-
Notifications
You must be signed in to change notification settings - Fork 898
Expand file tree
/
Copy pathreference-connect-health-faq.yml
More file actions
226 lines (179 loc) · 16.2 KB
/
reference-connect-health-faq.yml
File metadata and controls
226 lines (179 loc) · 16.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
### YamlMime:FAQ
metadata:
title: Microsoft Entra Connect Health FAQ - Azure
description: This FAQ answers questions about Microsoft Entra Connect Health. This FAQ covers questions about using the service, including the billing model, capabilities, limitations, and support.
author: omondiatieno
manager: mwongerapk
ms.assetid: f1b851aa-54d7-4cb4-8f5c-60680e2ce866
ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.custom: no-azure-ad-ps-ref
- sfi-ga-nochange
ms.topic: faq
ms.date: 12/27/2024
ms.author: jomondi
title: Microsoft Entra Connect Health frequently asked questions
summary: This article includes answers to frequently asked questions (FAQs) about Microsoft Entra Connect Health. These FAQs cover questions about how to use the service, which includes the billing model, capabilities, limitations, and support.
sections:
- name: General questions
questions:
- question: |
I manage multiple Microsoft Entra directories. How do I switch to the one that has Microsoft Entra ID P1 or P2?
answer: |
To switch between different Microsoft Entra tenants, select the currently signed-in **User Name** on the upper-right corner, and then choose the appropriate account. If the account isn't listed here, select **Sign out.** Next, use the Global Administrator credentials of the directory that has Microsoft Entra ID P1 or P2 (P1 or P2) enabled to sign in.
- question: |
What version of identity roles are supported by Microsoft Entra Connect Health?
answer: |
The following table lists the roles and supported operating system versions.
|Role| Operating system / Version|
|--|--|
|Active Directory Federation Services (AD FS)| <ul><li>Windows Server 2012 R2 </li> <li> Windows Server 2016 </li> <li> Windows Server 2019 </li> <li> Windows Server 2022 </li> </ul>|
|Microsoft Entra Connect | Version 1.0.9125 or higher|
|Active Directory Domain Services (AD DS)| <ul><li>Windows Server 2012 R2 </li> <li> Windows Server 2016 </li> <li> Windows Server 2019 </li> <li> Windows Server 2022 </li> </ul>|
Windows Server Core installations aren't supported.
The features provided by the service may differ based on the role and the operating system. All of the features may not be available, for all operating system versions. See the feature descriptions for details.
- question: |
How many licenses do I need to monitor my infrastructure?
answer: |
* The first Connect Health Agent requires at least one Microsoft Entra P1 or P2 license.
* Each additional registered agent requires 25 more Microsoft Entra P1 or P2 licenses.
* Agent count is equivalent to the total number of agents that are registered across all monitored roles (AD FS, Microsoft Entra Connect, and/or AD DS).
* Microsoft Entra Connect Health licensing doesn't require you to assign the license to specific users. You only need the requisite number of valid licenses.
Licensing information is also found on the [Microsoft Entra pricing page](https://aka.ms/aadpricing).
Example:
| Registered agents | Licenses needed | Example monitoring configuration |
| ------ | --------------- | --- |
| 1 | 1 | 1 Microsoft Entra Connect server |
| 2 | 26| 1 Microsoft Entra Connect server and 1 domain controller |
| 3 | 51 | 1 Active Directory Federation Services (AD FS) server, 1 AD FS proxy, and 1 domain controller |
| 4 | 76 | 1 AD FS server, 1 AD FS proxy, and 2 domain controllers |
| 5 | 101 | 1 Microsoft Entra Connect server, 1 AD FS server, 1 AD FS proxy, and 2 domain controllers |
- name: Installation questions
questions:
- question: |
Does my agent installation get updated automatically when there's a new version of the agent?
answer: |
Yes, all agents are updated automatically when there's a new version of the agent.
- question: |
Can I opt out or disable automatic upgrade of the agent?
answer: |
No, automatic upgrade is mandatory. If you don't want the agent to be upgraded when a new version is released, you should uninstall the agent.
- question: |
What is the impact of installing the Microsoft Entra Connect Health Agent on individual servers?
answer: |
The impact of installing the Microsoft Entra Connect Health Agent, AD FS, web application proxy servers, Microsoft Entra Connect (sync) servers, and domain controllers is minimal with respect to the CPU, memory consumption, network bandwidth, and storage.
The following numbers are an approximation:
* CPU consumption: ~1-5% increase.
* Memory consumption: Up to 10 % of the total system memory.
> [!NOTE]
> If the agent can't communicate with Azure, the agent stores the data locally for a defined maximum limit. The agent overwrites the “cached” data on a “least recently serviced” basis.
>
>
* Local buffer storage for Microsoft Entra Connect Health Agents: ~20 MB.
* For AD FS servers, we recommend that you provision a disk space of 1,024 MB (1 GB) for the AD FS audit channel for Microsoft Entra Connect Health Agents to process all the audit data before it's overwritten.
- question: |
Will I have to reboot my servers during the installation of the Microsoft Entra Connect Health Agents?
answer: |
No. The installation of the agents won't require you to reboot the server. However, installation of some prerequisite steps might require a reboot of the server.
For example, installation of .NET 4.6.2 Framework may require a server reboot.
- question: |
Does Microsoft Entra Connect Health work through a pass-through HTTP proxy?
answer: |
Yes. For ongoing operations, you can configure the Health Agent to use an HTTP proxy to forward outbound HTTP requests.
Read more about [configuring HTTP Proxy for Health Agents](how-to-connect-health-agent-install.md#configure-azure-ad-connect-health-agents-to-use-http-proxy).
If you need to configure a proxy during agent registration, you might need to modify your Internet Explorer Proxy settings beforehand.
1. Open Internet Explorer > **Settings** > **Internet Options** > **Connections** > **LAN Settings**.
2. Select **Use a Proxy Server for your LAN**.
3. Select **Advanced** if you have different proxy ports for HTTP and HTTPS/Secure.
- question: |
Does Microsoft Entra Connect Health support Basic authentication when connecting to HTTP proxies?
answer: |
No. A mechanism to specify an arbitrary user name and password for Basic authentication isn't currently supported.
- question: |
What firewall ports do I need to open for the Microsoft Entra Connect Health Agent to work?
answer: |
See the [requirements section](how-to-connect-health-agent-install.md#requirements) for the list of firewall ports and other connectivity requirements.
- question: |
Why do I see two servers with the same name in the Microsoft Entra Connect Health portal?
answer: |
When you remove an agent from a server, the server isn't automatically removed from the Microsoft Entra Connect Health portal. If you manually remove an agent from a server or remove the server itself, you need to manually delete the server entry from the Microsoft Entra Connect Health portal. To delete monitored servers from Microsoft Entra Connect Health, you must have either Microsoft Entra Global Administrator account permissions or the Contributor role in Azure role-based access control.
You might reimage a server or create a new server with the same details (such as machine name). If you didn't remove the already registered server from the Microsoft Entra Connect Health portal, and you installed the agent on the new server, you might see two entries with the same name.
In this case, manually delete the entry that belongs to the older server. The data for this server should be out of date.
- question: |
Can I install the Microsoft Entra Connect Health agent on Windows Server Core?
answer: |
No. Installation on Server Core isn't supported.
- question: |
After installing Microsoft Entra Connect Sync, with an account that has the Hybrid Administrator role, why is the Connect Health for Sync Agent disabled in services?
answer: |
In order to install the Connect Health for Sync Agent, you need to be a Global Administrator. To activate the agent, you need to reinstall the agent using a Global Administrator account.
- name: Health Agent registration and data freshness
questions:
- question: |
What are common reasons for the Health Agent registration failures and how do I troubleshoot issues?
answer: |
The health agent can fail to register due to the following possible reasons:
* The agent can't communicate with the required endpoints because a firewall is blocking traffic. This issue is common on web application proxy servers. Make sure that you allowed outbound communication to the required endpoints and ports. See the [requirements section](how-to-connect-health-agent-install.md#requirements) for details.
* Outbound communication is subjected to a TLS inspection by the network layer. This causes the certificate that the agent uses to be replaced by the inspection server/entity, and the steps to complete the agent registration fail.
* The user can't perform the registration of the agent. Global Administrators can by default. You can use [Azure role-based access control (Azure RBAC)](how-to-connect-health-operations.md#manage-access-with-azure-rbac) to delegate access to other users.
- question: |
I'm getting alerted that "Health Service data isn't up to date." How do I troubleshoot the issue?
answer: |
Microsoft Entra Connect Health generates the alert when it doesn't receive all the data points from the server in the last two hours. [Read more](how-to-connect-health-data-freshness.md).
- name: Operations questions
questions:
- question: |
Do I need to enable auditing on the web application proxy servers?
answer: |
No, auditing doesn't need to be enabled on the web application proxy servers.
- question: |
How do Microsoft Entra Connect Health Alerts get resolved?
answer: |
Microsoft Entra Connect Health alerts get resolved on a success condition. Microsoft Entra Connect Health Agents detect and report the success conditions to the service periodically. For a few alerts, the suppression is time-based. In other words, if the same error condition isn't observed within 72 hours from alert generation, the alert is automatically resolved.
- question: |
I'm getting alerted that "Test Authentication Request (Synthetic Transaction) failed to obtain a token." How do I troubleshoot the issue?
answer: |
Microsoft Entra Connect Health for AD FS generates this alert when the Health Agent installed on an AD FS server fails to obtain a token as part of a synthetic transaction initiated by the Health Agent. The Health agent uses the local system context and attempts to get a token for a self relying party. This behavior is a catch-all test to ensure that AD FS is in a state of issuing tokens.
Most often this test fails because the Health Agent is unable to resolve the AD FS farm name. This state can happen if the AD FS servers are behind a network load balancers and the request gets initiated from a node that's behind the load balancer (as opposed to a regular client that is in front of the load balancer). This issue can be fixed by updating the "hosts" file located under `C:\Windows\System32\drivers\etc` to include the IP address of the AD FS server or a loopback IP address (`127.0.0.1`) for the AD FS farm name (such as `sts.contoso.com`). Adding the host file short-circuits the network call, thus allowing the Health Agent to get the token.
- question: |
I got an email indicating my machines are NOT patched for the recent ransomware attacks. Why did I receive this email?
answer: |
Microsoft Entra Connect Health service scanned all the machines it monitors to ensure the required patches were installed. The email was sent to the tenant administrators if at least one machine didn't have the critical patches. The following logic was used to make this determination.
1. Find all the hotfixes installed on the machine.
2. Check if at least one of the HotFixes from the defined list is present.
3. If Yes, the machine is protected. If Not, the machine is at risk for the attack.
You can use the following PowerShell script to perform this check manually. It implements the above logic.
```powershell
Function CheckForMS17-010 ()
{
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473"
#checks the computer it's run on if any of the listed hotfixes are present
$hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property "HotFixID"
#confirms whether hotfix is found or not
if (Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID})
{
"Found HotFix: " + $hotfix.HotFixID
} else {
"Didn't Find HotFix"
}
}
CheckForMS17-010
```
- question: |
Why are my AD FS audits not being generated?
answer: |
Please use the PowerShell cmdlet <i>Get-AdfsProperties -AuditLevel</i> to ensure audit logs aren't in disabled state. Read more about [AD FS audit logs](/windows-server/identity/ad-fs/technical-reference/auditing-enhancements-to-ad-fs-in-windows-server#auditing-levels-in-ad-fs-for-windows-server-2016). Notice if there are audit settings pushed to the AD FS server, any changes with auditpol.exe are overwritten (event if Application Generated isn't configured). In this case, set the local security policy to log Application Generated failures and success.
- question: |
When will the agent certificate be automatically renewed before expiration?
answer: |
The agent certification is automatically renewed **six months** before its expiration date. If it isn't renewed, ensure the network connection of the agent is stable. Restart the agent services or update to the latest version may also solve the issue.
additionalContent: |
## Related links
* [Microsoft Entra Connect Health](./whatis-azure-ad-connect.md)
* [Microsoft Entra Connect Health Agent installation](how-to-connect-health-agent-install.md)
* [Microsoft Entra Connect Health operations](how-to-connect-health-operations.md)
* [Using Microsoft Entra Connect Health with AD FS](how-to-connect-health-adfs.md)
* [Using Microsoft Entra Connect Health for sync](how-to-connect-health-sync.md)
* [Using Microsoft Entra Connect Health with AD DS](how-to-connect-health-adds.md)
* [Microsoft Entra Connect Health version history](reference-connect-health-version-history.md)