Azure AD Connect Status Test

The Azure Active Directory Connect synchronization service (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations related to synchronizing identity data between your on-premises environment and Azure AD.

Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. The scheduler is responsible for two tasks:

  • Synchronization cycle. The process to import, sync, and export changes.

  • Maintenance tasks. Renew keys and certificates for Password reset and Device Registration Service (DRS). Purge old entries in the operations log.

If users frequently complain that they are unable to access a critical Azure service or log in to a cloud application, more often than not the cause is that the synchronization cycle is not enabled or is still in progress. Until this cycle is enabled or complete, changes made to identity data managed by on-premises AD will not be synced with Azure AD. In the absence of valid identity information in Azure AD, SSO attempts to the cloud will not be authenticated.

Authentication failures can also occur if the scheduler is renewing keys/certificates as part of maintenance, or is evaluating identity changes in the staging mode before exporting them to Azure AD.

Errors that occur during provisioning / synchronization can also result in failed authentication attempts.

To assure users of on-demand access to their cloud resources at all times, administrators should check user logins to the cloud, spot authentication failures quickly, check scheduler operations instantly, and figure out if the scheduler's operational health or settings are impacting cloud access. This is exactly what the Azure AD Connect Status test helps administrators achieve!

This test attempts to log in to a configured Azure AD tenant as a specified user, and reports whether or not Azure AD could authenticate/validate the login. In the process, the test also tracks scheduler operations and reports their status. In the event of an authentication failure, administrators can look up the scheduler-related metrics reported by the test to quickly diagnose the probable cause of the failure: is it owing to the suspension of scheduler operations? Is it because synchronization is yet to complete? Is it because the synchronization cycle is not enabled? Is it because the scheduler was performing maintenance tasks? Or is it due to staging activities of the scheduler? The test also keeps an eye out for synchronization errors, and promptly alerts you to such errors. Detailed diagnostics reveal the complete details of these errors, so you can troubleshoot them quickly and effectively and ensure error-free synchronization.

Target of the Test: A Microsoft Azure Active Directory Connect

Agent deploying the test: An internal agent

Output of the test: One set of results for the Azure AD Connect that is monitored

Configurable parameters for the test
Parameters Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Tenant ID

This test attempts to log in to an Azure AD tenant as a valid user. For this purpose, you need to specify the Directory ID of that Azure AD tenant here. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API.

Username, Password, and Confirm Password

Using the Username and Password text boxes, specify the credentials of a user who has access to the configured Tenant ID. Confirm that password by retyping it in the Confirm Password text box.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measures made by the test:
Measurement Description Measurement Unit Interpretation

Authentication Status

Indicates whether/not the test was able to connect to the configured tenant using the specified user credentials.


The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Success 1
Failure 0

You can use the detailed diagnosis of the test to view when directory synchronization and/or password synchronization last happened on the configured Azure AD tenant, and when the next synchronization is scheduled.

Note:

By default, this measure reports the Measure Values listed in the table above to indicate the authentication status. In the graph of this measure however, the same is represented using the numeric equivalents only.

Is directory synchronization enabled?

Indicates whether/not directory synchronization is enabled.


Directory synchronization is used when identity data is to be synchronized from on-premises Active Directory environments to Azure AD.

The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether/not directory synchronization is enabled. In the graph of this measure however, the same is represented using the numeric equivalents only.

Is password synchronization enabled?

Indicates whether/not password synchronization is enabled.


Azure AD Connect synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.

The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether/not password synchronization is enabled. In the graph of this measure however, the same is represented using the numeric equivalents only.

Time since last directory synchronization

Indicates the time that has elapsed since the last directory synchronization.

Mins

This measure will report a value only if the 'Is directory synchronization enabled?' measure reports the value 'Yes'.

The detailed diagnosis of the Authentication status measure reveals when directory synchronization last occurred, and when the next is scheduled. Using this information, you will be able to deduce the expected time gap between two directory synchronizations.

If the value of this measure is much higher than the time interval revealed by detailed diagnosis, it is a clear indicator that directory synchronization did not occur as per schedule. This warrants an immediate investigation.

Time since last password synchronization

Indicates the time that has elapsed since the last password synchronization.

Mins

This measure will report a value only if the 'Is password synchronization enabled?' measure reports the value 'Yes'.

If the value of this measure is unusually high, it could mean that password synchronization did not occur as per schedule. This warrants an immediate investigation.

Is synchronization cycle enabled?

Indicates whether/not the synchronization cycle is enabled.


When installing Azure Active Directory Connect (AAD Connect), it is sometimes necessary to hold off the initial synchronization until additional configuration has been performed, such as editing synchronization rules or applying certain filtering options.

This measure will inform you whether the scheduler is already running the import, sync, and export processes as part of its operations, or whether it is waiting for certain additional changes (described above) to be completed before it initiates the synchronization.

The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether/not the synchronization cycle is enabled. In the graph of this measure however, the same is represented using the numeric equivalents only.

Is maintenance mode enabled?

Indicates whether/not maintenance mode is enabled.


The scheduler updates the certificates/keys and purges the operations log in the maintenance mode.

The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether/not maintenance mode is enabled. In the graph of this measure however, the same is represented using the numeric equivalents only.

Is staging mode enabled?

Indicates whether/not the staging mode is enabled.


In the staging mode, the scheduler suppresses the exports from running but still runs import and synchronization.

The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether/not the staging mode is enabled. In the graph of this measure however, the same is represented using the numeric equivalents only.

Is scheduler suspended?

Indicates whether/not Azure AD Connect has suspended the scheduler.


Typically, Azure AD Connect sets the 'suspended' mode during an upgrade to temporarily block the scheduler from running.

The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether/not the scheduler is suspended. In the graph of this measure however, the same is represented using the numeric equivalents only.
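As an added example (not eG Enterprise's own code), the following PowerShell derives the four scheduler-related measures described above from the ADSync module's Get-ADSyncScheduler output on the Azure AD Connect server and maps them to the probable-cause questions this page poses. The function name, the -State parameter and the constructed sample object are this example's own, and the property names are assumed to match the cmdlet's output.

```powershell
# Added example: derive the scheduler measures this page describes from
# Get-ADSyncScheduler. -State accepts the real cmdlet output or a constructed
# stand-in so the mapping can be exercised offline (assumption: property names
# below match the ADSync cmdlet).
function Get-AadConnectSchedulerMeasures {
    param(
        [Parameter(Mandatory)] $State,                       # Get-ADSyncScheduler output
        [datetime] $Now = (Get-Date).ToUniversalTime()       # reference time (UTC)
    )
    # Yes/No measure value with the numeric equivalent used in graphs.
    $yesNo = { param($b) if ($b) { 'Yes (1)' } else { 'No (0)' } }

    $measures = [ordered]@{
        'Is synchronization cycle enabled?' = & $yesNo $State.SyncCycleEnabled
        'Is maintenance mode enabled?'      = & $yesNo $State.MaintenanceEnabled
        'Is staging mode enabled?'          = & $yesNo $State.StagingModeEnabled
        'Is scheduler suspended?'           = & $yesNo $State.SchedulerSuspended
        'Is sync cycle in progress?'        = & $yesNo $State.SyncCycleInProgress
    }
    # Minutes until the next scheduled cycle; a negative value means it is overdue.
    $minsToNext = [math]::Round(($State.NextSyncCycleStartTimeInUTC - $Now).TotalMinutes, 1)
    $measures['Minutes until next sync cycle'] = $minsToNext

    # Interpretation: which scheduler condition could explain identity data
    # not reaching Azure AD (the questions raised in the test description)?
    $causes = @()
    if (-not $State.SyncCycleEnabled) { $causes += 'synchronization cycle is not enabled' }
    if ($State.SchedulerSuspended)    { $causes += 'scheduler is suspended (e.g. during an upgrade)' }
    if ($State.StagingModeEnabled)    { $causes += 'staging mode suppresses exports to Azure AD' }
    if ($State.SyncCycleInProgress)   { $causes += 'synchronization is still in progress' }
    if ($minsToNext -lt 0)            { $causes += "next sync cycle is $([math]::Abs($minsToNext)) min overdue" }
    $measures['Probable causes'] = if ($causes) { $causes -join '; ' } else { 'none from scheduler state' }
    [pscustomobject]$measures
}

# Constructed sample state for an offline run. On the server use:
#   Get-AadConnectSchedulerMeasures -State (Get-ADSyncScheduler)
$sample = [pscustomobject]@{
    SyncCycleEnabled            = $true
    MaintenanceEnabled          = $true
    StagingModeEnabled          = $true     # exports suppressed
    SchedulerSuspended          = $false
    SyncCycleInProgress         = $false
    NextSyncCycleStartTimeInUTC = (Get-Date).ToUniversalTime().AddMinutes(-45)  # overdue
}
Get-AadConnectSchedulerMeasures -State $sample | Format-List
```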

Provisioning errors

Indicates the count of provisioning / synchronization errors that occurred.

Number

Ideally, the value of this measure should be 0.

A non-zero value indicates that one or more provisioning errors have occurred, and are a probable cause of the authentication failure. In this case therefore, use the detailed diagnosis of this measure to view the complete details of these errors and resolve them.

You can use the detailed diagnosis of the Authentication status measure to view when directory synchronization and/or password synchronization last happened on the configured Azure AD tenant, and when the next synchronization is scheduled.

Figure 1 : The detailed diagnosis of the Authentication status measure