Today I’m happy to get to share the news that Azure AD Connect Health for Sync is now Generally Available (GA)!
Connect Health for ADFS has been one of the most rapidly adopted Azure AD capabilities we’ve ever built so I’m excited to expand on that success with the addition of this new monitoring support. We know that your identity infrastructure is mission critical, so making it rock solid and providing you built in tools and services to monitor the availability and performance of that infrastructure across on-premises and the cloud is a critical part of our vision.
To give you a detailed run down of these new capabilities, I’ve asked Varun Karandikar from our AD Fabric PM team to write up a guest blog. You’ll find it below.
As always, we hope you’ll find this enhancement useful and we’d love to receive any feedback or suggestions you have!
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
I’m Varun Karandikar, a PM on the Azure AD Connect Health team. With the growing success of Azure AD Connect, customer’s have been sending us a pretty clear message – they need tools and service to monitor both the authentication components and the sync engine of Azure AD Connect. I’m pleased to announce that the ability to monitor the sync engine with Azure AD Connect Health is now generally available. Azure AD Connect Health for sync addresses this requirement without any additional configuration or hardware. After installing and configuring the latest version of Azure AD Connect (version 1.0.9125 or higher), all you need to do is visit https://aka.ms/aadconnecthealth to view your Azure AD Connect Health Dashboard.
As we developed Connect Health for sync, there were a few common asks we heard from admins managing sync:
- Do I have any critical errors that prevents synchronizations from functioning correctly and can I be notified when this happens?
- How long does sync usually take and is my current sync taking a long time? Can I establish a baseline to set the right expectations with other teams in my organization that depend on it?
- How many objects were added, deleted, updated on an ongoing basis?
- What’s the trend of number of Object Level Sync errors? Are they increasing? Can I generate a report for these errors? How can I fix them quickly?
If these questions resonate with you, let’s learn more about the capabilities for Connect Health for sync that target these questions.
The sync component of Azure AD Connect is critical to ensuring that identities remain converged between your on-premises directories and Azure AD. Similar to Azure AD Connect Health for AD FS, Connect Health for sync offers alerts with email notifications for critical failures in the sync engine. An alert will tell you what the issue is, how to fix it and provide additional data on the issue along with links to relevant documentation.
The service monitors important components and operations of the sync engine. As a service we continue to add more checks based on customer feedback and support telemetry. Below are some additional details on how we detect and generate alerts.
- The alert engine covers password sync agent, import and export operations on all connectors, sync engine database and the sync engine windows service.
- It uses error events, sync run profile logs and performance counters to perform this analysis.
- It can detect different conditions that causes critical sync failures such as authentication failures, failure due to corrupt encryption keys, sync quota exceeding the current set limit, export operation failing due to the object deletion threshold, repetitive connection failures etc.
- Additionally, the service also monitors the machine through performance counters to ensure that the server is not overloaded for any reason.
Email Notification for Alerts
Don’t forget to enable email notifications for any critical alert that occurs for sync. It’s pretty simple. You can enable this by clicking the “Email notifications” button from the alerts blade and provide a custom email address where the notifications should be sent to. Usually a group email address works best or you can simply check the box to send mail to all your global administrators.
Sync Operational Insights
Using alerts for critical failures may not be enough for a monitoring solution. Having access to key data points is equally important and valuable to identity admins. Sync operational insights makes it easy to view the activity of the synchronization connecting your on-premises directory with Azure AD. Today we offer two graphs for each of your Azure AD Connect servers as you can see below. Let’s examine this further.
Sync Run Profile Latency
This sync run profile latency chart shows how long sync operations take and makes it easy to visualize this over a period of time. This allows admins to:
- Understand standard latency for operations
- Visually detect spikes that may occur due to a large set of changes (sometimes unexpected) or due to other latency in the network.
One can change the time range to be either last 24 hours (default), last 3 days or last 7 days by clicking the “Time Range” command. By default, we show the latency associated with the Export operation to Azure AD. You can right click and select “Filter” to select other operations as seen above.
Export Statistics to Azure AD
The export statistics graph is targeted at providing visibility to the number of changes that are being exported to Azure AD. It shows the trend for different actions such as add, update, deletes and failures that are performed during the export operation to Azure AD. For example, a large number of adds or deletes can be easily visualized through this graph.
Last Export to Azure AD:
We’ve also made it easy to know when was the last export operation to Azure AD was performed. I usually pin this part to my dashboard, simply by right clicking and selecting “Pin to dashboard”. The information in this part is refreshed every 15 minutes.
Additional Update: Alert Feedback for ADFS and Sync
Our goal as an Azure AD service is to ensure that the service is very simple to setup with little and almost no configuration, we want to make sure it adds value and helps in making your on-premises identity infrastructure more reliable for the consumption of Microsoft Online Services. To that extent Connect Health focuses on a simple and noise free alerting solution and your on-going feedback is important to us to make the right adjustment to the monitoring rules for a noise free solution..
To make it easy for you to provide feedback, we’ve added the capability for you to provide us feedback directly into the alerts blade. Your feedback and comments is going to help us make the service better for you.
- Deploying Connect Health for sync requires no added configuration or hardware. Install the latest Azure AD Connect (version 1.0.9125 or higher) and you’re set.
- You can access the dashboard at https://aka.ms/aadconnecthealth after installing Azure AD Connect. It takes 3-5 minutes for the data to initially appear.
- AAD Connect Health Requires an Azure AD Premium subscription. See Getting started with Azure AD Premium or get a start a trial
- Connect Health for sync provides
- Detailed documentation for Connect Health is available here.
A quick video showing Azure AD Connect Health for sync in action is available here.
We are continuing to work on additional features in this area such as provide an easy way to consume and remediate sync errors that can occur.
As always, we’d love to get your feedback. If you have any feedback, questions or see issues please leave a comment at the bottom of this post or send us a note to email@example.com.
Varun Karandikar (Twitter: @varundikar)