Azure AD Connect Health - Alert List - Microsoft Entra (2023)

Alerts from the Azure AD Connect Health service indicate that your identity infrastructure is not healthy. This article lists the title, description, and remediation steps for each alert.
Error, Warning, and Pre-Warning are the three stages of alerts generated by the Connect Health service. We strongly recommend that you take immediate action on active alerts.
Azure AD Connect Health alerts are resolved on a success condition. Azure AD Connect Health Agents detect and report success conditions to the service periodically. For some alerts, suppression is time-based: if the same error condition is not observed within 72 hours of the alert being created, the alert is automatically resolved.


General alerts

Alert: Health service data is not up to date
Description: The Health Agent running on one or more servers is not connected to the Health Service, and the Health Service is not receiving the latest data from that server. The last data processed by the Health Service is older than 2 hours.
Remediation: Ensure that the Health Agents have outbound connectivity to the required service endpoints.

Alerts for Azure AD Connect (Sync)

Alert: The Azure AD Connect synchronization service is not running
Description: The Microsoft Azure AD Sync Windows service is not running or could not be started. As a result, objects will not be synchronized with Azure Active Directory.
Remediation: Start Microsoft Azure Active Directory Synchronization Services.
  1. Click Start, click Run, type Services.msc, and then click OK.
  2. Locate the Microsoft Azure AD Sync service and check whether it is started. If it is not started, right-click it, and then click Start.

Alert: Import from Azure Active Directory failed
Description: The import operation on the Azure Active Directory Connector failed.
Remediation: Investigate the event log errors for the import operation for more details.

Alert: Connecting to Azure Active Directory failed due to authentication failure
Description: Connecting to Azure Active Directory failed due to an authentication failure. As a result, objects will not be synchronized with Azure Active Directory.
Remediation: Investigate the event log errors for more details.

Alert: Export to Active Directory failed
Description: The export operation on the Active Directory Connector failed.
Remediation: Investigate the event log errors for the export operation for more details.

Alert: Import from Active Directory failed
Description: Import from Active Directory failed. As a result, objects from some domains in this forest may not be imported.
Remediation:
  • Verify DC connectivity.
  • Retry the import manually.
  • Investigate the event log errors for the import operation for more details.

Alert: Export to Azure Active Directory failed
Description: The export operation on the Azure Active Directory Connector failed. As a result, some objects may not be exported successfully to Azure Active Directory.
Remediation: Investigate the event log errors for the export operation for more details.

Alert: Password hash synchronization heartbeat was skipped in the last 120 minutes
Description: Password hash synchronization has not connected to Azure Active Directory in the last 120 minutes. As a result, passwords will not be synchronized with Azure Active Directory.
Remediation: Restart Microsoft Azure Active Directory Synchronization Services. Any synchronization operation currently running will be interrupted; you can choose to perform the following steps when no synchronization operation is in progress.
  1. Click Start, click Run, type Services.msc, and then click OK.
  2. Locate Microsoft Azure AD Sync, right-click it, and then click Restart.

Alert: High CPU usage detected
Description: The percentage of CPU consumption exceeded the recommended threshold on this server.
Remediation:
  • This could be a temporary spike in CPU consumption. Check the CPU usage trend in the Monitoring section.
  • Inspect the top processes consuming the highest CPU on the server.
    1. You can use Task Manager or run the following PowerShell command:
       Get-Process | Sort-Object -Descending CPU | Select-Object -First 10
    2. If there are unexpected processes consuming high CPU, stop them using the following PowerShell command:
       Stop-Process -ProcessName [process name]
  • If the processes shown in the list above are the intended processes running on the server and CPU consumption is consistently close to the threshold, consider re-evaluating the deployment requirements of this server.
  • As a safe option, you can consider restarting the server.

Alert: High memory consumption detected
Description: The percentage of memory consumption exceeded the recommended threshold on this server.
Remediation:
  • Inspect the top processes consuming the most memory on the server. You can use Task Manager or run the following PowerShell command:
    Get-Process | Sort-Object -Descending WS | Select-Object -First 10
  • If there are unexpected processes consuming high memory, stop them using the following PowerShell command:
    Stop-Process -ProcessName [process name]
  • If the processes shown in the list above are the intended processes running on the server, consider re-evaluating the deployment requirements of this server.
  • As a safe option, you can consider restarting the server.

Alert: Password hash synchronization has stopped working
Description: Password hash synchronization has stopped. As a result, passwords will not be synchronized with Azure Active Directory.
Remediation: Restart Microsoft Azure Active Directory Synchronization Services. Any synchronization operation currently running will be interrupted; you can choose to perform the following steps when no synchronization operation is in progress.
  1. Click Start, click Run, type Services.msc, and then click OK.
  2. Locate Microsoft Azure AD Sync, right-click it, and then click Restart.

Alert: Export to Azure Active Directory stopped. Accidental delete threshold reached
Description: The export operation to Azure Active Directory failed. There were more objects to be deleted than the configured threshold. As a result, no objects were exported.
Remediation:
  • The number of objects marked for deletion is greater than the configured threshold. Make sure this outcome is desired.
  • To allow the export to continue, perform the following steps:
    1. Disable the threshold by running Disable-ADSyncExportDeletionThreshold
    2. Start the Synchronization Service Manager
    3. Run the Export on the Connector with type = Azure Active Directory
    4. After the objects have been exported successfully, enable the threshold by running Enable-ADSyncExportDeletionThreshold
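The sync-server alerts above all reduce to a few local checks. The following PowerShell script is an added example, not code from the Microsoft article: a read-only health check that a defender can run on the Azure AD Connect server before acting on an alert. It assumes the ADSync module that ships with Azure AD Connect is installed and that the scheduler object exposes the SyncCycleEnabled, NextSyncCycleStartTimeInUTC and SyncCycleInProgress properties (assumed names from that module).

```powershell
# Added example (not from the original article). Run as an administrator on the
# Azure AD Connect server. Assumes the ADSync module is installed.
Import-Module ADSync -ErrorAction Stop

# 1. "Synchronization service is not running": service name is ADSync,
#    display name "Microsoft Azure AD Sync".
$svc = Get-Service -Name ADSync
if ($svc.Status -ne 'Running') {
    Write-Warning "ADSync service is $($svc.Status); objects will not sync until it is started (Start-Service ADSync)."
}

# 2. Scheduler state: a disabled or stuck sync cycle explains a skipped
#    password hash sync heartbeat. Property names are assumed from the module.
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled   = $sched.SyncCycleEnabled
    NextSyncCycleUTC   = $sched.NextSyncCycleStartTimeInUTC
    SyncCycleInProgress = $sched.SyncCycleInProgress
} | Format-List

# 3. "Accidental delete threshold reached": show whether the export deletion
#    threshold is enabled and what the limit is, before deciding to disable it.
Get-ADSyncExportDeletionThreshold | Format-List

# 4. High CPU / high memory: the same listings the remediation steps ask for,
#    with the working set (WS) shown next to CPU so both alerts are covered.
Get-Process | Sort-Object -Property CPU -Descending |
    Select-Object -First 10 Name, Id, CPU, WS | Format-Table -AutoSize
Get-Process | Sort-Object -Property WS -Descending |
    Select-Object -First 10 Name, Id, WS | Format-Table -AutoSize
```

The script changes nothing; the Start-Service and Disable-ADSyncExportDeletionThreshold steps from the alerts remain deliberate, separate actions once the output confirms which condition applies.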
Alerts for Active Directory Federation Services

Alert: Test authentication request (synthetic transaction) failed to obtain a token
Description: Test authentication requests (synthetic transactions) initiated by this server failed to obtain a token after 5 retries. This can be caused by transient network issues, AD DS domain controller availability, or a misconfigured AD FS server. As a result, authentication requests processed by the federation service may fail. The agent uses the local computer account context to obtain a token from the federation service.
Remediation: Make sure the following steps have been taken to validate the health of the server.
  1. Confirm that there are no additional unresolved alerts for this or other AD FS servers in your farm.
  2. Confirm that this condition is not a transient failure by signing in with a test user from the AD FS sign-in page available at https://{your_adfs_server_name}/adfs/ls/idpinitiatedsignon.aspx
  3. Go to https://testconnectivity.microsoft.com and select the "Office 365" tab. Run the Office 365 Single Sign-On Test.
  4. Verify that the AD FS service name can be resolved by this server by running the following command from a command prompt on this server: nslookup your_adfs_server_name

If the service name cannot be resolved, see the FAQ section for instructions on adding a HOSTS file entry for the AD FS service name with this server's IP address. This allows the synthetic transaction engine running on this server to request a token.

Alert: The proxy server cannot reach the federation server
Description: This AD FS proxy cannot communicate with the AD FS service. As a result, authentication requests processed by this server will fail.
Remediation: Perform the following steps to validate connectivity between this server and the AD FS service.
  1. Ensure that the firewall between this server and the AD FS service is configured correctly.
  2. Ensure that DNS resolution of the AD FS service name points to the AD FS service on the corporate network. This can be done through a DNS server that serves this server in the perimeter network, or through HOSTS file entries for the AD FS service name.
  3. Validate network connectivity by opening a browser on this server and accessing the federation metadata endpoint at https://{your_adfs_server_name}/federationmetadata/2007-06/federationmetadata.xml
Alert: SSL certificate is about to expire
Description: The TLS/SSL certificate used by the federation servers is set to expire within 90 days. Once it expires, any request that requires a valid TLS connection will fail. For example, for Microsoft 365 customers, mail clients will not be able to authenticate.
Remediation: Update the TLS/SSL certificate on each AD FS server.
  1. Obtain a TLS/SSL certificate with the following requirements.
    1. Enhanced Key Usage is at least Server Authentication.
    2. The certificate subject or Subject Alternative Name (SAN) contains the DNS name of the federation service or an appropriate wildcard. For example: sso.contoso.com or *.contoso.com
  2. Install the new TLS/SSL certificate on each server in the local machine certificate store.
  3. Ensure that the AD FS service account has read access to the certificate's private key.

  For AD FS 2.0 on Windows Server 2008 R2:
    • Bind the new TLS/SSL certificate to the website in IIS that hosts the federation service. Note that you must perform this step on each federation server and federation server proxy.

  For AD FS on Windows Server 2012 R2 and later:
    • See Manage SSL certificates in AD FS and WAP.
Alert: The AD FS service is not running on the server
Description: The Active Directory Federation Services Windows service is not running on this server. Any request targeting this server will fail.
Remediation: To start the Active Directory Federation Services Windows service:
  1. Log on to the server as an administrator.
  2. Open services.msc.
  3. Find "Active Directory Federation Services".
  4. Right-click it and select "Start".
Alert: DNS for the federation service may be misconfigured
Description: The DNS server may be configured to use a CNAME record for the AD FS farm name. It is recommended to use an A or AAAA record for AD FS so that Integrated Windows Authentication works seamlessly on your corporate network.
Remediation: Verify that the DNS record type of the AD FS farm name is not a CNAME. Change it to an A or AAAA record.
Alert: AD FS auditing is disabled
Description: AD FS auditing is disabled for the server. The Usage Analytics section in the portal will not include data from this server.
Remediation: If AD FS audits are not enabled, follow these instructions:
  1. Grant the AD FS service account the "Generate security audits" user right directly on the AD FS server.
  2. Open the local security policy on the server with gpedit.msc.
  3. Go to "Computer Configuration\Windows Settings\Local Policies\User Rights Assignment".
  4. Add the AD FS service account to the "Generate security audits" right.
  5. Run the following command from the command prompt:
     auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  6. Update the federation service properties to include success and failure audits.
  7. In the AD FS console, select Edit Federation Service Properties.
  8. In the Federation Service Properties dialog box, select the Events tab and select Success audits and Failure audits.

After following these steps, AD FS audit events should be visible in Event Viewer. To confirm:

  1. Go to Event Viewer/Windows Logs/Security.
  2. Select Filter Current Log and select AD FS Auditing from the Event sources drop-down menu. For an active AD FS server with AD FS auditing enabled, events should be visible with this filter.

If you have followed these instructions before but still see this alert, it is possible that a Group Policy object is disabling AD FS auditing. The root cause may be one of the following:

  1. The AD FS service account has been removed from the "Generate security audits" user right.
  2. A custom script in the Group Policy object disables success and failure audits for "Application Generated".
  3. The AD FS configuration is not enabled to generate success/failure audits.
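Because the alert can come back through any of the three root causes listed, it helps to test each layer from the command line rather than clicking through the consoles again. The following script is an added example, not part of the Microsoft article; it checks the audit policy subcategory, the user right, the AD FS audit setting, and whether audit events are actually being written. It assumes the AuditLevel property of Get-AdfsProperties is present (it exists on AD FS 2016 and later; on older farms that line prints nothing).

```powershell
# Added example (not from the original article). Run as an administrator on an AD FS server.

# 1. Audit policy: the "Application Generated" subcategory must log success and failure.
auditpol.exe /get /subcategory:"Application Generated"

# 2. User right: the AD FS service account must hold "Generate security audits"
#    (SeAuditPrivilege). secedit exports the effective local policy to an .inf file.
$inf = Join-Path $env:TEMP 'adfs-userrights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $inf -Pattern '^SeAuditPrivilege' | Select-Object -First 1
if ($right) { Write-Output "SeAuditPrivilege holders: $($right.Line)" }  # SIDs/names after the '='
else        { Write-Warning 'SeAuditPrivilege is not assigned to anyone on this server.' }
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# 3. AD FS configuration: success/failure audits must be enabled in the service properties.
#    AuditLevel is assumed to exist (AD FS 2016+); older farms show it only in the console.
Get-AdfsProperties | Select-Object AuditLevel | Format-List

# 4. Evidence: AD FS audit events land in the Security log under provider "AD FS Auditing".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing' } `
              -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, Id | Format-Table -AutoSize }
else         { Write-Warning 'No "AD FS Auditing" events found in the Security log; auditing is not effective.' }
```

If steps 1 to 3 all look correct but step 4 still finds nothing, a Group Policy object is the next thing to inspect, which is the case the alert text describes.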
Alert: The AD FS SSL certificate is self-signed
Description: You are currently using a self-signed certificate as the TLS/SSL certificate in your AD FS farm. As a result, mail client authentication for Microsoft 365 will fail.
Remediation: Update the TLS/SSL certificate on each AD FS server.
  1. Obtain a publicly trusted TLS/SSL certificate with the following requirements.
    1. The certificate installation file contains its private key.
    2. Enhanced Key Usage is at least Server Authentication.
    3. The certificate subject or Subject Alternative Name (SAN) contains the DNS name of the federation service or an appropriate wildcard. For example: sso.contoso.com or *.contoso.com
  2. Install the new TLS/SSL certificate on each server in the local machine certificate store.
  3. Ensure that the AD FS service account has read access to the certificate's private key.

  For AD FS 2.0 on Windows Server 2008 R2:
    • Bind the new TLS/SSL certificate to the website in IIS that hosts the federation service. Note that you must perform this step on each federation server and federation server proxy.

  For AD FS on Windows Server 2012 R2 or later:
    • See Manage SSL certificates in AD FS and WAP.
Alert: The trust between the proxy server and the federation server is invalid
Description: The trust between the federation server proxy and the federation service could not be established or renewed.
Remediation: Update the proxy trust certificate on the proxy server. Run the Proxy Configuration Wizard again.
Alert: Extranet lockout protection is disabled for AD FS
Description: The Extranet Lockout Protection feature is DISABLED in your AD FS farm. This feature protects your users from brute-force password attacks from the Internet and prevents denial-of-service attacks against your users when AD DS account lockout policies are in effect. With this feature enabled, if the number of failed extranet sign-in attempts for a user (sign-in attempts through the WAP server and AD FS) exceeds "ExtranetLockoutThreshold", the AD FS servers stop processing further sign-in attempts for "ExtranetObservationWindow". We strongly recommend that you enable this feature on your AD FS servers.
Remediation: Run the following command to enable AD FS Extranet Lockout Protection with default values.
  Set-AdfsProperties -EnableExtranetLockout $true

If you have configured AD lockout policies for your users, make sure that the 'ExtranetLockoutThreshold' property is set to a value below the AD DS lockout threshold. This ensures that requests that have exceeded the AD FS threshold are rejected and never validated against your AD DS servers.
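The second paragraph carries the ordering rule that matters: AD FS must reject a user's attempts before AD DS locks the account, otherwise an attacker guessing passwords from the Internet can lock out legitimate users. The script below is an added example, not part of the Microsoft article; it reads both thresholds side by side and flags the misordering. It assumes it runs on an AD FS server (Windows Server 2012 R2 or later) with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the original article). Run on an AD FS server with the
# ActiveDirectory RSAT module; it reads settings only and prints the suggested fix.
Import-Module ActiveDirectory -ErrorAction Stop

$adfs = Get-AdfsProperties
$ad   = Get-ADDefaultDomainPasswordPolicy

[pscustomobject]@{
    ExtranetLockoutEnabled    = $adfs.EnableExtranetLockout
    ExtranetLockoutThreshold  = $adfs.ExtranetLockoutThreshold
    ExtranetObservationWindow = $adfs.ExtranetObservationWindow
    ADLockoutThreshold        = $ad.LockoutThreshold          # 0 means AD DS lockout is off
    ADObservationWindow       = $ad.LockoutObservationWindow
} | Format-List

if (-not $adfs.EnableExtranetLockout) {
    Write-Warning "Extranet lockout is disabled. Remediation: Set-AdfsProperties -EnableExtranetLockout `$true"
}

# The rule from the alert text: when AD DS lockout is in effect, the AD FS threshold
# must be strictly lower so that AD FS stops forwarding attempts before AD DS locks the account.
if ($ad.LockoutThreshold -gt 0 -and $adfs.ExtranetLockoutThreshold -ge $ad.LockoutThreshold) {
    $suggested = $ad.LockoutThreshold - 1
    Write-Warning ("ExtranetLockoutThreshold ({0}) is not below the AD DS lockout threshold ({1})." -f
                   $adfs.ExtranetLockoutThreshold, $ad.LockoutThreshold)
    Write-Output  "Suggested: Set-AdfsProperties -ExtranetLockoutThreshold $suggested"
}
```

Fine-grained password policies can give specific groups a lower AD DS threshold than the domain default; if you use them, compare against the lowest threshold that applies to externally reachable accounts, not only the default policy shown here.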

Alert: Invalid service principal name (SPN) for the AD FS service account
Description: The service principal name of the federation service account is not registered or is not unique. As a result, Integrated Windows Authentication from domain-joined clients may not be seamless.
Remediation: Use [SETSPN -L service_account_name] to list the service principal names.
Use [SETSPN -X] to check for duplicate service principal names.

If the SPN is duplicated on an account other than the AD FS service account, remove the SPN from the duplicate account using [SETSPN -d service/hostname].

If the SPN is not set, use [SETSPN -s {Desired-SPN} {domain_name}\{service_account}] to set the desired SPN for the federation service account.
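Both this alert and the earlier "DNS for the federation service may be misconfigured" alert are about the identity of one name, the federation service name, so one check script covers both. It is an added example, not code from the Microsoft article: it confirms the farm name resolves via an A/AAAA record rather than a CNAME, and that the HOST/ SPN for that name is registered exactly once, on the service account. The name sts.contoso.com and the account svc-adfs are constructed placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the original article). Placeholders: replace with your farm name
# and the sAMAccountName of the AD FS service account. Read-only; prints the setspn fix.
Import-Module ActiveDirectory -ErrorAction Stop
$fsName  = 'sts.contoso.com'   # federation service name (constructed placeholder)
$svcAcct = 'svc-adfs'          # AD FS service account (constructed placeholder)

# 1. DNS record type: Integrated Windows Authentication needs an A/AAAA record, not a CNAME.
$records = Resolve-DnsName -Name $fsName -ErrorAction Stop
$cname   = $records | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $fsName }
if ($cname) {
    Write-Warning "$fsName is a CNAME to $($cname.NameHost); replace it with an A or AAAA record."
} else {
    $types = ($records | Where-Object { $_.Type -in 'A', 'AAAA' } | Select-Object -ExpandProperty Type) -join ','
    Write-Output "$fsName resolves via $types record(s)."
}

# 2. SPN uniqueness: exactly one account may hold HOST/<federation service name>,
#    and it must be the service account.
$spn     = "HOST/$fsName"
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
switch ($holders.Count) {
    0 { Write-Warning "$spn is not registered. Remediation: setspn -s $spn $svcAcct" }
    1 {
        if ($holders[0].sAMAccountName -eq $svcAcct) { Write-Output "$spn is registered once, on $svcAcct." }
        else { Write-Warning "$spn is registered on $($holders[0].sAMAccountName), not on $svcAcct." }
      }
    default {
        $names = ($holders | Select-Object -ExpandProperty sAMAccountName) -join ', '
        Write-Warning "$spn is duplicated on: $names. Remove it from the wrong account(s) with setspn -d $spn <account>"
      }
}
```

Running setspn -X across the whole forest remains worthwhile after this, because the script only looks for the one SPN the alert concerns.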

Alert: The primary AD FS token-decrypting certificate is about to expire
Description: The primary AD FS token-decrypting certificate is set to expire in less than 90 days. Once it has expired, AD FS cannot decrypt tokens from trusted claims providers and cannot decrypt encrypted SSO cookies. End users will not be able to authenticate to access resources.
Remediation: If automatic certificate rollover is enabled, AD FS will manage the token-decrypting certificate.

If you manage your certificate manually, follow the instructions below.

  1. Obtain a new token-decrypting certificate.
    • Make sure Enhanced Key Usage (EKU) includes "Key Encipherment".
    • The subject or Subject Alternative Name (SAN) has no restrictions.
    • Note that federation servers and claims provider partners must be able to reach a trusted root certification authority when validating your token-decrypting certificate.
  2. Decide how your claims provider partners will trust the new token-decrypting certificate.
    • Ask the partners to pull the federation metadata after the certificate is updated.
    • Share the public key of the new certificate (.cer file) with the partners. On the claims provider partner's AD FS server, launch AD FS Management from the Administrative Tools menu. Under Trust Relationships/Relying Party Trusts, select the trust created for you. Under Properties/Encryption, click "Browse" to select the new token-decrypting certificate and click OK.
  3. Install the certificate in the local certificate store on each federation server.
    • Ensure that the certificate installation file has the certificate's private key on each server.
  4. Ensure that the federation service account has access to the new certificate's private key.
  5. Add the new certificate to AD FS.
    1. Start AD FS Management from the Administrative Tools menu.
    2. Expand Service and select Certificates.
    3. In the Actions pane, click Add Token-Decrypting Certificate.
    4. A list of certificates valid for token decryption appears. If your new certificate is not listed, go back and ensure that the certificate is in the local computer's Personal store with an associated private key and that it has Key Encipherment in its extended key usage.
    5. Select the new token-decrypting certificate and click OK.
  6. Set the new token-decrypting certificate as primary.
    1. With the Certificates node selected in AD FS Management, you should now see two certificates listed under Token-Decrypting: the existing certificate and the new certificate.
    2. Select the new token-decrypting certificate, right-click, and select Set as Primary.
    3. Leave the old certificate as secondary for rollover purposes. Plan to remove the old certificate once you are sure it is no longer needed for rollover, or when it has expired.
Alert: The primary AD FS token-signing certificate is about to expire
Description: The AD FS token-signing certificate is set to expire within 90 days. AD FS cannot issue signed tokens when this certificate is invalid.
Remediation:
  1. Obtain a new token-signing certificate.
    1. Make sure Enhanced Key Usage (EKU) includes "Digital Signature".
    2. The subject or Subject Alternative Name (SAN) has no restrictions.
    3. Note that your federation servers, resource partner federation servers, and third-party application servers must be able to reach a trusted root certification authority when validating the token-signing certificate.
  2. Install the certificate in the local certificate store on each federation server.
    • Ensure that the certificate installation file has the certificate's private key on each server.
  3. Ensure that the federation service account has access to the new certificate's private key.
  4. Add the new certificate to AD FS.
    1. Start AD FS Management from the Administrative Tools menu.
    2. Expand Service and select Certificates.
    3. In the Actions pane, click Add Token-Signing Certificate...
    4. You are presented with a list of certificates valid for token signing. If your new certificate is not listed, go back and ensure that the certificate is in the local computer's Personal store with an associated private key and that it has the Digital Signature key usage.
    5. Select your new token-signing certificate and click OK.
  5. Notify all third parties of the change to the token-signing certificate.
    1. Relying parties that consume AD FS federation metadata must pull the new federation metadata to start using the new certificate.
    2. Relying parties NOT consuming AD FS federation metadata must manually update the public key of the new token-signing certificate. Share the .cer file with the third parties.
  6. Set the new token-signing certificate as primary.
    1. With the Certificates node selected in AD FS Management, you should now see two certificates listed under Token-Signing: the existing certificate and the new certificate.
    2. Select the new token-signing certificate, right-click, and select Set as Primary.
    3. Leave the old certificate as secondary for rollover purposes. Plan to remove the old certificate once you are sure it is no longer needed for rollover, or when it has expired. Note that current users' SSO sessions are signed with the old certificate, and current AD FS proxy trust relationships use tokens that are signed and encrypted with it.
Alert: The AD FS SSL certificate is not in the local certificate store
Description: The certificate with the thumbprint configured as the TLS/SSL certificate in the AD FS database was not found in the local certificate store. As a result, any authentication request over TLS will fail. For example, mail client authentication for Microsoft 365 will fail.
Remediation: Install the certificate with the configured thumbprint in the local certificate store.
Alert: SSL certificate has expired
Description: The TLS/SSL certificate for the AD FS service has expired. As a result, any authentication request that requires a valid TLS connection will fail. For example, mail client authentication for Microsoft 365 will not be possible.
Remediation: Update the TLS/SSL certificate on each AD FS server.
  1. Obtain a TLS/SSL certificate with the following requirements.
    1. Enhanced Key Usage is at least Server Authentication.
    2. The certificate subject or Subject Alternative Name (SAN) contains the DNS name of the federation service or an appropriate wildcard. For example: sso.contoso.com or *.contoso.com
  2. Install the new TLS/SSL certificate on each server in the local machine certificate store.
  3. Ensure that the AD FS service account has read access to the certificate's private key.

  For AD FS 2.0 on Windows Server 2008 R2:
    • Bind the new TLS/SSL certificate to the website in IIS that hosts the federation service. Note that you must perform this step on each federation server and federation server proxy.

  For AD FS on Windows Server 2012 R2 or later:
    • See Manage SSL certificates in AD FS and WAP.

Alert: Required endpoints for Azure Active Directory (for Microsoft 365) are not enabled
Description: The following set of endpoints required by Exchange Online Services, Azure AD, and Microsoft 365 are not enabled for the federation service:
  • /adfs/services/trust/2005/usernamemixed
  • /adfs/ls/
Remediation: Enable the required endpoints for Microsoft cloud services on your federation service.
  For AD FS on Windows Server 2012 R2 or later:
    • See Manage SSL certificates in AD FS and WAP.
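The two endpoint paths in the alert can be verified and, if you choose, enabled from PowerShell on Windows Server 2012 R2 or later. The script below is an added example and not code from the Microsoft article; it reports the state of each required endpoint and only makes a change when run with -Fix. It assumes the AD FS cmdlets Get-AdfsEndpoint and Enable-AdfsEndpoint, which ship with the AD FS role.

```powershell
# Added example (not from the original article). Run on an AD FS server as an administrator.
# Without -Fix it only reports; with -Fix it enables any required endpoint that is disabled.
param([switch]$Fix)

# The endpoints named in the alert (Exchange Online, Azure AD, Microsoft 365).
$required = @(
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/ls/'
)

foreach ($path in $required) {
    $ep = Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq $path }
    if (-not $ep) {
        Write-Warning "Endpoint $path was not found in this farm's endpoint list."
        continue
    }
    $state = if ($ep.Enabled) { 'enabled' } else { 'DISABLED' }
    # Proxy=True means the endpoint is also published through the Web Application Proxy.
    Write-Output ("{0,-45} {1,-9} proxy={2}" -f $path, $state, $ep.Proxy)

    if (-not $ep.Enabled -and $Fix) {
        Enable-AdfsEndpoint -TargetAddressPath $path
        Write-Output "  -> enabled $path; restart the AD FS service on each farm member for it to take effect."
    }
}
```

Endpoint settings are farm-wide configuration, so run the change once on the primary federation server and then restart the AD FS service on every server; the Proxy column tells you whether extranet clients will reach the endpoint at all.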
Alert: The federation server could not connect to the AD FS configuration database
Description: The AD FS service account is having problems connecting to the AD FS configuration database. As a result, the AD FS service on this computer may not work as expected.
Remediation:
  • Ensure that the AD FS service account has access to the configuration database.
  • Ensure that the AD FS configuration database service is available and reachable.
Alert: Required TLS bindings are missing or not configured
Description: The TLS bindings required for this federation server to run successfully are not configured correctly. As a result, AD FS cannot process any incoming requests.
Remediation: For Windows Server 2012 R2, open an administrator command prompt and run the following commands:
  1. To view the current TLS bindings: Get-AdfsSslCertificate
  2. To add new bindings: netsh http add sslcert hostnameport={your_adfs_server_name}:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={application_id_guid} certstorename=MY
Alert: The primary AD FS token-signing certificate has expired
Description: The AD FS token-signing certificate has expired. AD FS cannot issue signed tokens when this certificate is invalid.
Remediation: If automatic certificate rollover is enabled, AD FS will manage the token-signing certificate update.

If you manage your certificate manually, follow the instructions below.

  1. Obtain a new token-signing certificate.
    1. Make sure Enhanced Key Usage (EKU) includes "Digital Signature".
    2. The subject or Subject Alternative Name (SAN) has no restrictions.
    3. Remember that your federation servers, resource partner federation servers, and third-party application servers must be able to reach a trusted root certification authority when validating the token-signing certificate.
  2. Install the certificate in the local certificate store on each federation server.
    • Ensure that the certificate installation file has the certificate's private key on each server.
  3. Ensure that the federation service account has access to the new certificate's private key.
  4. Add the new certificate to AD FS.
    1. Start AD FS Management from the Administrative Tools menu.
    2. Expand Service and select Certificates.
    3. In the Actions pane, click Add Token-Signing Certificate...
    4. You are presented with a list of certificates valid for token signing. If your new certificate is not listed, go back and ensure that the certificate is in the local computer's Personal store with an associated private key and that it has the Digital Signature key usage.
    5. Select your new token-signing certificate and click OK.
  5. Notify all third parties of the change to the token-signing certificate.
    1. Relying parties that consume AD FS federation metadata must pull the new federation metadata to start using the new certificate.
    2. Relying parties NOT consuming AD FS federation metadata must manually update the public key of the new token-signing certificate. Share the .cer file with the third parties.
  6. Set the new token-signing certificate as primary.
    1. With the Certificates node selected in AD FS Management, you should now see two certificates listed under Token-Signing: the existing certificate and the new certificate.
    2. Select the new token-signing certificate, right-click, and select Set as Primary.
    3. Leave the old certificate as secondary for rollover purposes. Plan to remove the old certificate once you are sure it is no longer needed for rollover, or when it has expired. Remember that current users' SSO sessions are signed with the old certificate, and current AD FS proxy trust relationships use tokens that are signed and encrypted with it.
Alert: The proxy is rejecting requests due to congestion control
Description: This proxy is rejecting requests from the extranet due to higher-than-normal latency between this proxy and the federation server. As a result, a portion of the authentication requests processed by the AD FS proxy may fail.
Remediation:
  • Verify that the network latency between the federation proxy and the federation servers is within the acceptable range. See the Monitoring section for "Token Request Latency" trends. A latency greater than [1500 ms] should be considered high. If high latency is observed, ensure that the network between the AD FS servers and the AD FS proxies has no connectivity issues.
  • Ensure that the federation servers are not overloaded with authentication requests. The Monitoring section provides trend views for token requests per second, CPU usage, and memory consumption.
  • If the above items have been verified and this issue still occurs, adjust the congestion avoidance setting on each federation proxy according to the guidance in the related links.
Alert: The AD FS service account does not have access to one of the certificates' private keys
Description: The AD FS service account does not have access to the private key of one of the AD FS certificates on this computer.
Remediation: Ensure that the AD FS service account is granted access to the TLS, token-signing, and token-decrypting certificates stored in the local computer certificate store.
  1. From the command line, type MMC.
  2. Go to File -> Add/Remove Snap-in.
  3. Select Certificates and click Add -> select Computer account and click Next -> select Local computer and click Finish. Click OK.

Open Certificates (Local Computer)/Personal/Certificates. For all certificates used by AD FS:
  1. Right-click the certificate.
  2. Select All Tasks -> Manage Private Keys.
  3. On the Security tab, under Group or user names, ensure that the AD FS service account is present. If not, select Add and add the AD FS service account.
  4. Select the AD FS service account and, in the "Permissions for" list, make sure that Read permission is allowed (check mark).
Alert: The AD FS SSL certificate does not have a private key
Description: The AD FS TLS/SSL certificate was installed without a private key. As a result, any authentication request over TLS will fail. For example, mail client authentication for Microsoft 365 will fail.
Remediation: Update the TLS/SSL certificate on each AD FS server.
  1. Obtain a publicly trusted TLS/SSL certificate with the following requirements.
    1. The certificate installation file contains its private key.
    2. Enhanced Key Usage is at least Server Authentication.
    3. The certificate subject or Subject Alternative Name (SAN) contains the DNS name of the federation service or an appropriate wildcard. For example: sso.contoso.com or *.contoso.com
  2. Install the new TLS/SSL certificate on each server in the local machine certificate store.
  3. Ensure that the AD FS service account has read access to the certificate's private key.

  For AD FS 2.0 on Windows Server 2008 R2:
    • Bind the new TLS/SSL certificate to the website in IIS that hosts the federation service. Note that you must perform this step on each federation server and federation server proxy.

  For AD FS on Windows Server 2012 R2 or later:
    • See Manage SSL certificates in AD FS and WAP.
  • The Primary AD FS Token Decrypting certificate has expiredThe Primary AD FS Token Decrypting certificate has expired. AD FS cannot decrypt tokens from trusted claims providers. AD FS cannot decrypt encrypted SSO cookies. End users will not be able to authenticate to access resources.

    If automatic certificate rollover is enabled, AD FS manages the Token Decryption Certificate.

    If you manage your certificate manually, follow the instructions below.

    1. Get a new token decryption certificate.
      • Make sure the Enhanced Key Usage (EKU) includes "Key Encipherment".
      • There are no restrictions on the Subject or Subject Alternative Name (SAN).
      • Note that your federation servers and claims provider partners must be able to chain to a trusted root certification authority when validating your token decryption certificate.
    2. Decide how your claims provider partners will trust the new token decryption certificate.
      • Ask the partners to pull the federation metadata after updating the certificate.
      • Share the public key (.cer file) of the new certificate with the partners. On the claims provider partner's AD FS server, launch AD FS Management from the Administrative Tools menu. Under Trust Relationships/Relying Party Trusts, select the trust created for you. Under Properties/Encryption, click "Browse" to select the new token decryption certificate and click OK.
    3. Install the certificate in the local certificate store on each federation server.
      • Ensure that the certificate installation file includes the certificate's private key on each server.
    4. Ensure that the federation service account has access to the new certificate's private key.
    5. Add the new certificate to AD FS.
      • Launch AD FS Management from the Administrative Tools menu.
      • Expand Service and select Certificates.
      • In the Actions pane, click Add Token-Decrypting Certificate.
      • A list of certificates valid for token decryption will appear. If your new certificate is not listed, go back and ensure that the certificate is in the local computer's Personal store with an associated private key, and that the certificate has Key Encipherment as an Extended Key Usage.
      • Select the new token decryption certificate and click OK.
    6. Set the new token decryption certificate as Primary.
      • With the Certificates node selected in AD FS Management, you should now see two certificates listed under Token-Decrypting: the existing certificate and the new certificate.
      • Select the new token decryption certificate, right-click it, and select Set as Primary.
      • Leave the old certificate as secondary for rollover purposes. Plan to remove the old certificate once you are sure it is no longer needed for rollover or when it has expired.
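    The expiry check and the manual rollover above, as an added PowerShell example that is not part of the Microsoft article. It assumes an elevated session on the primary federation server with the ADFS module, a replacement certificate already installed in the local machine store with its private key, and a placeholder $NewThumbprint that you replace with that certificate's thumbprint.

```powershell
# Added example (not from the Microsoft article): audit the AD FS Token-Decrypting
# certificates and, with -Rollover, perform the manual steps described above.
# Assumptions: run elevated on the primary federation server with the ADFS module;
# the replacement certificate is already in Cert:\LocalMachine\My with its private key;
# $NewThumbprint is a placeholder for that certificate's thumbprint.
param(
    [string]$NewThumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>',
    [int]$WarnDays = 30,
    [switch]$Rollover
)

Import-Module ADFS -ErrorAction Stop

# Report what is configured now and how long each certificate has left.
function Get-TokenDecryptingStatus {
    foreach ($c in Get-AdfsCertificate -CertificateType 'Token-Decrypting') {
        $daysLeft = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                 elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                 else { 'OK' }
        [pscustomobject]@{
            State      = $state
            IsPrimary  = $c.IsPrimary
            NotAfter   = $c.Certificate.NotAfter
            Thumbprint = $c.Thumbprint
        }
    }
}

Get-TokenDecryptingStatus | Format-Table -AutoSize

if (-not $Rollover) { return }

# If automatic certificate rollover is on, AD FS manages this certificate itself
# and Add-AdfsCertificate is refused; stop rather than fight the service.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    throw 'AutoCertificateRollover is enabled; AD FS manages the Token-Decrypting certificate.'
}

# Pre-flight checks: the reasons the article gives for a certificate not showing
# up in the "Add Token-Decrypting Certificate" dialog.
$new = Get-Item "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop
if (-not $new.HasPrivateKey) {
    throw "Certificate $NewThumbprint has no private key in the local machine store."
}
# The article calls this an EKU; in X.509 terms "Key Encipherment" is a bit in the
# Key Usage extension, which is what is checked here.
$ku = $new.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$kuFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
if (-not $ku -or ([int]($ku.KeyUsages -band $kuFlag)) -eq 0) {
    throw "Certificate $NewThumbprint does not carry the Key Encipherment key usage."
}

# Steps 5 and 6: add the certificate as a secondary Token-Decrypting certificate,
# then set it as primary. The old certificate stays as secondary for rollover;
# remove it with Remove-AdfsCertificate once partners have picked up the new one.
Add-AdfsCertificate -CertificateType 'Token-Decrypting' -Thumbprint $NewThumbprint
Set-AdfsCertificate -CertificateType 'Token-Decrypting' -Thumbprint $NewThumbprint -IsPrimary

Get-TokenDecryptingStatus | Format-Table -AutoSize
```

    Run it without -Rollover on a schedule to get the EXPIRING state before Connect Health raises the expired alert; claims provider partners still need the new public key (step 2) before the switch to primary.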

    Notifications for Active Directory Domain Services

    Each entry below gives the alert name, its description, and the remediation steps.

    Alert: The domain controller is not reachable via LDAP ping
    Description: The domain controller is not reachable via LDAP ping. This can be caused by network issues or machine issues. As a result, LDAP pings will fail.
    Remediation:
  • Review the alert list for related alerts, such as: Domain controller is not advertising.
  • Ensure that the affected domain controller has sufficient disk space. Running out of space will stop the DC from advertising itself as an LDAP server.
  • Try to find the PDC: run netdom query fsmo on the affected domain controller.
  • Make sure the physical network is properly configured/connected.
    Alert: An Active Directory replication error occurred
    Description: This domain controller is experiencing replication issues, which you can find by going to the Replication Status Dashboard. Replication errors may be due to improper configuration or other related issues. Unresolved replication errors can lead to data inconsistency.
    Remediation: See additional details for the names of the affected source and destination DCs. Go to the Replication Status Dashboard and look for active errors on the affected DCs. Click on the error to open a blade with more details on how to fix that particular error.
    Alert: The domain controller cannot find a PDC
    Description: A PDC is not reachable through this domain controller. This will result in affected user logins, unapplied Group Policy changes, and system time synchronization failures.
    Remediation:
  • Review the alert list for related alerts that could affect your PDC, such as: Domain controller is not advertising.
  • Try to find the PDC: run netdom query fsmo on the affected domain controller.
  • Make sure the network is working properly.
    Alert: The domain controller cannot find a global catalog server
    Description: A global catalog server is not reachable by this domain controller. This will result in failed authentication attempts through this domain controller.
    Remediation: Review the alert list for any "Domain controller is not advertising" alerts where the affected server may be a GC. If there are no advertising alerts, check the SRV records for GCs. You can check them by running nltest /dnsgetdc:[ForestName] /gc on the affected domain controller. It should report the DCs advertising as GCs. If the list is empty, check the DNS configuration to ensure that the GCs have registered their SRV records, so that DCs can find them in DNS.
    To troubleshoot global catalogs, see Advertising as a Global Catalog Server.
    Alert: The domain controller cannot reach the local SYSVOL share
    Description: SYSVOL contains important elements of Group Policy Objects and scripts that are distributed to the DCs of a domain. If SYSVOL is not reachable, the DC will not advertise as a DC and Group Policies will not be applied.
    Remediation: See How to troubleshoot missing SYSVOL and Netlogon shares.
    Alert: Domain controller time is out of sync
    Description: The time on this domain controller is outside the normal time skew range. As a result, Kerberos authentication will fail.
    Remediation:
  • Restart the Windows Time service: run net stop w32time followed by net start w32time on the affected domain controller.
  • Resync the time: run w32tm /resync on the affected domain controller.
    Alert: Domain controller is not advertising
    Description: This domain controller is not properly advertising the roles it can perform. This can be caused by replication issues, incorrect DNS configuration, critical services not running, or because the server is not fully initialized. As a result, domain controllers, domain members, and other devices will not be able to locate this domain controller. Additionally, other domain controllers may not be able to replicate from this domain controller.
    Remediation:
  • Check the alert list for other related alerts, such as: Replication is broken. Domain controller time is out of sync. The Netlogon service is not running. DFSR and/or NTFRS services are not running.
  • Identify and troubleshoot DNS-related issues: log in to the affected domain controller and open the System event log. If events 5774, 5775, or 5781 are present, see Troubleshooting Domain Controller Locator DNS records registration failure.
  • Identify and troubleshoot Windows Time service issues: make sure the Windows Time service is running by running net start w32time on the affected domain controller, or restart it by running net stop w32time followed by net start w32time on the affected domain controller.
    Alert: The GPSVC service is not running
    Description: If the service is stopped or disabled, settings configured by the administrator will not be applied, and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component may not be functional if the service is disabled.
    Remediation: Run net start gpsvc on the affected domain controller.
    Alert: DFSR and/or NTFRS services are not running
    Description: If both DFSR and NTFRS are stopped, domain controllers will not be able to replicate SYSVOL data. SYSVOL data will be inconsistent.
    Remediation:
  • If you are using DFSR: run net start dfsr on the affected domain controller.
  • If you are using NTFRS: run net start ntfrs on the affected domain controller.
    Alert: The Netlogon service is not running
    Description: Logon requests, registration, authentication, and locating of domain controllers will not be available on this DC.
    Remediation: Run net start netlogon on the affected domain controller.
    Alert: The W32Time service is not running
    Description: If the Windows Time service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Remediation: Run net start w32time on the affected domain controller.
    Alert: The ADWS service is not running
    Description: If Active Directory Web Services is stopped or disabled, client applications such as Active Directory PowerShell will not be able to access or manage any directory service instances running locally on this server.
    Remediation: Run net start adws on the affected domain controller.
    Alert: The root PDC is not synchronized with an NTP server
    Description: If you do not configure the PDC to synchronize time from an external or internal time source, the PDC emulator uses its internal clock and is itself the authoritative time source for the forest. If the time on the PDC itself is not accurate, all computers will have incorrect time settings.
    Remediation: On the affected domain controller, open a command prompt and:
  • Stop the time service: net stop w32time
  • Configure the external time source: w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes
    Note: replace time.windows.com with the address of your desired external time source.
  • Start the time service: net start w32time
    Alert: The domain controller is in quarantine
    Description: This domain controller is not connected to any of the other working domain controllers. This may be due to improper configuration. As a result, this DC is not used and will not replicate from or to any other DC.
    Remediation: Enable inbound and outbound replication: run repadmin /options servername -DISABLE_INBOUND_REPL on the affected domain controller, then run repadmin /options servername -DISABLE_OUTBOUND_REPL on the affected domain controller (the leading minus removes the DISABLE flag, which re-enables replication). Then create a new replication connection to another domain controller:
    1. Open Active Directory Sites and Services: click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
    2. In the console tree, expand Sites, and then expand the site that this DC belongs to.
    3. Expand the Servers container to display the list of servers.
    4. Expand the server object for this DC.
    5. Right-click the NTDS Settings object and click New Active Directory Domain Services Connection...
    6. Select a server from the list and click OK.
    See also: How to remove orphaned domains from Active Directory.
    Alert: Outbound replication is disabled
    Description: DCs with outbound replication disabled will not be able to distribute any changes originating from themselves.
    Remediation: To enable outbound replication on the affected domain controller, click Start, click Run, type cmd, and then click OK. Type the following command, and then press ENTER:
    repadmin /options -DISABLE_OUTBOUND_REPL
    Alert: Inbound replication is disabled
    Description: DCs with inbound replication disabled will not have the latest information. This situation can lead to logon failures.
    Remediation: To enable inbound replication on the affected domain controller, click Start, click Run, type cmd, and then click OK. Type the following command, and then press ENTER:
    repadmin /options -DISABLE_INBOUND_REPL
    Alert: The LanmanServer service is not running
    Description: If this service is disabled, any services that explicitly depend on it will fail to start.
    Remediation: Run net start LanManServer on the affected domain controller.
    Alert: The Kerberos Key Distribution Center service is not running
    Description: If the KDC service is stopped, users will not be able to authenticate through this DC using the Kerberos v5 authentication protocol.
    Remediation: Run net start kdc on the affected domain controller.
    Alert: DNS service is not running
    Description: If the DNS service is stopped, computers and users that use this server for DNS will fail to locate resources.
    Remediation: Run net start dns on the affected domain controller.
    Alert: DC had USN rollback
    Description: When a USN rollback occurs, modifications to objects and attributes are not inbound-replicated by destination domain controllers that have previously seen the USN. Because these destination domain controllers believe they are up to date, no replication errors are reported in the Directory Service event logs or by monitoring and diagnostic tools. A USN rollback may affect the replication of any object or attribute in any partition. The most commonly observed side effect is that user accounts and computer accounts created on the restored domain controller do not exist on one or more replication partners, or that password updates originating on the restored domain controller are not present on replication partners.
    Remediation: There are two approaches to recovering from a USN rollback:

    Remove the domain controller from the domain by following these steps:

    1. Remove Active Directory from the domain controller to force it to be a standalone server. For more information, click the article number below to view the article in the Microsoft Knowledge Base:
      332199: Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
    2. Shut down the demoted server.
    3. On a healthy domain controller, clean up the demoted domain controller's metadata. For more information, click the article number below to view the article in the Microsoft Knowledge Base:
      216498: How to remove data in Active Directory after an unsuccessful domain controller demotion
    4. If the failed domain controller hosted operations master roles, transfer those roles to a healthy domain controller. For more information, click the article number below to view the article in the Microsoft Knowledge Base:
      255504: Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
    5. Restart the demoted server.
    6. If prompted, reinstall Active Directory on the standalone server.
    7. If the domain controller was previously a global catalog, configure the domain controller to be a global catalog. For more information, click the article number below to view the article in the Microsoft Knowledge Base:
      313994: How to create or move a global catalog in Windows 2000
    8. If the domain controller previously hosted operations master roles, transfer the operations master roles back to the domain controller. For more information, click the article number below to view the article in the Microsoft Knowledge Base:
      255504: Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

    Restore the system state from a good backup.

    Evaluate whether there are valid system state backups for this domain controller. If a valid system state backup was created before the domain controller was improperly restored, and the backup contains recent changes made to the domain controller, restore the system state from the most recent backup.

    You can also use the snapshot as a backup source. Or you can configure the database to give itself a new invocation ID by using the procedure in "To restore a previous version of a virtual domain controller VHD without system state data backup" in this article.
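    A read-only local check for the service, replication, SYSVOL and time conditions behind the AD DS alerts above, as an added PowerShell example that is not part of the Microsoft article. It assumes an elevated session on the domain controller itself, the ActiveDirectory module (which needs ADWS, so the PDC-related checks are skipped when that is down), a <ntp-server> placeholder in the suggested fix, and the 5-minute Kerberos default as the skew threshold, which is this example's choice rather than the Connect Health threshold.

```powershell
# Added example (not from the Microsoft article): a read-only check of a domain
# controller for the conditions behind the AD DS alerts above. Assumptions: run in
# an elevated PowerShell session on the DC itself; the PDC-related checks use the
# ActiveDirectory module, which needs ADWS, so they are skipped when that is down.
function Test-DcHealth {
    $findings = New-Object System.Collections.Generic.List[string]

    # Services with their own "is not running" alert, mapped to the alert name.
    $required = [ordered]@{
        'gpsvc'        = 'The GPSVC service is not running'
        'Netlogon'     = 'The Netlogon service is not running'
        'W32Time'      = 'The W32Time service is not running'
        'ADWS'         = 'The ADWS service is not running'
        'LanmanServer' = 'The LanmanServer service is not running'
        'Kdc'          = 'The Kerberos Key Distribution Center service is not running'
        'DNS'          = 'DNS service is not running'
    }
    foreach ($name in $required.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') {
            $findings.Add("$($required[$name]) -> net start $name")
        }
    }

    # SYSVOL replication: only one of DFSR / NTFRS has to be running.
    $sysvolRepl = foreach ($n in 'DFSR', 'NtFrs') {
        Get-Service -Name $n -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running'
    }
    if (-not $sysvolRepl) {
        $findings.Add('DFSR and/or NTFRS services are not running -> net start dfsr (or ntfrs)')
    }

    # Replication switches. "repadmin /options" prints a line such as
    # "Current DSA Options: IS_GC DISABLE_INBOUND_REPL"; a leading "-" clears a flag.
    $options = (& repadmin.exe /options 2>&1) -join "`n"
    foreach ($dir in 'INBOUND', 'OUTBOUND') {
        if ($options -match "DISABLE_${dir}_REPL") {
            $label = (Get-Culture).TextInfo.ToTitleCase($dir.ToLower())
            $findings.Add("$label replication is disabled -> repadmin /options -DISABLE_${dir}_REPL")
        }
    }

    # SYSVOL share: without it the DC does not advertise and Group Policy is not applied.
    if (-not (Get-SmbShare -Name 'SYSVOL' -ErrorAction SilentlyContinue)) {
        $findings.Add('The domain controller cannot reach the local SYSVOL share')
    }

    # Time source. On the PDC emulator, "Local CMOS Clock" means the root PDC is not
    # synchronized with an NTP server. <ntp-server> below is a placeholder.
    $source = (& w32tm.exe /query /source 2>&1) -join ' '
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
    $isPdc = $dc -and ($dc.OperationMasterRoles -contains 'PDCEmulator')
    if ($isPdc -and $source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings.Add('The root PDC is not synchronized with an NTP server -> ' +
            'w32tm /config /manualpeerlist:<ntp-server> /syncfromflags:manual /reliable:yes')
    }

    # Time skew against the PDC emulator on any other DC. The 300 s threshold is the
    # Kerberos default tolerance, chosen for this example.
    if ($dc -and -not $isPdc) {
        $pdc = (Get-ADDomain).PDCEmulator
        $chart = (& w32tm.exe /stripchart /computer:$pdc /samples:1 /dataonly 2>&1) -join "`n"
        if ($chart -match ',\s*([+-]?\d+\.\d+)s') {
            $skew = [math]::Abs([double]$Matches[1])
            if ($skew -gt 300) {
                $findings.Add("Domain controller time is out of sync (${skew}s from $pdc) -> w32tm /resync")
            }
        }
    }

    return $findings
}

$result = Test-DcHealth
if (-not $result) { 'No alert conditions found on this domain controller.' } else { $result }
```

    The output pairs each detected condition with the remediation command the alert list gives for it; nothing in the function changes state, so it is safe to run from a monitoring job alongside the Connect Health agent.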

    Next steps

    • Azure AD Connect Health FAQ

    Article information

    Author: Dong Thiel

    Last Updated: 05/14/2023
