PRTG Sensor - Monitoring Azure AD Connect

Today, a hybrid cloud strategy is standard for many companies and organizations. With a hybrid cloud strategy, you get the best from both worlds (private and public cloud): high scalability and flexibility, great device management, both on-premises and in the cloud, without compromising your security.

A core component of an Azure hybrid cloud strategy is the tool “Azure AD Connect”, which synchronizes a local Active Directory with Azure AD. Identities (users and groups) are synchronized into Azure AD this way.

Azure AD Connect offers the following functions:

  • Password hash synchronization – A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD.
  • Pass-through authentication – A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
  • Federation integration – Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
  • Synchronization – Responsible for creating users, groups, and other objects, and for making sure the identity information of your on-premises users and groups matches the cloud. This synchronization also includes password hashes.
  • Health Monitoring – Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.

Monitoring the Azure AD Connect Synchronization

When using “Azure AD Connect”, it is important that the synchronization of the local Active Directory with Azure AD works properly at all times. To monitor the synchronization, we use PRTG, a monitoring software from Paessler. PRTG monitors traffic, availability and performance of devices and applications in IT infrastructures. This includes monitoring of classic network devices such as servers, routers, switches and firewalls, as well as virtual environments and also – as in this example – cloud components.

We would like to measure the following “Azure AD Connect” indicators with PRTG:

  • Number of users that have been synchronized
  • Number of groups that have been synchronized
  • Time – Last synchronization of users
  • Time – Last synchronization of the password hash

Prerequisite

A user is required in Azure AD to be able to read the desired indicators. The user must have read permission. https://docs.microsoft.com/de-de/azure/role-based-access-control/built-in-roles#reader

On the PRTG probe, install the PowerShell module “MSOnline” to access the desired Azure AD resources.

Install-Module MSOnline

Image – Enforce TLS 1.2

If the above error message appears (NuGet cannot be installed), TLS 1.2 must be enforced first.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider NuGet

Script

Download the sensor and extract the ZIP to the PRTG path C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML.

PowerShell scripts downloaded from the Internet need to be unblocked.

Unblock-File "Powershell Script - Azure AD Sync.ps1"

PRTG Configuration

Create Device

  • Create a device in PRTG, e.g. Azure (IP address irrelevant, e.g. 127.0.0.1).
  • In the properties of the device, under Credentials for Windows Systems, enter the username and password of the Azure AD user created above. The username must be the email address of the user.

Create Sensor

  • Create an EXE/Script Advanced Sensor.
  • In the sensor settings at script selection, select “ps_azure_ad_sync.ps1”.
  • In the sensor settings at parameter, enter -username "%windowsuser" -password "%windowspassword" (PRTG fills in the credentials stored on the device).
  • Set Timeout to 120s.

Image – PRTG Sensor Settings

Alerting and notification are specific to each environment, so define the desired thresholds yourself in the channel settings under Value Lookups and Limits.
https://www.paessler.com/manuals/prtg/sensor_channels_settings

When everything has been completed, the desired indicators are displayed in the monitoring:

  • Number of users that have been synchronized (SyncedUsers)
  • Number of groups that have been synchronized (SyncedGroups)
  • Last synchronization of users (LastDirectorySync)
  • Last synchronization of the password hash (LastPasswordSync)
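
A sensor script that produces these four channels, written here as an added example (it is not the author's ps_azure_ad_sync.ps1): it takes the same -username/-password parameters, reports the two timestamps as age in minutes so that PRTG limits can be set on them, and returns a PRTG error state when the login fails or synchronization is disabled for the tenant. Assumed and not taken from the page: the -Synchronized switch of Get-MsolUser and the LastDirSyncTime property on group objects.

```powershell
# Added example sensor (not the original ps_azure_ad_sync.ps1): reads the four
# Azure AD Connect indicators via MSOnline and prints them in PRTG EXEXML format.
param(
    [Parameter(Mandatory = $true)][string]$username,   # filled by PRTG from %windowsuser
    [Parameter(Mandatory = $true)][string]$password    # filled by PRTG from %windowspassword
)

# One <result> element per channel; "Custom" units need <customunit> and <float>
function New-PrtgResult([string]$Channel, $Value, [string]$Unit, [string]$CustomUnit) {
    $xml = "  <result><channel>$Channel</channel><value>$Value</value><unit>$Unit</unit>"
    if ($CustomUnit) { $xml += "<customunit>$CustomUnit</customunit><float>1</float>" }
    $xml + "</result>"
}

# Minutes between now (UTC) and a sync timestamp; -1 if the tenant never reported one
function Get-AgeMinutes($SyncTime) {
    if (-not $SyncTime) { return -1 }
    [math]::Round(((Get-Date).ToUniversalTime() - [datetime]$SyncTime).TotalMinutes, 1)
}

try {
    Import-Module MSOnline -ErrorAction Stop
    # Wrap the plain-text parameter in a credential object right away
    $secure = ConvertTo-SecureString $password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($username, $secure)
    Connect-MsolService -Credential $cred -ErrorAction Stop

    # Tenant-wide sync timestamps (UTC) live on the company information object
    $company = Get-MsolCompanyInformation
    if (-not $company.DirectorySynchronizationEnabled) {
        throw "Directory synchronization is not enabled for this tenant"
    }
    # Users created by Azure AD Connect are selected with -Synchronized; for groups
    # (assumption) a non-empty LastDirSyncTime marks a synced object
    $syncedUsers  = @(Get-MsolUser -All -Synchronized).Count
    $syncedGroups = @(Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime }).Count
}
catch {
    # <error>1</error> puts the sensor into the Down state and shows the message
    $msg = [System.Security.SecurityElement]::Escape($_.Exception.Message)
    "<prtg><error>1</error><text>$msg</text></prtg>"
    exit 1
}

"<prtg>"
New-PrtgResult "SyncedUsers"       $syncedUsers  "Count"
New-PrtgResult "SyncedGroups"      $syncedGroups "Count"
New-PrtgResult "LastDirectorySync" (Get-AgeMinutes $company.LastDirSyncTime)      "Custom" "min"
New-PrtgResult "LastPasswordSync"  (Get-AgeMinutes $company.LastPasswordSyncTime) "Custom" "min"
"  <text>Last directory sync: $($company.LastDirSyncTime) UTC</text>"
"</prtg>"
```

PRTG hands the stored password to the script as a plain-text command-line argument, so limit who can log on to or list processes on the probe host. Note that Microsoft has deprecated the MSOnline module in favour of the Microsoft Graph PowerShell SDK, so the cmdlets above may need to be replaced on newer tenants.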

With little effort, the Azure AD Connect synchronization, a fundamental element of a hybrid cloud, is monitored with PRTG, and an alert is triggered when a threshold is exceeded.