Hybrid Identity Protection comes in many shapes; Meet Azure AD Connect Health

Information protection rests on three pillars: confidentiality, integrity and availability. Hybrid Identity is no different; the three pillars still apply. Availability, however, is hard to achieve for Azure AD Connect. As a key link in the Hybrid Identity chain it deserves focus, but it should not be the only focus.

High availability for Azure AD Connect explained

About Azure AD Connect

Azure AD Connect takes care of synchronizing objects and their attributes from an on-premises identity store (either Active Directory Domain Services or an LDAP version 3-compatible directory) to Azure AD. It is also used to:

  • Specify which Azure AD tenant to connect to, out of the more than 19 million Azure AD tenants in existence, and;
  • Configure the authentication method for that tenant (although for some scenarios the authentication method can also be switched with Windows PowerShell).

A Single Engine; great for integrity, not for availability

To maintain the integrity of synchronization, Azure AD Connect is built around a single synchronization engine. This way Azure AD Connect, just like Microsoft Identity Manager (MIM), always holds one consistent view of its information. Dueling engines, each exporting its own view of the metaverse, could compromise that integrity.

However, traditional methods to create high availability cannot be used:

  • Azure AD Connect does not support Windows clustering, and;
  • You cannot deploy multiple actively synchronizing Azure AD Connect installations for the same synchronization scope.

In terms of capacity, this does not necessarily pose a problem, though. We’ve seen organizations beef up their Azure AD Connect installations (and supporting SQL Server clusters) into monster VMs and even dedicated physical boxes.

In terms of availability, problems arise when the engine fails.

Staging Mode to the rescue?

Many think Microsoft's solution to this problem is Staging Mode. An Azure AD Connect installation operating in Staging Mode imports and synchronizes on its connectors but never exports, allowing it to build the same metaverse as the actively synchronizing Azure AD Connect installation, minus slight differences in time stamps.

Staging Mode is full of caveats. In terms of information protection, its biggest problem is that fail-over from the actively synchronizing Azure AD Connect installation to the Staging Mode server is not automatic: the unavailability of Azure AD Connect first needs to be detected, before an admin can manually remediate it by taking the staging server out of Staging Mode.
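Because the fail-over is manual, the one state an admin can verify is that exactly one engine is exporting at any time: zero active engines means an outage, two means the dueling engines described above. The following PowerShell is an added example, not code from the original post or from Microsoft. It assumes PowerShell Remoting is enabled on both Azure AD Connect servers, that the caller is a local administrator on them, and that the host names AADC01 and AADC02 are placeholders for your own servers; Get-ADSyncScheduler and its StagingModeEnabled, SyncCycleEnabled and SchedulerSuspended properties are real cmdlet output from the ADSync module.

```powershell
# Added example (not from the original post): confirm that exactly one Azure AD Connect
# server is actively synchronizing and exporting, and that the other really is in Staging Mode.
# Assumptions: PowerShell Remoting is enabled, the caller is a local admin on both servers,
# and the host names below are hypothetical placeholders.
$connectServers = @('AADC01', 'AADC02')   # hypothetical host names

function Get-AADConnectEngineState {
    param([string[]]$ComputerName)

    # Get-ADSyncScheduler lives in the ADSync module that ships with Azure AD Connect.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module ADSync
        $s = Get-ADSyncScheduler
        [pscustomobject]@{
            Server                = $env:COMPUTERNAME
            StagingModeEnabled    = $s.StagingModeEnabled
            SyncCycleEnabled      = $s.SyncCycleEnabled
            SchedulerSuspended    = $s.SchedulerSuspended
            NextSyncCycleStartUtc = $s.NextSyncCycleStartTimeInUTC
        }
    } | Select-Object Server, StagingModeEnabled, SyncCycleEnabled, SchedulerSuspended, NextSyncCycleStartUtc
}

function Test-SingleActiveEngine {
    param([object[]]$States)

    # "Active" means: not in Staging Mode AND the scheduler actually runs cycles.
    $active = @($States | Where-Object {
        -not $_.StagingModeEnabled -and $_.SyncCycleEnabled -and -not $_.SchedulerSuspended
    })

    switch ($active.Count) {
        0       { [pscustomobject]@{ Status = 'NoActiveEngine'; Active = @() } }             # nothing exports: outage
        1       { [pscustomobject]@{ Status = 'OK';             Active = @($active.Server) } }
        default { [pscustomobject]@{ Status = 'DuelingEngines'; Active = @($active.Server) } } # integrity at risk
    }
}

$states = Get-AADConnectEngineState -ComputerName $connectServers
$states | Format-Table -AutoSize

$result = Test-SingleActiveEngine -States $states
if ($result.Status -ne 'OK') {
    Write-Warning "Azure AD Connect engine check: $($result.Status) ($($result.Active -join ', '))"
}
```

Run this from a scheduled task after every planned fail-over and fail-back; the 'DuelingEngines' case is the one to treat as an incident, since two exporting servers can overwrite each other's changes in Azure AD.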

An overview of Azure AD Connect Health

Azure AD Connect Health helps admins monitor and gain insights into Hybrid Identity components. It enables organizations to maintain a reliable connection to Azure AD and all Azure AD-integrated services, including Office 365.

Figure 1 Azure AD Connect Health – Quick start

Azure AD Connect Health makes the key data points about these components easily accessible in the Azure AD Connect Health portal to make performance monitoring, usage analysis, troubleshooting and gaining other important insights easy.

More than just Azure AD Connect

Azure AD Connect Health offers more than just monitoring of Azure AD Connect, despite 80% of its name being "Azure AD Connect".

It provides monitoring capabilities for the following links in the Hybrid Identity chain through Azure AD Connect Health agents for:

  • Azure Active Directory Connect installations;
  • Active Directory Federation Services (AD FS) servers;
  • Web Application Proxies, and;
  • Active Directory Domain Controllers.

These systems form the entire Hybrid Identity chain for organizations that use Active Directory Federation Services (AD FS) and/or Password Hash Synchronization (PHS) with or without Seamless Single Sign-on (S3O) as their authentication method(s).

One pane to monitor, troubleshoot and gain insights into Hybrid Identity

Azure AD Connect Health receives information from all of the above agents and displays it in a single dashboard, as part of the Azure Management Portal.

Benefits of Azure AD Connect Health

Azure AD Connect Health offers the following benefits:

Reducing the time-to-action for Azure AD Connect failures

As Azure AD Connect cannot be set up in a highly available way and fail-overs are manual, it's imperative that Azure AD Connect outages are detected as fast as possible.

That information is available in the Azure AD Connect Health dashboard, but no sane person would check the Azure Portal at 2 AM without reason. Therefore, Azure AD Connect Health notifies Global Administrators in the Azure AD tenant by mail when Azure AD Connect becomes unavailable. Other people and distribution lists can be configured to receive notifications, too:

Figure 2 Azure AD Connect Health Notification settings

Upon being notified, an admin can determine the course of action: troubleshoot the box, restart the box, switch to the Staging Mode server or begin all over (not necessarily in that order of preference…).

Improving availability of the chain

Azure AD Connect Health offers integrated monitoring of the complete Hybrid Identity chain, when Azure AD Connect Health agents are installed and configured on all links.

Moving beyond traditional monitoring, when the Azure AD Connect Health agent for AD FS is installed on both the Web Application Proxies and the AD FS servers, the agents perform synthetic authentications and monitor their communications, to detect problems at an early stage.

Improving Azure AD Connect Integrity

When Azure AD Connect is monitored, the Azure AD Connect Health dashboard, as part of the Azure Management Portal, displays synchronization errors, related to duplicate attributes, data mismatches, data validation failures, large attributes, federated domain changes and existing admin role conflicts.

Licensing Azure AD Connect Health

Azure AD Connect is a free download. Azure AD Connect Health, however, is not free: it requires at least one Azure AD Premium license in the Azure AD tenant that Azure AD Connect synchronizes to.

This one license covers the Azure AD Connect installation. When an admin deploys multiple Azure AD Connect installations (in Staging Mode, obviously), each additional Azure AD Connect installation requires one additional Azure AD Premium license in the tenant. Monitoring additional hosts in the Hybrid Identity solution beyond Azure AD Connect requires twenty-five Azure AD Premium licenses per host.

To give an example: an organization monitoring two Azure AD Connect installations, four AD FS servers, four Web Application Proxies and six Domain Controllers requires 352 Azure AD Premium licenses (2 × 1 + 14 × 25).

Azure AD Premium licenses do not need to be assigned to users, but they can be, without problems. Microsoft intends licensing Azure AD Connect Health to be easy, and the above example shows why: an infrastructure of that scale would typically host Hybrid Identity for some six thousand employees, an organization that is likely to have those licenses in the tenant anyway.

Drawbacks of Azure AD Connect Health

Azure AD Connect Health is not perfect. There are a couple of drawbacks to the current solution that you might want to know about, if you want to avoid being brought down to earth with a shock:

Notification time-outs

It's imperative that Azure AD Connect outages are detected as fast as possible. However, Azure AD Connect Health only sends out a notification after a couple of missed synchronization cycles. As Azure AD Connect synchronizes every 30 minutes by default, this allows for quite a long period of unavailability before any admin gets notified.

Figure 3 Azure AD Connect Health Sync Services overview with errors

Imagine the situation where a person is laid off on the spot while synchronization is unavailable: that person keeps access to the account, the Office 365 mailbox, the team site and any other Azure AD-integrated application, service or system until synchronization is working again and the change to the on-premises Active Directory account synchronizes to disable or delete the Azure AD account object. Until then, the only way to cut off access is to act in Azure AD directly (revoking the user's sign-in sessions, for instance), which Azure AD Connect Health will not do for you.
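If a couple of missed cycles is too slow for your organization, the tenant itself records when the last sync landed, and a small script can raise an alert after a single missed cycle. The following PowerShell is an added example, not code from the original post or from Microsoft. It assumes the MSOnline module is installed and Connect-MsolService has already been run with an account that can read company information; Get-MsolCompanyInformation and its LastDirSyncTime and DirectorySynchronizationEnabled properties are real, and the time stamp is assumed to be UTC. The 30-minute interval is the Azure AD Connect default; the 10-minute grace period and the Test-DirSyncStale function are this example's own choices.

```powershell
# Added example (not from the original post): flag a stale directory sync after one missed
# cycle instead of waiting for Connect Health's multi-cycle threshold.
# Assumptions: MSOnline module loaded and Connect-MsolService already run; LastDirSyncTime is UTC;
# the default 30-minute scheduler interval is in use.

function Test-DirSyncStale {
    param(
        [Parameter(Mandatory)][datetime]$LastDirSyncTime, # as returned by Get-MsolCompanyInformation (UTC assumed)
        [int]$IntervalMinutes = 30,                        # Azure AD Connect default scheduler interval
        [int]$GraceMinutes    = 10,                        # tolerate one slow cycle before raising (this example's choice)
        [datetime]$Now        = [datetime]::UtcNow         # injectable so the logic can be tested offline
    )
    $age   = $Now - $LastDirSyncTime
    $limit = [timespan]::FromMinutes($IntervalMinutes + $GraceMinutes)
    [pscustomobject]@{
        LastDirSyncTime = $LastDirSyncTime
        AgeMinutes      = [math]::Round($age.TotalMinutes, 1)
        MissedCycles    = [math]::Floor($age.TotalMinutes / $IntervalMinutes)
        Stale           = ($age -gt $limit)
    }
}

# Live check against the tenant. Replace this with a constructed time stamp to exercise the logic offline,
# e.g. -LastDirSyncTime ([datetime]::UtcNow.AddMinutes(-75)).
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    throw 'Directory synchronization is not enabled for this tenant.'
}
$check = Test-DirSyncStale -LastDirSyncTime $company.LastDirSyncTime

if ($check.Stale) {
    # Hook this up to whatever pages the on-call admin; mail is what Connect Health itself uses.
    Write-Warning ("Directory sync stale: last sync {0:u}, {1} cycle(s) missed" -f $check.LastDirSyncTime, $check.MissedCycles)
} else {
    Write-Output ("Directory sync healthy: last sync {0:u}" -f $check.LastDirSyncTime)
}
```

Schedule this every 10 to 15 minutes from a host other than the Azure AD Connect server itself, so that a dead Connect server cannot also silence the check. The check complements Connect Health rather than replacing it: it tells you sync has stopped, not why.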

Multi-factor Authentication on Server Core installations

The Azure AD Connect Health agents support Multi-factor Authentication (MFA), allowing strong authentication for the privileged accounts used to register the agents with the Azure AD tenant.

However, the Azure AD Connect Health agents strictly rely on Internet Explorer (iexplore.exe) to display the Multi-factor Authentication experience. As Internet Explorer is not available on Server Core installations of Windows Server, agents on these installations need to be registered with a Global Administrator account that is (temporarily) exempt from the (baseline) policies requiring MFA for admins. Keep that exemption as short-lived as possible: re-apply MFA to the account as soon as agent registration completes, and watch that account's sign-ins while the exemption is in place.

PTA Agents

Pass-through Authentication (PTA) is the latest authentication method Microsoft offers through Azure AD Connect. Leveraging PTA Agent installations (at least three are recommended for availability), authentication requests for Azure AD-integrated applications, services and systems are routed to the on-premises Active Directory Domain Services environment to be processed. PTA Agents communicate through a service bus, allowing them to work their magic using outbound connections only.

Although the status of PTA Agents can be viewed in the Azure Management Portal, they do not integrate with Azure AD Connect Health. The promise of one dashboard to monitor, analyse usage, troubleshoot and gain insights into Hybrid Identity really unravels in this scenario…


Azure AD Connect Health adds integrity and availability to most Hybrid Identity implementations. It's not perfect, but every helping hand is welcome, right?




*** This is a Security Bloggers Network syndicated blog from Semperis authored by Sander Berkouwer. Read the original post at: