8. In the Federation Service Properties dialog, select the Events tab.

  9. Select the Success audits and Failure audits check boxes, and then select OK.

  10. To enable verbose logging through PowerShell, use the following command:

    Set-AdfsProperties -LogLevel Verbose

How to enable auditing for AD FS on Windows Server 2016

  1. On the Start screen, open Server Manager, and then open Local Security Policy. Or, on the taskbar, open Server Manager, and then select Tools/Local Security Policy.

  2. Go to the Security Settings\Local Policies\User Rights Assignments folder. Double-click Generate security audits.

  3. On the Local Security Setting tab, make sure that the AD FS service account is listed. If it's not listed, select Add User or Group and add the AD FS service account to the list. Then select OK.

  4. To enable auditing, open a Command Prompt window as an administrator and run the following command:

    auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable

  5. Close Local Security Policy.

    Important

    The remaining steps are required only for primary AD FS servers.

  6. Open the AD FS Management snap-in. (In Server Manager, select Tools > AD FS Management.)

  7. In the Actions pane, select Edit Federation Service Properties.

  8. In the Federation Service Properties dialog, select the Events tab.

  9. Select the Success audits and Failure audits check boxes, and then select OK. Success audits and failure audits should be enabled by default.

  10. Open a PowerShell window and run the following command:

    Set-AdfsProperties -AuditLevel Verbose

By default, the Basic audit level is enabled. For more information, see Improved AD FS monitoring in Windows Server 2016.

How to find AD FS audit logs

  1. Open Event Viewer.

  2. Go to Windows Logs, and then select Security.

  3. In the right pane, select Filter Current Logs.

  4. For Event sources, select AD FS Audit.

    For more information about audit logs, see Operations questions.

Note

A Group Policy can disable AD FS auditing. If AD FS auditing is disabled, usage analytics about sign-in activities isn't available. Make sure that you have no Group Policy that disables AD FS auditing.
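
The two enable procedures above and the event lookup that follows can be scripted and, more usefully, verified afterwards, which also catches the Group Policy override the note warns about. The following PowerShell is an added example, not from the original article: it sets the audit policy from step 4 and reads it back, checks that the AD FS service account holds the Generate security audits right from steps 2 and 3, applies the verbose setting with the parameter that matches the OS version (-LogLevel on Windows Server 2012 R2, -AuditLevel on Windows Server 2016), and then pulls AD FS audit events from the Security log. It assumes the AD FS Windows service is named adfssrv, that the audit events carry the provider name 'AD FS Auditing' (the "AD FS Audit" source in Event Viewer), and that OS build 14393 or later identifies Windows Server 2016; none of those names come from the article.

```powershell
# Added example, not from the original article. Run as administrator on a
# primary AD FS server. Assumptions (not stated in the article): the AD FS
# service name is 'adfssrv'; AD FS audit events use provider 'AD FS Auditing';
# Windows Server 2016 is recognised by OS build 14393 or later.

$AuditSubcategory = '{0CCE9222-69AE-11D9-BED3-505054503030}'   # GUID from step 4 (Application Generated)

function Enable-AdfsAuditPolicy {
    # Step 4: success and failure auditing for the subcategory, then read it back.
    auditpol.exe /set /subcategory:$AuditSubcategory /failure:enable /success:enable | Out-Null
    $state = auditpol.exe /get /subcategory:$AuditSubcategory
    return [bool]($state | Where-Object { $_ -match 'Success and Failure' })
}

function Test-AdfsServiceAccountAuditRight {
    # Steps 2-3: the AD FS service account must hold "Generate security audits"
    # (SeAuditPrivilege). secedit lists principals as *SID, so compare SIDs.
    $svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    if (-not $svc) { throw 'AD FS service (adfssrv) not found on this host.' }
    $account = New-Object System.Security.Principal.NTAccount($svc.StartName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeAuditPrivilege*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceAccount = $svc.StartName
        Sid            = $sid
        HasAuditRight  = [bool]($line -and ($line -like "*$sid*"))
    }
}

function Enable-AdfsVerboseAuditing {
    # Step 10 differs by OS version; confirm by reading the property back.
    if ([Environment]::OSVersion.Version.Build -ge 14393) {
        Set-AdfsProperties -AuditLevel Verbose
        return (Get-AdfsProperties).AuditLevel
    }
    Set-AdfsProperties -LogLevel Verbose
    return (Get-AdfsProperties).LogLevel
}

function Get-AdfsAuditEvents {
    param([int] $MaxEvents = 20)
    # "How to find AD FS audit logs" steps 1-4, done with Get-WinEvent instead of Event Viewer.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing' } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (in order):
# Test-AdfsServiceAccountAuditRight      # expect HasAuditRight = True
# Enable-AdfsAuditPolicy                 # expect True
# Enable-AdfsVerboseAuditing             # expect Verbose
# Get-AdfsAuditEvents -MaxEvents 10      # empty until federated sign-ins occur
```

If Enable-AdfsAuditPolicy returns True immediately after the set but False on a later run, a Group Policy is most likely re-applying a different audit setting, which is the situation the note above describes.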

Install the sync agent

The Azure AD Connect Health agent for sync is installed automatically in the latest version of Azure AD Connect. To use Azure AD Connect for sync, download the latest version of Azure AD Connect and install it.

To verify that the agent has been installed, look for the following services on the server. When you have completed the configuration, the services should already be running. Otherwise, the services will be stopped until the configuration is complete.

  • Azure AD Connect Health Sync Insights Service
  • Azure AD Connect Health Sync Monitoring Service

Note

Remember that you must have Azure AD Premium (P1 or P2) to use Azure AD Connect Health. If you don't have Azure AD Premium, you can't complete the configuration in the Azure portal. For more information, see Requirements.

Manually register Azure AD Connect Health for synchronization

If Azure AD Connect Health to Sync agent registration fails after successfully installing Azure AD Connect, you can use a PowerShell command to manually register the agent.

Important

Use this PowerShell command only if agent registration fails after installing Azure AD Connect.

Manually register the Azure AD Connect Health agent for synchronization using the following PowerShell command. Azure AD Connect Health services will start after the agent has successfully registered.

Register-AzureADConnectHealthSyncAgent -AttributeFiltering $true -StagingMode $false

The command takes the following parameters:

  • AttributeFiltering: $true (default) if Azure AD Connect isn't syncing the default attribute set and has been customized to use a filtered attribute set. Otherwise, use $false.
  • StagingMode: $false (default) if the Azure AD Connect server is NOT in staging mode. If the server is configured to be in staging mode, use $true.

When you're prompted for authentication, use the same global administrator account (such as admin@domain.onmicrosoft.com) that you used to configure Azure AD Connect.
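
Both parameters describe the state of the local Azure AD Connect server, so at least the staging value can be read from the server instead of typed by hand; getting it wrong silently mislabels the server in the portal. The following PowerShell is an added example, not from the original article or from Microsoft. It assumes the ADSync module that ships with Azure AD Connect is present and that Get-ADSyncScheduler exposes StagingModeEnabled, and that Register-AzureADConnectHealthSyncAgent accepts -Credential as the article states for the registration cmdlets. AttributeFiltering isn't readable from the scheduler, so it stays an explicit parameter with the documented default.

```powershell
# Added example, not from the original article. Run on the Azure AD Connect
# server as administrator. Assumptions: the ADSync module is installed and
# Get-ADSyncScheduler exposes StagingModeEnabled; the registration cmdlet
# accepts -Credential. AttributeFiltering is passed in explicitly.

function Register-HealthSyncAgentFromConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [PSCredential] $Credential,   # same global admin used to set up Azure AD Connect
        [bool] $AttributeFiltering = $true                   # documented default
    )
    Import-Module ADSync -ErrorAction Stop
    # Read staging mode from the sync scheduler instead of guessing it.
    $staging = [bool] (Get-ADSyncScheduler).StagingModeEnabled

    $params = @{
        AttributeFiltering = $AttributeFiltering
        StagingMode        = $staging
        Credential         = $Credential
    }
    $what = "Register sync agent (StagingMode=$staging, AttributeFiltering=$AttributeFiltering)"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $what)) {
        Register-AzureADConnectHealthSyncAgent @params
    }
    # Return the effective values for the change record.
    [pscustomobject]@{ StagingMode = $staging; AttributeFiltering = $AttributeFiltering }
}

# Usage:
# $cred = Get-Credential -Message 'Global admin used to configure Azure AD Connect'
# Register-HealthSyncAgentFromConfig -Credential $cred -WhatIf   # preview the values only
# Register-HealthSyncAgentFromConfig -Credential $cred
```

Running with -WhatIf first shows the staging value that was detected without touching the registration, which is the check to do on a staging server that's about to be promoted.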

Install Agent for Azure AD DS

To start the agent installation, double-click the .exe file that you downloaded. In the first window, select Install.

After the installation is complete, select Configure Now.

A Command Prompt window opens. PowerShell runs Register-AzureADConnectHealthADDSAgent. If prompted, sign in to Azure.

After you sign in, PowerShell continues. When you're done, you can close PowerShell. The setup is complete.

At this point, the services should start automatically, allowing the agent to monitor and gather data. If you haven't met all the prerequisites described in the previous sections, warnings appear in the PowerShell window. Be sure to complete the requirements before you install the agent. The following screenshot shows an example of these warnings.

To verify that the agent is installed, look for the following services on the domain controller:

  • Azure AD Connect Health AD DS Insights Service
  • Azure AD Connect Health AD DS Monitoring Service

When you have completed the configuration, these services should already be running. Otherwise, they will be paused until the setup is complete.
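
The article's "look for the following services" check is the same for all three roles (AD FS, sync, and AD DS); the following PowerShell is an added example, not from the original article, that does that check in one place. It assumes only that the services carry the display names listed in the three install sections, and it reports each expected service with whether it's installed, its status, and its startup type, so a stopped or missing service stands out.

```powershell
# Added example, not from the original article. Checks the health agent
# services for each role using the display names listed in the article.
# Assumption: only that the services carry exactly those display names.

$ExpectedHealthServices = @{
    ADFS = @('Azure AD Connect Health AD FS Diagnostics Service',
             'Azure AD Connect Health AD FS Insights Service',
             'Azure AD Connect Health AD FS Monitoring Service')
    Sync = @('Azure AD Connect Health Sync Insights Service',
             'Azure AD Connect Health Sync Monitoring Service')
    ADDS = @('Azure AD Connect Health AD DS Insights Service',
             'Azure AD Connect Health AD DS Monitoring Service')
}

function Test-HealthAgentServices {
    param(
        [ValidateSet('ADFS', 'Sync', 'ADDS')]
        [string[]] $Role
    )
    $installed = @(Get-Service -DisplayName 'Azure AD Connect Health*' -ErrorAction SilentlyContinue)

    # With no -Role given, report every role that has at least one service on this host.
    if (-not $Role) {
        $Role = @($ExpectedHealthServices.Keys | Where-Object {
            $names = $ExpectedHealthServices[$_]
            @($installed | Where-Object { $names -contains $_.DisplayName }).Count -gt 0
        })
    }

    foreach ($r in $Role) {
        foreach ($name in $ExpectedHealthServices[$r]) {
            $svc = $installed | Where-Object { $_.DisplayName -eq $name }
            [pscustomobject]@{
                Role        = $r
                Service     = $name
                Installed   = [bool]$svc
                Status      = $(if ($svc) { "$($svc.Status)" } else { 'Missing' })
                StartupType = $(if ($svc) { "$($svc.StartType)" } else { 'n/a' })
            }
        }
    }
}

# Usage: after registration every row should show Status = Running.
# Test-HealthAgentServices | Where-Object { $_.Status -ne 'Running' }
# Test-HealthAgentServices -Role ADDS     # check one role explicitly
```

Services that exist but stay stopped after Configure Now usually mean registration didn't finish; the registration commands later in this article are the next step rather than starting the services by hand.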


Quickly install the agent on multiple servers

  1. Create a user account in Azure AD. Secure it by using a password.

  2. Assign the Owner role to this local Azure AD account in Azure AD Connect Health by using the portal. Assign the role to all service instances.

  3. Download the .exe MSI on the local domain controller for installation.

  4. Run the following script. Replace the parameters with your new user account and its password.

    AdHealthAddsAgentSetup.exe /quiet
    Start-Sleep 30
    $userName = "NEWUSER@DOMAIN"
    $secpasswd = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
    $myCreds = New-Object System.Management.Automation.PSCredential ($userName, $secpasswd)
    Import-Module "C:\Program Files\Azure Ad Connect Health Adds Agent\PowerShell\AdHealthAdds"
    Register-AzureADConnectHealthADDSAgent -Credential $myCreds

When you're done, you can remove access to the local account by doing one or more of the following tasks:

  • Remove the role assignment for the local account from Azure AD Connect Health.
  • Rotate the local account password.
  • Disable the local Azure AD account.
  • Delete the local account from Azure AD.
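
The script in step 4 is meant to be run on each domain controller with the password pasted into it. The following PowerShell is an added example, not from the original article or from Microsoft, that runs the same procedure against a list of domain controllers over PowerShell remoting, prompting once for the registration account's password instead of embedding it, waiting for the installer to finish instead of sleeping a fixed 30 seconds, and returning the health service status per host. It assumes (none of this is from the article) that WinRM is enabled on the domain controllers, that the downloaded installer sits at a local path on the admin workstation, and that the AD DS agent module lives at the path the step 4 script imports.

```powershell
# Added example, not from the original article. Run from an admin workstation.
# Assumptions: WinRM is enabled on the target DCs; $InstallerPath points at the
# downloaded AdHealthAddsAgentSetup.exe; the module path is the one the article's
# step 4 script imports.

$InstallerPath   = 'C:\temp\AdHealthAddsAgentSetup.exe'   # placeholder: downloaded installer location
$AgentModulePath = 'C:\Program Files\Azure Ad Connect Health Adds Agent\PowerShell\AdHealthAdds'

function Install-HealthAddsAgentOnServers {
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,
        [Parameter(Mandatory)] [PSCredential] $RegistrationCredential   # the Azure AD account given the Owner role
    )
    $sessions = New-PSSession -ComputerName $ComputerName
    try {
        foreach ($s in $sessions) {
            # Copy from the workstation into the session, so the DC needs no share access (no second hop).
            Copy-Item -Path $InstallerPath -Destination 'C:\Windows\Temp\AdHealthAddsAgentSetup.exe' -ToSession $s -Force
        }
        Invoke-Command -Session $sessions -ScriptBlock {
            $exe = 'C:\Windows\Temp\AdHealthAddsAgentSetup.exe'
            # /quiet as in the article's script; wait for the installer to exit instead of sleeping.
            $p = Start-Process -FilePath $exe -ArgumentList '/quiet' -Wait -PassThru
            if ($p.ExitCode -ne 0) { throw "Installer exited with code $($p.ExitCode) on $env:COMPUTERNAME" }
            Import-Module $using:AgentModulePath -ErrorAction Stop
            Register-AzureADConnectHealthADDSAgent -Credential $using:RegistrationCredential
            # Report the AD DS health services so the caller can spot a failed host.
            Get-Service -DisplayName 'Azure AD Connect Health AD DS*' |
                Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, DisplayName, Status
        }
    } finally {
        $sessions | Remove-PSSession
    }
}

# Usage: prompt once for the registration account, install on every DC, then
# review the returned table. Afterwards remove the account's role assignment
# and disable or delete it, as the list above recommends.
# $cred = Get-Credential -UserName 'NEWUSER@DOMAIN' -Message 'Registration account'
# Install-HealthAddsAgentOnServers -ComputerName 'DC01', 'DC02' -RegistrationCredential $cred
```

Passing the credential through $using: keeps it in memory for the duration of the run only; nothing is written to disk on the domain controllers, which makes the clean-up steps above the only remaining exposure of that account.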

Register the agent with PowerShell

After you install the appropriate agent setup .exe file, you can register the agent by using the following PowerShell commands, depending on the role. Open PowerShell as an administrator and run the appropriate command:

Register-AzureADConnectHealthADFSAgent
Register-AzureADConnectHealthADDSAgent
Register-AzureADConnectHealthSyncAgent

Note

To register on sovereign clouds, use the following command lines:

Register-AzureADConnectHealthADFSAgent -UserPrincipalName upn-of-the-user
Register-AzureADConnectHealthADDSAgent -UserPrincipalName upn-of-the-user
Register-AzureADConnectHealthSyncAgent -UserPrincipalName upn-of-the-user

These commands accept Credential as a parameter to complete the registration non-interactively or to complete the registration on a computer that runs Server Core. Consider these factors:

  • You can capture Credential in a PowerShell variable that's passed as a parameter.
  • You can provide any Azure AD identity that has permissions to register the agents and that does NOT have multi-factor authentication enabled.
  • By default, global admins have permissions to register agents. You can also allow less-privileged identities to do this step. For more information, see Azure RBAC.

$cred = Get-Credential
Register-AzureADConnectHealthADFSAgent -Credential $cred

Configure Azure AD Connect Health agents to use HTTP proxy

You can configure Azure AD Connect Health agents to work with an HTTP proxy.

Note

  • Netsh WinHttp set ProxyServerAddress isn't supported. The agent uses System.Net instead of Windows HTTP Services to make web requests.
  • The configured HTTP proxy address is used to pass encrypted HTTPS messages.
  • Authenticated proxies (using HTTPBasic) are not supported.

Change agent proxy settings

To configure the Azure AD Connect Health agent to use an HTTP proxy, you can:

  • Import existing proxy settings.
  • Specify proxy addresses manually.
  • Delete existing proxy settings.

Note

To update the proxy settings, you must restart all Azure AD Connect Health agent services. To restart all agents, run the following command:

Restart-Service AdHealthAdfs*

Import existing proxy settings

You can import Internet Explorer HTTP proxy settings so that Azure AD Connect Health agents can use the settings. Run the following PowerShell command on each of the servers running the Health Agent:

Set-AzureAdConnectHealthProxySettings -ImportFromInternetSettings

You can import WinHTTP proxy settings so that Azure AD Connect Health agents can use them. Run the following PowerShell command on each of the servers running the Health Agent:

Set-AzureAdConnectHealthProxySettings -ImportFromWinHttp

Specify proxy addresses manually

You can specify a proxy server manually. Run the following PowerShell command on each of the servers running the Health Agent:

Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress address:port

Here's an example:

Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress myproxyserver:443

In this example:

  • The ADDRESS setting can be a DNS-resolvable server name or an IPv4 address.
  • You can omit PORT. In that case, 443 is the default port.

Delete existing proxy settings

You can remove existing proxy settings by running the following command:

Set-AzureAdConnectHealthProxySettings -NoProxy

Read current proxy settings

You can read the current proxy settings by running the following command:

Get-AzureAdConnectHealthProxySettings

Test connectivity to the Azure AD Connect Health service

Occasionally, the Azure AD Connect Health agent loses connectivity to the Azure AD Connect Health service. The causes of this connection loss can be network issues, permission issues, and various other issues.

If the agent can't send data to the Azure AD Connect Health service for more than two hours, the following alert appears in the portal: Health Service data is not up to date.

You can find out if the affected Azure AD Connect Health agent can upload data to the Azure AD Connect Health service by running the following PowerShell command:

Test-AzureADConnectHealthConnectivity -Role ADFS

The Role parameter currently takes the following values:

  • ADFS
  • Sync
  • ADDS

Note

To use the connectivity tool, you must first register the agent. If you can't complete the agent registration, make sure that you meet all the requirements for Azure AD Connect Health. Connectivity is tested by default during agent registration.
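
The proxy section above and this connectivity test belong together in practice: a proxy change only takes effect after the agent services restart, and the connectivity test is how you confirm the new path works. The following PowerShell is an added example, not from the original article or from Microsoft, that applies one of the four proxy modes with the article's cmdlet, restarts every health agent service on the server (whichever roles are installed, not only the AdHealthAdfs* services), and then runs Test-AzureADConnectHealthConnectivity for each installed role. It assumes the service display names begin with "Azure AD Connect Health" and contain "AD FS", "Sync" or "AD DS" according to the role, as listed earlier in this article, and that the agent is already registered so the cmdlets are available.

```powershell
# Added example, not from the original article. Run as administrator on a
# server with a registered health agent. Assumptions: the health agent service
# display names start with "Azure AD Connect Health" and contain "AD FS",
# "Sync" or "AD DS" according to the role.

function Set-HealthAgentProxyAndVerify {
    [CmdletBinding(DefaultParameterSetName = 'Manual')]
    param(
        [Parameter(ParameterSetName = 'Manual', Mandatory)]
        [string] $HttpsProxyAddress,                          # address:port, e.g. myproxyserver:443
        [Parameter(ParameterSetName = 'WinHttp')] [switch] $ImportFromWinHttp,
        [Parameter(ParameterSetName = 'IE')]      [switch] $ImportFromInternetSettings,
        [Parameter(ParameterSetName = 'None')]    [switch] $NoProxy
    )
    # Apply the requested proxy mode with the article's cmdlet.
    switch ($PSCmdlet.ParameterSetName) {
        'Manual'  { Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress $HttpsProxyAddress }
        'WinHttp' { Set-AzureAdConnectHealthProxySettings -ImportFromWinHttp }
        'IE'      { Set-AzureAdConnectHealthProxySettings -ImportFromInternetSettings }
        'None'    { Set-AzureAdConnectHealthProxySettings -NoProxy }
    }

    # Proxy changes only take effect after the agent services restart.
    $services = @(Get-Service -DisplayName 'Azure AD Connect Health*')
    $services | Restart-Service -Force

    # Derive the installed roles from the service names and test each one.
    $roles = @()
    if ($services.DisplayName -match 'AD FS') { $roles += 'ADFS' }
    if ($services.DisplayName -match 'Sync')  { $roles += 'Sync' }
    if ($services.DisplayName -match 'AD DS') { $roles += 'ADDS' }

    [pscustomobject]@{
        Proxy        = Get-AzureAdConnectHealthProxySettings
        Services     = @(Get-Service -DisplayName 'Azure AD Connect Health*' | Select-Object DisplayName, Status)
        Connectivity = @(foreach ($r in $roles) { Test-AzureADConnectHealthConnectivity -Role $r })
    }
}

# Usage (one mode per call):
# Set-HealthAgentProxyAndVerify -HttpsProxyAddress 'myproxyserver:443'
# Set-HealthAgentProxyAndVerify -ImportFromWinHttp
# Set-HealthAgentProxyAndVerify -NoProxy
```

The returned Proxy field is the read-back from Get-AzureAdConnectHealthProxySettings, so the record shows what the agent will actually use rather than what was requested; if the connectivity results fail after a proxy change, the note above about authenticated proxies not being supported is the first thing to rule out.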

Next steps

See the following related articles:

  • Azure AD Connect Health
  • Azure AD Connect Health operations
  • Using Azure AD Connect Health with AD FS
  • Using Azure AD Connect Health for sync
  • Using Azure AD Connect Health with Azure AD DS
  • Azure AD Connect Health FAQ
  • Azure AD Connect Health version history

Article information

Author: Aracelis Kilback

Last Updated: 12/10/2023
