MS-102 | Chapter 33 of 104 | Objective 2.2

Entra Connect Health Monitoring

This chapter covers Entra Connect Health, a critical monitoring tool for on-premises identity infrastructure connected to Microsoft Entra ID. For the MS-102 exam, questions on this topic appear in approximately 5-8% of the identity domain sections, focusing on deployment, configuration, alert interpretation, and troubleshooting. You will learn the architecture, agent installation, data flow, alert types, and integration with Azure Monitor, as well as common misconfigurations that lead to exam traps.

25 min read
Intermediate
Updated May 31, 2026

Health Monitor as a Building Security System

Imagine a large corporate building with multiple entrances, security cameras, and access card readers. The building's security system (Entra Connect Health) continuously monitors each entrance for anomalies: a door left ajar, a card reader failing, or a camera offline. Sensors (agents) at each entrance send heartbeat signals every 5 minutes to a central security console. If a sensor fails to report, the console flags that entrance as potentially compromised. The security team receives alerts and can drill into the logs to see the last successful card swipe, camera footage, and access attempts. Without this system, a broken door might go unnoticed for days, allowing unauthorized entry. Similarly, Entra Connect Health monitors the health of your on-premises identity infrastructure—Azure AD Connect servers, federation servers, and domain controllers—by collecting performance counters, event logs, and connectivity tests. It detects issues like failed password syncs, high CPU on the sync server, or expired federation certificates before they cause authentication failures. Alerts are sent to Azure Monitor or email, and administrators can view the health status in the Azure portal, just like security personnel watching the console. The analogy breaks down when considering that the health service also provides usage analytics and proactive recommendations, which a building security system typically does not, but the core monitoring and alerting mechanism is directly parallel.

How It Actually Works

What is Entra Connect Health?

Entra Connect Health is a cloud-based monitoring service that provides proactive alerts, performance insights, and usage analytics for your on-premises identity infrastructure when connected to Microsoft Entra ID (formerly Azure AD). It monitors three main components:

- Azure AD Connect (Sync) – The server running the sync engine.
- Active Directory Federation Services (AD FS) – Federation servers and proxies.
- Domain Controllers – On-premises AD domain controllers.

The service runs as an agent on each monitored server, collecting data and sending it to the Entra Connect Health service in Azure. It helps administrators detect issues like sync failures, authentication errors, certificate expiry, and high resource utilization before they impact users.

How It Works Internally

The Entra Connect Health agent is installed on the server to be monitored. For Azure AD Connect, it is typically installed on the same server. For AD FS and domain controllers, separate agents are installed. The agent collects data from:

- Windows Event Logs – Security, Application, and System logs.
- Performance Counters – CPU, memory, disk, network, and AD-specific counters.
- WMI queries – For system and service state.
- AD FS-specific data – For AD FS, the agent collects from the AD FS audit logs and the AD FS configuration database.

The agent compresses and encrypts this data using TLS 1.2 and sends it to the Entra Connect Health service endpoint (https://connecthealth.azure.com) every 5 minutes by default (for performance data) and near-real-time for alerts. The service then processes the data, applies rules to detect anomalies, and generates alerts if thresholds are exceeded.

Key Components and Defaults

- Agent Types:
  - Azure AD Connect Health Agent for Sync (installed on the Azure AD Connect server)
  - Azure AD Connect Health Agent for AD FS (installed on each AD FS server and proxy)
  - Azure AD Connect Health Agent for AD DS (installed on each domain controller)
- Data Collection Intervals:
  - Performance counters: every 5 minutes
  - Event logs: near real-time (within 1-2 minutes)
  - Alerts: generated within 5-10 minutes of issue detection
- Alert Thresholds (default):
  - CPU usage > 90% for 15 minutes
  - Memory usage > 90% for 15 minutes
  - Password sync failure > 5 consecutive attempts
  - AD FS token request failures > 10% of total requests over 5 minutes
  - Certificate expiry within 30 days
- Data Retention: 30 days for raw data, 90 days for alerts and usage analytics
- Ports and Protocols:
  - Outbound HTTPS (TCP 443) to *.blob.core.windows.net, *.queue.core.windows.net, *.table.core.windows.net, *.servicebus.windows.net
  - No inbound ports required
- Authentication: The agent uses a service identity that is created when you register the agent with your Entra ID tenant. The identity is a managed service account (gMSA) or a virtual service account.

Configuration and Verification Commands

Installation of Health Agent for Sync:

1. Download the agent from the Azure portal: Entra Connect Health > Download.
2. Run AzureADConnectHealthSyncAgentSetup.exe on the Azure AD Connect server.
3. During installation, you will be prompted to authenticate with your Entra ID global admin credentials.
4. After installation, verify the service status:

Open Services.msc and look for "Azure AD Connect Health Sync Insights Service" and "Azure AD Connect Health Sync Monitoring Service".

Both should be running.

Verification using PowerShell:

Get-Service -Name *ADConnectHealth*

Expected output:

Status   Name               DisplayName
------   ----               -----------
Running  ADConnectHealthSyncInsights  Azure AD Connect Health Sync Insights Service
Running  ADConnectHealthSyncMonitoring  Azure AD Connect Health Sync Monitoring Service

Check agent registration:

Get-AzureADConnectHealthAgentRegistration

This cmdlet returns the agent ID and last heartbeat time. If the agent is not registered, you will see an error.

For AD FS agents:

Get-Service -Name *ADFederationHealth*

Expected: ADFederationHealthService running.

How It Interacts with Related Technologies

Azure Monitor: Entra Connect Health alerts can be forwarded to Azure Monitor for integration with other monitoring tools. This is configured in the Health service settings in the Azure portal. Alerts appear as Azure Monitor alerts and can trigger actions like email, SMS, or webhooks.

Microsoft Entra Admin Center: The health status is displayed in the Entra admin center under "Health" > "Connect Health". Here you can see the overall health of each monitored component, recent alerts, and performance charts.

Microsoft 365 Defender: Some health alerts related to security (e.g., AD FS token replay) may appear in the Defender portal.

Azure AD Connect: The Health agent for Sync monitors the sync engine’s operational status, including import/export cycles, delta syncs, and password hash sync. If the sync service stops, an alert is raised.

Common Alerts and Their Meanings

Password Synchronization Failure: The agent detects that password hash sync has failed for more than 5 consecutive cycles. This could be due to network issues, SQL Server connectivity, or permissions.

AD FS Token Request Failure Rate: The percentage of failed token requests exceeds 10% over a 5-minute window. Common causes: expired certificates, misconfigured relying party trusts, or network issues.

High CPU Usage: CPU > 90% for 15 minutes on the sync server. This may indicate a need to scale up the server or reduce sync frequency.

Certificate Expiry: A certificate used by AD FS (token-signing, token-decrypting, or service communications) will expire within 30 days. The alert provides the certificate name and thumbprint.

Domain Controller Replication Error: An on-premises domain controller has a replication failure that could affect authentication or sync.
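The default rules described in this section and under Key Components, modelled over constructed samples. This is an added example, not code from the chapter or from Microsoft; the function names are my own, and the sample values are constructed. It shows why a threshold alert needs three consecutive 5-minute samples before it can fire, how the "more than 5 consecutive" password sync rule is counted, and how the 30-day and 7-day certificate windows map to severity.

```powershell
# Added example (not from the chapter or from Microsoft): models the default
# alert rules above over constructed samples. Function names are my own.

function Test-SustainedThreshold {
    # $Samples: objects with Time ([datetime]) and Value ([double]), oldest first,
    # one per collection interval (5 minutes by default).
    param(
        [Parameter(Mandatory)] [object[]] $Samples,
        [double] $Threshold = 90,
        [int] $DurationMinutes = 15,
        [int] $IntervalMinutes = 5
    )
    # 15 minutes at a 5-minute cadence means three consecutive samples must be over.
    $needed = [math]::Ceiling($DurationMinutes / $IntervalMinutes)
    if ($Samples.Count -lt $needed) { return $false }
    $window = $Samples[-$needed..-1]
    $notOver = @($window | Where-Object { $_.Value -le $Threshold })
    # Each sample represents the interval ending at its timestamp, so the covered
    # span is the gap between first and last sample plus one interval.
    $span = ($window[-1].Time - $window[0].Time).TotalMinutes + $IntervalMinutes
    return ($notOver.Count -eq 0 -and $span -ge $DurationMinutes)
}

function Test-ConsecutiveFailures {
    # $Results: ordered password hash sync cycle outcomes, $true = success.
    param([Parameter(Mandatory)] [bool[]] $Results, [int] $MaxConsecutive = 5)
    $run = 0
    foreach ($ok in $Results) {
        if ($ok) { $run = 0 } else { $run++ }
        if ($run -gt $MaxConsecutive) { return $true }   # more than 5 in a row
    }
    return $false
}

function Get-CertificateExpirySeverity {
    # 7-day (Critical) and 30-day (Warning) windows as stated in this chapter.
    param([Parameter(Mandatory)] [datetime] $NotAfter, [datetime] $Now = (Get-Date))
    $days = ($NotAfter - $Now).TotalDays
    if ($days -le 7)  { return 'Critical' }
    if ($days -le 30) { return 'Warning' }
    return 'Healthy'
}

# Constructed CPU samples (percent) at the default 5-minute cadence.
$t0  = Get-Date '2026-05-31T08:00:00'
$pct = @(40, 95, 97, 93, 96)
$cpu = 0..4 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddMinutes(5 * $_); Value = $pct[$_] }
}
# At 08:10 only two samples are over 90%, so the rule cannot be met yet;
# at 08:15 the last three samples cover a full 15 minutes over the threshold.
Test-SustainedThreshold -Samples $cpu[0..2]
Test-SustainedThreshold -Samples $cpu[0..3]

# Five consecutive failures do not exceed the default; a sixth does.
Test-ConsecutiveFailures -Results @($true, $false, $false, $false, $false, $false)
Test-ConsecutiveFailures -Results @($true, $false, $false, $false, $false, $false, $false)

# A token-signing certificate expiring in 10 days versus 5 days.
Get-CertificateExpirySeverity -NotAfter $t0.AddDays(10) -Now $t0
Get-CertificateExpirySeverity -NotAfter $t0.AddDays(5)  -Now $t0
```

The 5-minute cadence is the reason the chapter says alerts take 5-10 minutes to appear: a single bad sample never satisfies a 15-minute rule.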

Troubleshooting Agent Connectivity

If the agent does not appear in the portal after installation:

1. Check that the server can reach the required endpoints: *.blob.core.windows.net, *.queue.core.windows.net, etc.
2. Verify the agent services are running.
3. Check the agent logs at %ProgramData%\Microsoft\Azure AD Connect Health\Logs.
4. Re-register the agent using the command:

Register-AzureADConnectHealthAgent -AccountType Sync

(requires AzureAD module)
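The verification commands and the troubleshooting steps above, gathered into one read-only pre-flight check. This is an added example, not code from the chapter or from Microsoft. It assumes the service names and log path given in this chapter, uses the connecthealth.azure.com endpoint from the chapter as the default connectivity target (the wildcard storage and service-bus domains cannot be tested directly, so pass the concrete host names from your agent log via -Endpoints), and reads the SCHANNEL and .NET registry values that control TLS 1.2 enablement.

```powershell
# Added example (not from the chapter or from Microsoft): read-only checks for the
# points in the troubleshooting list above. Service names, log path and the default
# endpoint are taken from this chapter; adjust $Endpoints for your environment.
function Test-ConnectHealthAgentPrereqs {
    [CmdletBinding()]
    param(
        [string[]] $Endpoints = @('connecthealth.azure.com'),
        [string]   $LogPath   = "$env:ProgramData\Microsoft\Azure AD Connect Health\Logs"
    )
    $checks = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Name, $Passed, $Detail)
        $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # 1. Agent services (Sync and AD FS agent service names from this chapter).
    $services = Get-Service -Name '*ADConnectHealth*', '*ADFederationHealth*' -ErrorAction SilentlyContinue
    if (-not $services) {
        & $add 'Agent services' $false 'No Connect Health agent service found; is the agent installed?'
    }
    foreach ($svc in $services) {
        & $add "Service $($svc.Name)" ($svc.Status -eq 'Running') "Status: $($svc.Status)"
    }

    # 2. TLS 1.2: SCHANNEL client protocol and .NET strong-crypto settings in the registry.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
    $tlsOk = $tls -and $tls.Enabled -eq 1 -and $tls.DisabledByDefault -eq 0
    $tlsDetail = if ($tls) { "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)" }
                 else { 'Key absent: OS default applies; set it explicitly on older servers' }
    & $add 'SCHANNEL TLS 1.2 client' ([bool]$tlsOk) $tlsDetail
    foreach ($netKey in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $net = Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue
        $netOk = $net -and $net.SchUseStrongCrypto -eq 1 -and $net.SystemDefaultTlsVersions -eq 1
        & $add ".NET TLS ($netKey)" ([bool]$netOk) 'Expect SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1'
    }

    # 3. Outbound HTTPS reachability; the agent never needs inbound ports.
    foreach ($hostName in $Endpoints) {
        $reachable = Test-NetConnection -ComputerName $hostName -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        & $add "Outbound 443 to $hostName" ([bool]$reachable) 'TCP connect only; a proxy or TLS inspection can still block the agent'
    }

    # 4. Agent log folder and how recently it was written (a stale log suggests uploads stopped).
    if (Test-Path $LogPath) {
        $latest = Get-ChildItem -Path $LogPath -File -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $logDetail = if ($latest) { "Latest: $($latest.Name) at $($latest.LastWriteTime)" } else { 'Folder exists but is empty' }
        & $add 'Agent log folder' ([bool]$latest) $logDetail
    } else {
        & $add 'Agent log folder' $false "Not found: $LogPath"
    }
    return $checks
}

Test-ConnectHealthAgentPrereqs | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the monitored server; any row with Passed = False points at the corresponding step in the list above.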

Exam Tips

The MS-102 exam expects you to know which agent to install on which server. For example, the AD FS agent must be installed on every AD FS server and proxy, not just one.

You may be asked to identify the correct outbound URLs needed for the agent to communicate. Common wrong answer: including inbound ports.

Know the default data retention period (30 days for raw data, 90 days for alerts).

Understand that Health alerts are based on aggregated data, not real-time per-second metrics. The minimum alert generation time is 5 minutes.

Be aware that the Health service does NOT require any on-premises database; all data is stored in Azure.

Walk-Through

1. Install Health Agent for Sync

On the Azure AD Connect server, download the Azure AD Connect Health agent for Sync from the Azure portal. Run the installer as an administrator. During installation, you must sign in with a Global Administrator account for the tenant. The agent creates a service principal in Entra ID and registers itself. After installation, two services are created: 'Azure AD Connect Health Sync Insights Service' and 'Azure AD Connect Health Sync Monitoring Service'. These services collect performance counters and event logs every 5 minutes and upload them to Azure. If the installation fails, check that the server has outbound HTTPS access and that TLS 1.2 is enabled.

2. Install Health Agent for AD FS

On each AD FS server and each Web Application Proxy (WAP) server, download and install the Azure AD Connect Health agent for AD FS. The agent must be installed on every server in the farm. During installation, authenticate with Global Administrator credentials. The agent installs a service called 'ADFederationHealthService' that collects AD FS audit logs, performance data, and certificate information. It monitors token requests, sign-ins, and certificate expiry. If you only install on one server, you will miss alerts from other servers, such as a proxy being unreachable.

3. Install Health Agent for Domain Controllers

On each domain controller that you want to monitor, install the Azure AD Connect Health agent for AD DS. This agent collects domain controller performance data, replication status, and security events. It also monitors LDAP traffic and authentication requests. The agent must be installed on all domain controllers to get a complete picture. After installation, the agent registers with Entra ID and begins sending data. The data includes top N processes by CPU usage, disk I/O, and network utilization. This helps identify overloaded domain controllers.

4. Configure Alerts and Notifications

In the Azure portal, navigate to Entra Connect Health > Alerts. You can configure notification recipients by adding email addresses. By default, alerts are sent to the Global Administrators of the tenant. You can also set up webhook notifications to integrate with incident management systems. Each alert has a severity level: Critical, Warning, or Informational. For example, a certificate expiry within 7 days is Critical, while within 30 days is Warning. You can customize the threshold for some alerts, such as the CPU percentage that triggers a high-usage alert. Changes take effect within a few minutes.

5. View Health Dashboard and Reports

In the Entra admin center, go to Health > Connect Health. You will see an overview of all monitored servers, their health status (Healthy, Warning, Critical, or Not Monitored). Click on a component (Sync, AD FS, or AD DS) to see detailed metrics. For Sync, you can see the last sync cycle duration, number of errors, and export status. For AD FS, you can see token request trends, top applications, and failed sign-ins. For AD DS, you can see replication health and top authentication errors. You can also download usage reports in CSV format. The data is updated every 5 minutes.

What This Looks Like on the Job

Enterprise Deployment Scenario 1: Large Multinational with Hybrid Identity

A company with 50,000 users uses Azure AD Connect for password hash sync and seamless SSO. They have three Azure AD Connect servers in a staging mode configuration (one active, two standby). They deploy the Health agent for Sync on all three servers. The Health service alerts them when the active server's CPU exceeds 90% during a large sync cycle, allowing them to switch to a standby server. They also receive an alert when password sync fails due to a network outage between the primary and secondary domain controllers. Without Health, the sync failure might go unnoticed for hours, causing password change delays for users. The company also monitors 20 domain controllers across five sites using the AD DS agent. They use the replication health report to identify a domain controller that was not replicating due to a firewall change. The Health service helped them detect the issue within 10 minutes of the change.

Enterprise Scenario 2: Federation Migration Monitoring

A company planning to migrate from AD FS to managed authentication uses Entra Connect Health to monitor their AD FS farm during the transition. They have four AD FS servers and two WAP servers. The Health agent alerts them to a token-signing certificate that will expire in 10 days. They renew the certificate proactively, avoiding a service outage. During the migration, they use the AD FS usage analytics to identify the top relying parties and their usage patterns, helping them prioritize which apps to migrate first. After migration, they decommission the AD FS servers and uninstall the agents. The Health service continues to monitor the Azure AD Connect server for sync health.

Common Misconfigurations

Installing agents on only some servers: For AD FS, if you install the agent on only one server, you will not receive alerts from other servers. The exam often tests this: the correct answer is to install the agent on every AD FS and WAP server.

Firewall blocking outbound HTTPS: The agent requires outbound HTTPS to specific Azure endpoints. If the firewall only allows inbound, the agent cannot register or upload data. The health status will show "Not Monitored".

Using a non-global admin account for installation: The agent registration requires Global Administrator privileges. If you use a user with a lower role, installation will fail. The exam may present a scenario where installation fails and you need to identify the cause.

Not enabling TLS 1.2: Older servers may have TLS 1.0/1.1 disabled but TLS 1.2 not enabled. The agent requires TLS 1.2. You must enable it via registry or .NET configuration.

How MS-102 Actually Tests This

What MS-102 Tests on This Topic (Objective 2.2)

The MS-102 exam covers Entra Connect Health under the "Identity Access" domain, specifically objective 2.2: "Monitor and troubleshoot identity synchronization and authentication." You will be asked about:

Deployment of Health agents (which agent for which server)

Alert interpretation (e.g., what does "Password Sync Failure" indicate?)

Data retention periods (30 days raw, 90 days alerts)

Required outbound URLs and ports (HTTPS 443 to specific Azure domains)

Integration with Azure Monitor

Troubleshooting agent connectivity

Common Wrong Answers and Why

1. Wrong: Install the AD FS agent on only one server. Candidates think one agent covers the farm. Reality: Each server must have its own agent because the agent collects local performance and event data. If you install on only one, you miss alerts from other servers.

2. Wrong: The agent uses inbound ports. Candidates confuse it with other monitoring tools. Reality: The agent only makes outbound connections; no inbound ports are needed.

3. Wrong: Data is stored on-premises. Candidates think the agent stores data locally. Reality: All data is sent to Azure and retained there. The agent does not use a local database.

4. Wrong: You need to configure the agent with a service account. Candidates think you need to create a domain service account. Reality: The agent uses a managed service account (gMSA) created automatically during installation.

Specific Numbers and Terms on the Exam

Data retention: 30 days for raw performance data, 90 days for alerts and usage analytics.

Alert thresholds: CPU > 90% for 15 minutes, memory > 90% for 15 minutes, password sync failure > 5 consecutive cycles.

Certificate expiry alert: triggers at 30 days (warning) and 7 days (critical).

Outbound URLs: *.blob.core.windows.net, *.queue.core.windows.net, *.table.core.windows.net, *.servicebus.windows.net.

Agent services names: "Azure AD Connect Health Sync Insights Service", "Azure AD Connect Health Sync Monitoring Service", "ADFederationHealthService".

Edge Cases and Exceptions

If the Azure AD Connect server is also a domain controller, you must install both the Sync agent and the AD DS agent. The exam may ask which agents are needed.

For AD FS, if you have a WAP server, you must install the AD FS agent on the WAP as well. The agent on the WAP monitors proxy health.

If you are using Azure AD Connect with staging mode, the Health agent still works and reports on the staging server. The exam may ask if Health works on staging servers (yes).

The Health agent does not support Windows Server Core. It requires a full GUI installation.

How to Eliminate Wrong Answers

If the question asks about agent installation on AD FS, always choose the option that says "on every AD FS server and every Web Application Proxy server."

If the question mentions data storage, choose Azure cloud storage, not on-premises.

If the question asks about connectivity, look for outbound HTTPS to Azure endpoints. Inbound is never required.

For alert interpretation, match the alert description to the symptom. For example, "High CPU usage" means the sync server is overloaded, not that sync is failing.

Key Takeaways

Entra Connect Health monitors Azure AD Connect, AD FS, and domain controllers via separate agents installed on each server.

The agent collects performance counters and event logs every 5 minutes and sends them to Azure via outbound HTTPS only.

Default alert thresholds: CPU >90% for 15 minutes, memory >90% for 15 minutes, password sync failure >5 consecutive cycles.

Data retention: 30 days for raw data, 90 days for alerts and usage analytics.

Certificate expiry alerts trigger at 30 days (Warning) and 7 days (Critical).

All agents require outbound HTTPS to *.blob.core.windows.net, *.queue.core.windows.net, *.table.core.windows.net, and *.servicebus.windows.net.

The AD FS agent must be installed on every AD FS server and every Web Application Proxy server.

Installation requires Global Administrator credentials to register the agent with the tenant.

Health alerts can be forwarded to Azure Monitor for integration with other notification channels.

The Health service does not require any on-premises database; all data is stored in Azure.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Entra Connect Health

Designed specifically for identity components (Azure AD Connect, AD FS, DCs)

Provides pre-built alerts and dashboards for identity health

Agent is lightweight and purpose-built

Automatic alerting with default thresholds

Usage analytics for AD FS and sync (e.g., top apps, sign-in trends)

Azure Monitor (with Log Analytics)

General-purpose monitoring for all Azure and on-premises resources

Requires custom queries and alert rules for identity-specific metrics

Uses Log Analytics agent (MMA) or Azure Monitor agent

No predefined identity health alerts; you must create them

No built-in identity usage analytics; you must query the data

Watch Out for These

Mistake

Entra Connect Health requires an on-premises SQL Server database to store collected data.

Correct

No on-premises database is needed. All data is sent to Azure and stored in the cloud. The agent only collects and forwards data; it does not store it locally beyond temporary buffering.

Mistake

You only need to install the Health agent on one server in an AD FS farm.

Correct

You must install the agent on every AD FS server and every WAP server. Each agent monitors its own server's health. If you install on only one, you will miss alerts from other servers.

Mistake

The Health agent requires inbound firewall rules to receive data.

Correct

The agent only initiates outbound HTTPS connections to Azure. No inbound ports are required. The agent sends data, it does not listen for incoming connections.

Mistake

Health alerts are generated in real-time with no delay.

Correct

Alerts are based on aggregated data collected every 5 minutes. Therefore, alerts can take up to 5-10 minutes to appear after an issue starts. There is no sub-minute alerting.

Mistake

You can use the same Health agent to monitor both Azure AD Connect and domain controllers from a single installation.

Correct

Each component requires its own agent. The Sync agent monitors only Azure AD Connect; the AD DS agent monitors domain controllers. You must install the appropriate agent for each role.


Frequently Asked Questions

What are the outbound URLs required for Entra Connect Health agent?

The agent requires outbound HTTPS (TCP 443) to the following Azure endpoints: *.blob.core.windows.net, *.queue.core.windows.net, *.table.core.windows.net, and *.servicebus.windows.net. No inbound ports are needed. If your firewall restricts outbound traffic, you must allow these URLs. The agent uses these endpoints to upload performance data, event logs, and alerts to the Entra Connect Health service.

How do I install the Entra Connect Health agent for AD FS?

Download the agent from the Azure portal (Entra Connect Health > Download). Run the installer on each AD FS server and each Web Application Proxy server. During installation, sign in with a Global Administrator account for your tenant. The agent creates a service and registers itself. After installation, verify that the 'ADFederationHealthService' is running. The agent will start collecting data and sending it to Azure. It is critical to install on all servers; otherwise, you will not receive alerts from unmonitored servers.

What is the data retention period for Entra Connect Health?

Raw performance data is retained for 30 days. Alerts and usage analytics data are retained for 90 days. After these periods, the data is purged. You cannot extend the retention period. If you need longer retention, you can export the data or forward alerts to Azure Monitor, which has its own retention settings.

Can I monitor domain controllers using Entra Connect Health?

Yes, you can monitor on-premises domain controllers by installing the Azure AD Connect Health agent for AD DS on each domain controller. The agent collects performance counters, replication status, and security events. It provides alerts for issues like replication failures, high CPU, or authentication errors. You must install the agent on every domain controller you want to monitor.

Why is my Health agent showing 'Not Monitored' status?

The 'Not Monitored' status indicates that the agent is not sending data to Azure. Common causes: the agent service is not running, outbound connectivity to Azure endpoints is blocked (firewall/proxy), the agent is not registered (check using Get-AzureADConnectHealthAgentRegistration), or TLS 1.2 is not enabled. Start by verifying the service is running, then check network connectivity, and finally re-register the agent if needed.

What alerts does Entra Connect Health generate for Azure AD Connect?

Common alerts include: Password Synchronization Failure (more than 5 consecutive failures), High CPU Usage (>90% for 15 minutes), High Memory Usage (>90% for 15 minutes), Sync Service Stopped, and Export Errors. Each alert has a severity level (Critical, Warning, Informational). You can view them in the Azure portal under Entra Connect Health > Alerts.

Does Entra Connect Health work with Azure AD Connect in staging mode?

Yes, the Health agent works on Azure AD Connect servers in staging mode. The agent monitors the server's health and sync operations even though the server is not actively synchronizing. This allows you to verify that the staging server is healthy before making it active.
