Connect Health for AD FS data freshness alert troubleshooting steps - Troubleshooting Guide

Step 1

Check if your AD FS security audits are enabled

AD FS can be configured to do service auditing of user logons in order to reveal a level of detail. In order for the Usage Analytics feature to gather and analyze data, the Azure AD Connect Health agent needs the information in the AD FS Audit Logs. These logs are not enabled by default. On your AD FS servers, use the following procedures to enable auditing and to locate the audit logs. To check the status of AD FS security audits:

Click Start, point to Administrative Tools, and then click Local Security Policy.
Double-click Local Policies, and then click Audit Policy.
In the details pane, double-click Audit object access.
Check the status of the audit object policy on the Audit object access Properties page.

Are AD FS security audits enabled?

Yes No

Step 1

Enable AD FS audit events

Depending on your machine settings, we have steps for enabling here AD FS audit events.
Run Restart-Service AdHealth*

Has the alert been mitigated?

Yes No

Step 1

If using AD FS on Windows Server 2016, make sure Verbose AuditLevel is set.

Set-AD FSProperties -AuditLevel Verbose
Run Restart-Service AdHealth*

Has the alert been mitigated?

Yes No

Step 1

Check for multiple service member entries in config.json

Navigate to C:\Program Files\Azure Ad Connect Health ADFS Agent\Insights\config.json
Open the file in a json editor or look for multiple instances of string: ServiceType: AdFederationService

Are there multiple instances?

Yes No

Step 1

Reset registration

Warning: the following steps will remove historical data for the server

Self-resolution is to recreate the entire registration by renaming the machineId value name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent\MachineIdentity
Delete existing config.json file
Re-register by running Register-AzureADConnectHealthAD FSAgent
Delete old server registration from portal

Has the alert been mitigated?

Yes No

Step 1

Look for runtime errors in the agent debug trace

In the event viewer, enable analytic and debug logs.
Find Applications and Service logs\ADHealth-AD FS\Debug
Right click, increase size to 100032 and enable log. Disable and then re-enable to clear.
Restart the insight service by running: Restart-Service AdHealth*
Wait for 5 minutes and refresh the log.
Ctrl-f AgentType = Insights and look for logs with error/authorization information.
If errors look to be related to oAuth/token issuance: Re-register to refresh agent key for insights service and run Register-AzureADConnectHealthAD FSAgent
Otherwise the insights service can be executed in console mode to catch errors: Navigate to C:\Program Files\Azure Ad Connect Health ADFS Agent\Insights and run Microsoft.Identity.Health.ADFS.InsightsService.exe /console
Look at the debug log and find exception items.

Does the debug log show any exceptions that help find root cause of the issue?

Yes No

Step 1

Problem not solved

We are sorry that the problem persists. If you continue to see the same alert after two hours, please reach out to our support team and we will get back to you as soon as possible.

Step 1

Success

Congratulations! Your issue has been solved. Thank your for choosing Azure AD Connect Health.