Azure Active Directory Connect Health operations - Microsoft Entra (2023)


This topic describes the various operations you can perform by using Azure Active Directory (Azure AD) Connect Health.

Enable email notifications

You can configure the Azure AD Connect Health service to send email notifications when alerts indicate that your identity infrastructure is not healthy. This occurs when an alert is generated, and when it is resolved.


Note

Email notifications are enabled by default.

To enable Azure AD Connect Health email notifications

  1. In the Azure portal, search for and open Azure AD Connect Health.
  2. Select Sync errors.
  3. Select Notification Settings.
  4. At the email notification switch, select ON.
  5. Select the check box if you want all Hybrid Identity Administrators to receive email notifications.
  6. If you want to receive email notifications at any other email addresses, specify them in the Additional Email Recipients box. To remove an email address from this list, right-click the entry and select Delete.
  7. To finalize the changes, click Save. Changes take effect only after you save.

Note

When the backend service has issues processing synchronization requests, it sends a notification email with the details of the error to the administrative contact email address(es) of your tenant. Customers reported that in some cases the volume of these messages was prohibitively large, so the way they are sent has changed.

Instead of sending a message for every sync error every time it occurs, the service sends a daily digest of all errors the backend service has returned. This lets you process the errors more efficiently and reduces the number of duplicate error messages.

Delete a server or service instance

Note

An Azure AD Premium license is required for the deletion steps.

In some instances, you might want to remove a server from being monitored. Here's what you need to know to remove a server from the Azure AD Connect Health service.

When you're deleting a server, be aware of the following:

  • This action stops collecting any further data from that server. This server is removed from the monitoring service. After this action, you are not able to view new alerts, monitoring, or usage analytics data for this server.
  • This action does not uninstall the Health Agent from your server. If you have not uninstalled the Health Agent before performing this step, you might see errors related to the Health Agent on the server.
  • This action does not delete the data already collected from this server. That data is deleted in accordance with the Azure data retention policy.
  • After performing this action, if you want to start monitoring the same server again, you must uninstall and reinstall the Health Agent on this server.

Delete a server from the Azure AD Connect Health service

Note

An Azure AD Premium license is required for the deletion steps.

Azure AD Connect Health for Active Directory Federation Services (AD FS) and Azure AD Connect (Sync):

  1. Open the Server blade from the Server List blade by selecting the server name to be removed.
  2. On the Server blade, from the action bar, click Delete.
  3. Confirm by typing the server name in the confirmation box.
  4. Click Delete.

Azure AD Connect Health for Azure Active Directory Domain Services:

  1. Open the Domain Controllers dashboard.
  2. Select the domain controller to be removed.
  3. From the action bar, click Delete Selected.
  4. Confirm the action to delete the server.
  5. Click Delete.

Delete a service instance from Azure AD Connect Health service

In some instances, you might want to remove a service instance. Here's what you need to know to remove a service instance from the Azure AD Connect Health service.

When you're deleting a service instance, be aware of the following:

  • This action removes the current service instance from the monitoring service.
  • This action does not uninstall or remove the Health Agent from any of the servers that were monitored as part of this service instance. If you have not uninstalled the Health Agent before performing this step, you might see errors related to the Health Agent on the servers.
  • All data from this service instance is deleted in accordance with the Azure data retention policy.
  • After performing this action, if you want to start monitoring the service again, uninstall, reinstall, and register the Health Agent on all the servers that belonged to the service instance.

To delete a service instance from the Azure AD Connect Health service

  1. Open the Service blade from the Service List blade by selecting the service identifier (farm name) that you want to remove.
  2. On the Service blade, from the action bar, click Delete.
  3. Confirm by typing the service name in the confirmation box (for example: sts.contoso.com).
  4. Click Delete.
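Both deletion procedures above leave the Health Agent installed and running on the server, and re-monitoring requires uninstalling, reinstalling, and registering the agent. The following PowerShell script is an added example, not code from the Microsoft article: run it on the affected server to see which agent services are still present, and with -Reset to stop them, uninstall the agent package, and register the agent again after you have reinstalled it. The AzureADConnectHealth* service-name prefix and the package display-name pattern are assumptions to verify against a known-good server; the Test-AzureADConnectHealthConnectivity and Register-AzureADConnectHealth*Agent cmdlets are the ones shipped with the agent as documented in the agent installation article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): report the Connect Health agent state on a
# server that was deleted from the portal and, with -Reset, uninstall and re-register it.
[CmdletBinding()]
param(
    [ValidateSet('Sync', 'ADFS', 'ADDS')]
    [string]$Role = 'Sync',
    [switch]$Reset      # default is report-only
)

function Get-HealthAgentState {
    # Assumption: all agent services share the AzureADConnectHealth* name prefix.
    Get-Service -Name 'AzureADConnectHealth*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Service = $_.Name; Status = $_.Status; StartType = $_.StartType }
        }
}

function Get-HealthAgentPackage {
    # Find the MSI product code through the Uninstall registry keys instead of
    # Win32_Product (which triggers MSI self-repair). Display-name pattern is an assumption.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect Health agent*' } |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

function Reset-HealthAgent {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Role)
    $pkg = Get-HealthAgentPackage | Select-Object -First 1
    if (-not $pkg) { throw 'No Health Agent package found on this server.' }

    if ($PSCmdlet.ShouldProcess($pkg.DisplayName, 'Uninstall')) {
        Get-Service -Name 'AzureADConnectHealth*' -ErrorAction SilentlyContinue | Stop-Service -Force
        $proc = Start-Process -FilePath msiexec.exe `
            -ArgumentList "/x $($pkg.PSChildName) /qn /norestart" -Wait -PassThru
        if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exited with $($proc.ExitCode)" }
    }

    # Reinstall is interactive: portal download for the AD FS / AD DS agent, Azure AD
    # Connect setup for the sync agent. Then check outbound HTTPS before registering.
    Read-Host 'Reinstall the Health Agent, then press Enter to register it' | Out-Null
    Test-AzureADConnectHealthConnectivity -Role $Role
    switch ($Role) {
        'Sync' { Register-AzureADConnectHealthSyncAgent }
        'ADFS' { Register-AzureADConnectHealthADFSAgent }
        'ADDS' { Register-AzureADConnectHealthADDSAgent }
    }
}

$state = @(Get-HealthAgentState)
if ($state.Count -eq 0) {
    Write-Host 'No Health Agent services present on this server.'
} else {
    $state | Format-Table -AutoSize
    $running = @($state | Where-Object Status -eq 'Running')
    if ($running.Count -gt 0) {
        Write-Warning "$($running.Count) agent service(s) still running; expect agent errors until the agent is uninstalled."
    }
}
if ($Reset) { Reset-HealthAgent -Role $Role }
```

Run it once without -Reset to confirm the server really is the one you deleted in the portal (the service list and package version tell you which agent is installed), then with -Reset -WhatIf to see the uninstall step before committing to it. The registration cmdlets open an Azure AD sign-in prompt; run them as an account with the Owner role described under "Manage access with Azure RBAC".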

Manage access with Azure RBAC

Azure role-based access control (Azure RBAC) for Azure AD Connect Health lets you grant access to users and groups other than Hybrid Identity Administrators. Azure RBAC assigns roles to the intended users and groups, and gives you a way to limit the number of Hybrid Identity Administrators in your directory.

Roles

Azure AD Connect Health supports the following built-in roles:

Role         Permissions
Owner        Owners can manage access (for example, assign a role to a user or group), view all information (for example, view alerts) from the portal, and change settings (for example, email notifications) within Azure AD Connect Health. By default, Azure AD Hybrid Identity Administrators are assigned this role, and this cannot be changed.
Contributor  Contributors can view all information (for example, view alerts) from the portal, and change settings (for example, email notifications) within Azure AD Connect Health.
Reader       Readers can view all information (for example, view alerts) from the portal within Azure AD Connect Health.

All other roles (such as User Access Administrator or DevTest Labs User) have no effect on access within Azure AD Connect Health, even though the roles are offered in the portal experience.

Access scope

Azure AD Connect Health supports managing access at two levels:

  • All service instances: This is the recommended path in most cases. It controls access for all service instances (for example, an AD FS farm) across all role types that are being monitored by Azure AD Connect Health.
  • Service instance: In some cases, you might need to segregate access based on role types or by a service instance. In this case, you can manage access at the service instance level.

Permission is granted if an end user has access either at the directory or service instance level.
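The rules in this section (three roles with a fixed ordering, two scopes, access granted at either level, and other Azure roles ignored) are easy to get wrong when assignments are spread over groups and farms. The following PowerShell is an added example, not Microsoft code, that models those rules over a constructed assignment table so you can answer "what can this person do on this farm?" before you grant anything. The principal, group and farm names, and the '<all>' marker for the all-service-instances level, are assumptions for the walk-through.

```powershell
# Added example (not from the article): model of Connect Health RBAC resolution.
$RoleRank     = @{ Owner = 3; Contributor = 2; Reader = 1 }   # the only roles that count
$AllInstances = '<all>'                                       # the "all service instances" level

# Constructed assignments. Scope is $AllInstances or a service identifier (farm name).
$Assignments = @(
    [pscustomobject]@{ Principal = 'Hybrid Identity Administrators'; Role = 'Owner';       Scope = $AllInstances }   # implicit, not removable
    [pscustomobject]@{ Principal = 'SOC-Analysts';                   Role = 'Reader';      Scope = $AllInstances }
    [pscustomobject]@{ Principal = 'ADFS-Operators';                 Role = 'Contributor'; Scope = 'sts.contoso.com' }
    [pscustomobject]@{ Principal = 'ADFS-Operators';                 Role = 'User Access Administrator'; Scope = $AllInstances }   # ignored
)

function Get-ConnectHealthEffectiveRole {
    # Highest Connect Health role a principal (directly or via group) holds for one
    # service instance. A grant at either level counts, so a directory-level Reader
    # who is Contributor on one farm resolves to Contributor there, Reader elsewhere.
    param(
        [Parameter(Mandatory)] [string]$Principal,
        [string[]]$MemberOf = @(),
        [Parameter(Mandatory)] [string]$ServiceInstance
    )
    $ids  = @($Principal) + $MemberOf
    $hits = @($Assignments | Where-Object {
        $ids -contains $_.Principal -and
        $RoleRank.ContainsKey($_.Role) -and
        ($_.Scope -eq $AllInstances -or $_.Scope -eq $ServiceInstance)
    })
    if ($hits.Count -eq 0) { return 'None' }
    ($hits | Sort-Object { $RoleRank[$_.Role] } -Descending | Select-Object -First 1).Role
}

function Test-ConnectHealthPermission {
    # Action check derived from the role table: Owner manages access,
    # Owner and Contributor change settings, any role can view.
    param(
        [Parameter(Mandatory)] [string]$Role,
        [ValidateSet('ManageAccess', 'ChangeSettings', 'View')] [string]$Action
    )
    switch ($Action) {
        'ManageAccess'   { $Role -eq 'Owner' }
        'ChangeSettings' { $Role -in 'Owner', 'Contributor' }
        'View'           { $Role -ne 'None' }
    }
}

# Walk-through: alice is a member of SOC-Analysts and ADFS-Operators.
foreach ($svc in 'sts.contoso.com', 'sync.contoso.com') {
    $role    = Get-ConnectHealthEffectiveRole -Principal 'alice' -MemberOf 'SOC-Analysts', 'ADFS-Operators' -ServiceInstance $svc
    $canEdit = Test-ConnectHealthPermission -Role $role -Action ChangeSettings
    '{0,-18} role={1,-11} can change notification settings={2}' -f $svc, $role, $canEdit
}
```

In the walk-through alice resolves to Contributor on sts.contoso.com (the farm-level grant outranks her directory-level Reader) and to Reader on sync.contoso.com, where only the directory-level grant applies; the User Access Administrator assignment changes nothing, which matches the note that other Azure roles have no effect here. Replace the constructed table with an export of your real assignments to use it as an audit check.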

Allow users or groups access to Azure AD Connect Health

The following steps show how to allow access.

Step 1: Select the appropriate access scope

To allow a user access at the all service instances level within Azure AD Connect Health, open the main blade in Azure AD Connect Health.

Step 2: Add users and groups, and assign roles

  1. From the Configure section, click Users.
  2. Select Add.
  3. In the Select a role pane, select a role (for example, Owner).
  4. Type the name or identifier of the targeted user or group. You can select one or more users or groups at the same time. Click Select.
  5. Select OK.
  6. After the role assignment is complete, the users and groups appear in the list.

Now the listed users and groups have access, according to their assigned roles.

Note

  • Global administrators always have full access to all the operations, but global administrator accounts are not present in the preceding list.
  • The Invite Users feature is not supported within Azure AD Connect Health.

After you assign permissions:

  1. The user can access Azure AD Connect Health by opening the Azure AD Connect Health blade in the Azure portal.
  2. On the blade, the user can pin the blade, or different parts of it, to the dashboard by clicking the Pin to dashboard icon.

Note

A user with the Reader role assigned is not able to get the Azure AD Connect Health extension from the Azure Marketplace, because the user cannot perform the "create" operation that requires. The user can still reach the blade by navigating directly to Azure AD Connect Health in the Azure portal, and can pin the blade to the dashboard for subsequent use.

Remove users or groups

You can remove a user or a group added to Azure AD Connect Health and Azure RBAC. Simply right-click the user or group, and select Remove.

Next steps

  • Azure AD Connect Health
  • Azure AD Connect Health Agent installation
  • Using Azure AD Connect Health with AD FS
  • Using Azure AD Connect Health for sync
  • Using Azure AD Connect Health with AD DS
  • Azure AD Connect Health FAQ
  • Azure AD Connect Health version history

FAQs

Which components are included with Microsoft Azure Active Directory Connect Health? ›

All of them: Azure AD Connect Health provides a monitoring agent for Active Directory Federation Services (AD FS) and Web Application Proxy servers, an agent for the Azure AD Connect sync server, and an agent for Active Directory Domain Services (AD DS) domain controllers. Each agent reports into the same Azure AD Connect Health service in the Azure portal.

What is Azure Active Directory Connect health? ›

Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components.

What are the three primary components of Azure Active Directory AD connect? ›

Azure Active Directory Connect is made up of three primary components: the synchronization services, the optional Active Directory Federation Services component, and the monitoring component named Azure AD Connect Health.

What is Azure Active Directory and why is it used? ›

Azure Active Directory (Azure AD) is a cloud-based identity and access management service. This service helps your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Which actions can you perform with Microsoft Azure Active Directory Connect? ›

Azure AD Connect can connect to multiple on-premises forests and multiple Exchange organizations, and it can synchronize customer-defined attributes. It does not use Forefront Identity Manager synchronization rules.

Does Azure AD Connect need a VPN? ›

No. The Azure AD Connect sync server talks to Azure AD over outbound HTTPS, so it needs Internet connectivity on port 443 (directly or through a proxy) but not a VPN. The statement that Azure AD authentication is supported only for OpenVPN connections with the Azure VPN Client refers to Azure VPN Gateway point-to-site connections, an unrelated feature.

Which of the following options is the requirement of Azure AD Connect? ›

The Azure AD Connect prerequisites list minimum hardware for the computers running AD FS or Web Application Proxy: a dual-core 1.6 GHz or faster CPU, 2 GB or more of memory, and, on an Azure VM, an A2 configuration or higher. The sync server itself additionally requires a supported Windows Server version and outbound HTTPS connectivity to Azure AD.

Does Azure AD Connect use SQL server? ›

Yes. Azure AD Connect requires a SQL Server database to store data. You can either use the SQL Server Express LocalDB installed with Azure AD Connect (SQL Server 2012 Express in version 1.x, SQL Server 2019 Express in version 2.x) or use your own full version of SQL Server.

How many instances of Azure AD Connect are needed? ›

For each Azure AD directory, you need one Azure AD Connect sync server installation. The Azure AD directory instances are by design isolated and users in one cannot see users in the other directory.

What are the two basic users types in Azure AD? ›

Azure AD distinguishes two user types through the UserType attribute: member users, who belong to the organization (created in the cloud or synchronized from on-premises AD by Azure AD Connect), and guest users, who are external identities invited through B2B collaboration and get restricted default permissions. Consumer accounts are a separate concept used by applications registered with Azure AD B2C.

What are the two basic types of Active Directory objects? ›

Once defined, data is stored within the active directory as individual objects. Every object must be unique and represent a single thing, such as a user, computer, or a unique group of things (e.g. user group). The two primary types of objects are resources and security principals.

How many types of Active Directory are there? ›

Microsoft uses the Active Directory name for several Windows Server roles: Active Directory Domain Services (AD DS), Lightweight Directory Services (AD LDS), Federation Services (AD FS), Certificate Services (AD CS), and Rights Management Services (AD RMS). Azure AD and Azure AD Domain Services are their cloud counterparts. Each is deployed in a different way, in different places, and for different purposes.

What is the difference between Microsoft Active Directory and Azure Active Directory? ›

Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider and it can't be used for other purposes to gain backdoor access. Active Directory doesn't natively support mobile devices without third-party solutions.

What is Active Directory simple answer? ›

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. The database (or directory) contains critical information about your environment, including what users and computers there are and who's allowed to do what.

Which actions can you perform with Microsoft Azure Active Directory Connect but not with Microsoft Azure Active Directory Sync? ›

Azure AD Connect can connect to multiple on-premises Exchange organizations and synchronize customer-defined attributes; the earlier Azure Active Directory Sync tool could not.

How do I connect to Microsoft Active Directory? ›

To join a Windows device to Azure AD: open Settings, select Accounts, select Access work or school, and then select Connect. On the Set up a work or school account screen, select Join this device to Azure Active Directory.

Does Azure AD Connect need to be on a domain controller? ›

"Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server when using express settings. If you use custom settings, then the server can also be stand-alone and does not have to be joined to a domain."

Where is Active Directory database is stored? ›

The AD database is the NTDS.DIT file in the NTDS folder under the system root, usually C:\Windows\NTDS. AD uses multimaster replication to keep the data store consistent on all domain controllers.

What are 4 methods you can use to install Active Directory domain Services? ›

The Windows Server documentation on installing AD DS covers installing AD DS by using Windows PowerShell, installing AD DS by using Server Manager, and performing a staged read-only domain controller (RODC) installation by using the graphical user interface.

What are the three types of role basic access controls in Microsoft Azure? ›

The way you control access to resources using Azure RBAC is to assign Azure roles. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.

How many types of authentication methods are there in Azure AD Connect? ›

Azure AD Connect supports three user sign-in methods: password hash synchronization, pass-through authentication, and federation (with AD FS or a third-party federation provider). These are separate from the three passwordless options Azure AD offers to end users: Windows Hello for Business, the Microsoft Authenticator app, and FIDO2 security keys.

How many types of managed identities are there in Azure? ›

There are two types of managed identities: system-assigned, which is enabled directly on an Azure resource such as a virtual machine and shares that resource's lifecycle, and user-assigned, which is created as a standalone Azure resource and can be assigned to one or more resources.

What are the 4 parts of an Active Directory? ›

The key components include domain, tree, forest, organizational unit, and site. As you read through each structural component description, consider that domains, trees, forest, and sites are not only integral with Active Directory but also integral with DNS.

What are the main service models offered by Azure? ›

Azure offers four forms of cloud computing: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), and serverless functions. This gives users the flexibility to use their preferred tools and technologies.

What are the two main components of Active Directory? ›

The Active Directory structure is comprised of three main components: domains, trees, and forests.

Why is Azure Active Directory used? ›

Help protect your users and data

Azure Active Directory (Azure AD), part of Microsoft Entra, is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against 99.9 percent of cybersecurity attacks.

What types of data can be stored in Azure Storage? ›

Azure Storage offers blobs (objects), files, queues, tables, and managed disks. Each has its own use cases and pricing tiers, usually based on performance and availability, so understand the workload before choosing one.

What are the main features of Active Directory? ›

The main function of Active Directory is to enable administrators to manage permissions and control access to network resources. In Active Directory, data is stored as objects, which include users, groups, applications, and devices, and these objects are categorized according to their name and attributes.

Article information

Author: Pres. Lawanda Wiegand

Last Updated: 03/29/2023
