Azure AD Connect Health - Monitorizar Windows Active Directory

 

Hola, 

Azure AD Connect health, es un servicio ofrecido en Azure que monitoriza tres escenarios y servicios diferentes. 

Los servicios que podemos monitorizar con Azure Ad Connect Health, son; 

• Sync services: Esto es la sincronización que nos proporciona AdConnect como servicio MIM entre Active Directory Domain Services (ADDS, no confundir con Azure Active Directory Domain Services AADDS)  y Azure AD.
• AD FS Services: Este agente es el ideal para monitorizar el servicio ADFS, si cuentas con él en tu organización.
• AD DS Services: Este agente monitorizará nuestro Windows Active Directory Clásico y es el que veremos hoy como poner en marcha.

En esta entrada, os hablaré de la monitorización desde Azure AD Connect Health  ADDS.

Requisitos

• Instalar un agente, requiere una licencia Azure AD P1 o superior
• Instalar un segundo agente, requiere 25 licencias Azure AD P1 o superior (en total 26).
• Resto de agentes, requieren 25 licencias Azure AD P1 o superior, cada uno de ellos.
• Cuenta Azure AD con role de administrador de identidad
• La cuenta es desechable una vez se haya instalado el agente.
• Cuenta con privilegios de administrador en la máquina en la que se ha va a instalar el agente
• Equipos con agente, requieren salida a internet.
• La versión última, lanzada de agente solo requiere puerto 443. Ya no se requiere el puerto 5671 como aparece en la documentación.
• Salida de internet a estas URls:
• login.microsoftonline.com
• secure.aadcdn.microsoftonline-p.com
• login.windows.net
• aadcdn.msftauth.net
• Powershell 5.0 o superior.
• Inspección TLS con inspección deshabilitada en la salida a internet.
• Servidor Windows Server excepto Windows Server Core.

Actualización y mantenimiento

En cuanto al mantenimiento. El agente se auto actualizará, con cada versión. 

Instalación 

• Instalación desatendida, la podéis ver en el siguiente link

• Configuración de salida a través de Proxy, la podéis ver en el siguiente Link

Proceso de instalación manual

1. El agente lo podéis descargar desde vuestro tenant y este link

2. Una vez tengáis este agente descargado y copiado en el servidor donde lo vais a instalar, el proceso de instalación es el siguiente:

Llegado este punto, tendréis que validaros en Azure AD con la cuenta creada con privilegios indicados en los requisitos.

Monitorización de resultado en consola

Comprobación de funcionamiento

Comando de powershell:  Test-AzureADConnectHealthConnectivity -Role ADDS

Saludos

Common problems publishing an app with Verified publisher

 

As Microsoft explain here.

Publisher verification gives app users and organization admins information about the authenticity of the developer's organization, who publishes an app that integrates with the Microsoft identity platform.

When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft. Verifying an app includes using a Microsoft Cloud Partner Program (MCPP), formerly known as Microsoft Partner Network (MPN), account that's been verified and associating the verified PartnerID with an app registration.

Keep in mind that the verified publisher is always a business who is part of the Microsoft Partner ecosystem and also, behind the MPN partnering there is, at least, an Azure tenant.

My post of today collects and explains you how to solve every problem that can appear during the process of getting the blue verified badge indicating the trusted publisher of the app.

This is the representation of the steps you have to keep for getting the registration made successfully. The known problems (in red) are explained below in this article:

Some obstacles that I usually find are so common in the scenario:

1. Lot of times you are publishing an app from different tenant that is associated to the MPN, may be from a tenant of your developers.

2. The above situation leads us to deduce that the domain filled in the MPN partnering as an email contact of your business, is not added in the secondary tenant too. Because a domain is only able to be added in one tenant as a custom domain. therefore. the domain .onmicrosoft.com cannot be used in this process and this domain cannot be the domain of the user who makes the registration (Problem in the steps 2 & 4).

3. Sending an invitation as guest is some times complicated, because the identity that you want to invite, doesn't has a mailbox and the invitation is sent as email. 

The ways to get over the difficulties shown above are:

1. You decide don't make the registration from the main tenant, it needs you to add this second tenant in the MPN Center.

2. You have to verify the domain used in the mail contact filled in MPN Partner Center- organization  profile - Legal Info using a microsoft-identity-association.json 

And the user who makes the registration needs to be a user with a custom domain, in the login name.  So you have to add a custom domain in your tenant previously. 

Example.: user@contosoapp.onmicrosoft.com is not allowed.

It fix this problem: 

The target application's Publisher Domain (publisherDomain) either doesn't match the domain used to perform email verification in Partner Center (pcDomain) or has not been verified. Ensure these domains match and have been verified then try again.

3. After the invitation to a guest has been sent, you are able to get the link that has to be accepted, going to the guest object, and clicking on the Resend Invitation.

For more information: Troubleshoot publisher verification - Microsoft Entra | Microsoft Learn

I hope it helps you.