Unit 8: Implement Microsoft Entra Connect Health

1. Introduction: What Is Microsoft Entra Connect Health?

Microsoft Entra Connect Health is a cloud-based monitoring service designed to give administrators deep visibility into the health of their on-premises identity infrastructure, including:

Microsoft Entra Connect (Sync)
Active Directory Federation Services (AD FS)
Active Directory Domain Services (AD DS)

It helps ensure reliable synchronization and authentication between on-prem AD and Microsoft Entra ID (Azure AD) by providing alerts, analytics, and performance insights.

2. Why Connect Health Is Important

Hybrid identity relies on multiple moving parts — directory synchronization, federation, and network connectivity. Without monitoring, failures can go unnoticed, leading to:

Missed synchronization cycles.
Expired certificates in AD FS.
Authentication latency or failures for users.
Security vulnerabilities due to misconfigurations.

Connect Health centralizes visibility by continuously uploading telemetry from your on-prem identity servers to the Microsoft Entra admin center.

You can view it in the Microsoft Entra Connect Health portal, which displays:

Alerts and recommended actions.
Performance metrics (CPU, latency, sign-in success rate).
Usage analytics for identity components.

3. Licensing Requirements

To use Connect Health, your organization must have at least:

Microsoft Entra ID Premium P1 or P2 license.

Without it, you can’t register or configure the health agents or access the Connect Health portal.

4. Core Components of Connect Health

Component	Description
Health Agents	Installed on-prem on AD FS, AD DS, or Entra Connect servers. Collect telemetry and send it securely to the cloud.
Connect Health Service	Cloud-based service hosted in Microsoft Entra ID. Processes data from agents and presents insights in the portal.
Connect Health Portal	Accessible via the Microsoft Entra admin center. Provides dashboards, alerts, and performance data for each service.

5. Supported Monitored Services

Service	What It Monitors	Key Benefits
Microsoft Entra Connect (Sync)	Sync cycles, errors, latency, scheduler state	Detect sync failures early
AD FS	Token issuance, authentication failures, certificate expiry	Detect sign-in outages or load issues
Active Directory DS	Replication, domain controller performance, replication latency	Identify domain health issues affecting hybrid identity

6. Connect Health Architecture Overview

Flow Summary:

The Health Agent is installed on the relevant on-prem server (e.g., AD FS or Connect server).
The agent collects metrics like:
CPU, memory, latency, and replication status.
Sync status and error counts.
Authentication attempts, failures, and token issuance rates.
Data is encrypted and sent securely to the Microsoft Entra Connect Health service in the cloud via HTTPS (port 443).
The cloud service analyzes and stores data.
Admins view insights, trends, and alerts through the Entra admin portal.

7. Installing and Configuring Microsoft Entra Connect Health Agents

Prerequisites

Before installing, ensure:

You have Microsoft Entra ID Premium P1/P2.
You are a Global Administrator in Entra ID.
You have outbound internet access (port 443, and 5671 for older versions).
PowerShell 4.0 or later is installed.
FIPS (Federal Information Processing Standard) mode is disabled.
Firewalls allow outbound connectivity to Microsoft Entra endpoints.

Firewall Requirements

Port	Purpose
TCP 443	HTTPS communication between the agent and the Connect Health service
TCP 5671	Used by older agents (no longer required in latest version)

Agent Installation Locations

Agent Type	Install On
AD FS Agent	Each AD FS server in the farm (not the sync server).
AD DS Agent	At least one domain controller per domain.
Sync Agent	Automatically installed with Microsoft Entra Connect (latest versions).

8. Installing the Connect Health Agent for AD FS

Download the installer from the .
Run the .exe file on each AD FS server.
In the wizard, click Install.
After installation, select Configure Now.
A PowerShell window launches prompting you to sign in with your Entra Global Admin account.
Once authenticated, the agent registers with your tenant.
The following services should start automatically:
Microsoft Entra Connect Health AD FS Diagnostics Service
Microsoft Entra Connect Health AD FS Insights Service
Microsoft Entra Connect Health AD FS Monitoring Service

Tip: Don’t install the AD FS agent on the same server as your Entra Connect sync service. Keep roles separated.

9. Installing the Connect Health Agent for Sync

If you use the latest version of Microsoft Entra Connect, the Sync Health Agent is automatically installed and configured during setup.

To verify:

Open Services.msc on the sync server.
Look for:
Microsoft Entra Connect Health Sync Insights Service
Microsoft Entra Connect Health Sync Monitoring Service

If they are stopped, start them manually and ensure the service account has Internet access.

10. Verifying Installation

After the agents are configured:

Go to the Microsoft Entra admin center → Identity → Connect Health.
You should see monitored services under:
“Sync Services”
“AD FS Services”
“Active Directory Services”
Each monitored instance displays status, alerts, and performance metrics.

11. What You Can Monitor

For AD FS

Token issuance success/failure rates.
Authentication latency.
Token signing certificate expiry.
Number of logins per hour.
Failed login reasons (bad password, expired password, MFA failure).
Federation service trust issues.

For Sync

Scheduler status (enabled/disabled).
Sync cycle duration and errors.
Number of adds/updates/deletes per cycle.
Connector health (AD and Microsoft Entra).
Pending exports or failed objects.

For AD DS

Replication health and latency.
Domain controller availability.
SYSVOL health.
Security policies.

12. Alerts and Health Indicators

Connect Health automatically generates alerts when it detects abnormalities. Examples include:

Alert Example	Possible Cause	Recommended Action
Sync cycle has not run in 24 hours	Scheduler disabled or network issue	Re-enable scheduler and test connectivity
AD FS token signing certificate will expire soon	Certificate near expiration	Renew certificate and update federation trust
High AD FS authentication failure rate	Incorrect passwords or external attack	Investigate AD FS logs for failed IPs
Replication latency above threshold	Slow domain replication	Check AD replication topology

Each alert includes a description, cause, and fix recommendation in the portal.

13. Real-World Example

Scenario: A large retail company notices users can’t sign in to Microsoft 365. Their hybrid environment uses AD FS.

Using Connect Health:

The admin opens the Entra Connect Health portal.
Sees an alert: “Token signing certificate expired.”
Drills into AD FS Service → Alerts → Details to confirm which server is affected.
Renews the certificate in AD FS Management → “Certificates.”
Reruns Entra Connect to repair federation trust.
Sync resumes, sign-ins restored.

Result: Outage resolved quickly thanks to proactive monitoring.

14. Best Practices

Install Connect Health agents on every AD FS and domain controller involved in hybrid identity.
Ensure outbound HTTPS connectivity (no TLS inspection).
Regularly check the Connect Health dashboard and email alerts.
Use Azure RBAC to delegate monitoring access securely.
Update agents periodically — old versions may stop sending telemetry.
Monitor for certificate expirations and replication delays before they cause sign-in failures.

15. Exam Tips

Connect Health monitors AD DS, AD FS, and Entra Connect Sync.
Requires Entra ID Premium P1.
Agents send telemetry securely via HTTPS (port 443).
The Sync agent is auto-installed with Entra Connect.
Alerts include replication issues, sync errors, certificate expiry, and more.
You view health data in the Microsoft Entra admin center → Identity → Connect Health.
Don’t install the AD FS agent on the sync server.
The AD FS agent registration requires a Global Admin account.

16. Summary

Microsoft Entra Connect Health provides a unified monitoring solution that ensures your hybrid identity infrastructure remains healthy and reliable. By deploying lightweight agents across your AD DS, AD FS, and Entra Connect servers, you can:

Detect issues proactively.
Prevent authentication outages.
Optimize sync performance.
Simplify root-cause analysis.

This service is essential for maintaining continuous hybrid identity synchronization and secure, uninterrupted access to Microsoft 365 and other cloud applications.

SC‑300 Study Portal Dark

Unit 8: Implement Microsoft Entra Connect Health