  1. Summary
  2. What is AAD Connect Health (AADCH) for AD FS?
    1. Benefits of deploying AAD Connect Health for AD FS
  3. Using AAD Connect Health to help migrate ADFS apps to Azure AD
    1. Deploying AAD Connect Health for AD FS
    2. Reviewing AD FS Application Activity
    3. Reviewing AD FS Sign-In Activity
    4. Plan and Execute App Migrations
  4. Call To Action
  5. FAQ
    1. 1. What kind of ADFS apps can I discover with AADCH?
    2. 2. Do I need to install AADCH ADFS Agents on all the ADFS servers?
    3. 3. If I have AADCH for Sync already installed do I need to install the agents for ADFS?
    4. 4. Should I install the AADCH ADFS Agents on ADFS servers if I have not federated AzureAD with ADFS?
    5. 5. If I have multiple AD FS Server farms, should I install the agents on all the farms?
  6. Related Links

Summary

The AAD Connect Health capability of Azure Active Directory enables operational insights such as alerts, performance monitoring and usage analytics of your hybrid infrastructure.

While AAD Connect Health has several components, including Sync and Domain Services, this guide focuses on the benefits and deployment of the AAD Connect Health agents for ADFS.

What is AAD Connect Health (AADCH) for AD FS?

To connect the AD FS infrastructure to AAD Connect Health, lightweight agents are deployed to the AD FS token and proxy servers. With auditing enabled on those servers, the agents use the recorded activity to help manage the AD FS infrastructure.

Benefits of deploying AAD Connect Health for AD FS

A core benefit of installing the AAD Connect Health agents for AD FS is that they let you monitor your AD FS infrastructure and gain insights into the usage of the service.

The agents also surface security and sign-in activity related to authentication requests for tokens from the AD FS servers.

Once the AADCH agents for ADFS are installed, the AD FS application activity report becomes available in the Entra Azure AD portal for you to discover and plan your application migration.

Deploying AAD Connect Health for AD FS

Lightweight agents are downloaded and deployed to the AD FS infrastructure. Please follow the guide on installing the agent for AD FS.

Reviewing AD FS Application Activity

Navigating to the Usage & Insights > AD FS application activity section of the portal, you can review the unique user activity for the applications on AD FS for the selected time period.

This allows you to discover, review, and prioritize applications to select for migration to Azure Active Directory as their authentication authority.

ADFS Application Activity

By reviewing the migration status details you can determine if there are any additional configuration steps needed to migrate the application to use Azure Active Directory for authentication.

AD FS Application Migration Status Details

Reviewing AD FS Sign-In Activity

You can review the AD FS activity in the Entra Azure AD portal sign-in logs, or through Azure Monitor if you have enabled the logs to be exported there. This can be useful when creating custom reports or queries on AD FS application sign-in activity as you plan and execute your application migrations to Azure AD.
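As an added example (not part of the original guide), the following Python sketch builds one such custom report from exported sign-in records: it ranks AD FS applications by unique users in a recent window and flags applications with no recent activity. The field names `time`, `user`, `app` and `ok` and the sample rows are constructed assumptions; map them from whatever your export actually contains.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows standing in for exported AD FS sign-in records.
# Field names are assumptions, not the export's real schema.
SAMPLE = [
    {"time": "2023-03-10T08:00:00+00:00", "user": "ana@example.com", "app": "HR Portal", "ok": True},
    {"time": "2023-03-11T09:30:00+00:00", "user": "Ana@example.com", "app": "HR Portal", "ok": True},
    {"time": "2023-03-12T10:00:00+00:00", "user": "bob@example.com", "app": "HR Portal", "ok": True},
    {"time": "2023-03-12T10:05:00+00:00", "user": "bob@example.com", "app": "HR Portal", "ok": False},
    {"time": "2023-03-15T14:00:00+00:00", "user": "carol@example.com", "app": "Expenses", "ok": True},
    {"time": "2023-01-05T11:00:00+00:00", "user": "dave@example.com", "app": "Legacy Wiki", "ok": True},
]
NOW = datetime(2023, 3, 31, tzinfo=timezone.utc)  # fixed so the report is reproducible


def migration_report(records, now, window_days=30):
    """Rank applications by unique successful users inside the window."""
    cutoff = now - timedelta(days=window_days)
    stats = defaultdict(lambda: {"users": set(), "failed": 0, "last": None})
    for rec in records:
        ts = datetime.fromisoformat(rec["time"])
        s = stats[rec["app"]]
        # Track last activity over the whole export so stale apps stay visible.
        if s["last"] is None or ts > s["last"]:
            s["last"] = ts
        if ts < cutoff:
            continue
        if rec["ok"]:
            s["users"].add(rec["user"].lower())  # UPNs compare case-insensitively
        else:
            s["failed"] += 1
    rows = [
        {"app": app, "unique_users": len(s["users"]), "failed": s["failed"],
         "last_seen": s["last"], "active": s["last"] >= cutoff}
        for app, s in stats.items()
    ]
    # Most-used applications first; ties broken by name for stable output.
    return sorted(rows, key=lambda r: (-r["unique_users"], r["app"]))


if __name__ == "__main__":
    for row in migration_report(SAMPLE, NOW):
        state = "active" if row["active"] else "no recent sign-ins"
        print(f'{row["app"]:<12} users={row["unique_users"]} '
              f'failed={row["failed"]} last={row["last_seen"]:%Y-%m-%d} ({state})')
```

Applications that appear with no recent sign-ins are worth confirming with their owners before you spend migration effort on them.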

Plan and Execute App Migrations

By installing the AAD Connect Health Agents for ADFS, you gain visibility into the applications in use in your AD FS environment. Follow the guidance at https://aka.ms/migrateapps to plan and execute your migration and upgrade the capabilities of applications in your organization.

Call To Action

Complete the following tasks to enable ADFS application insights to help you plan your migration of ADFS applications to Azure AD:

  • Install ADFS Connect Health Agents on ADFS Servers to get activity insights
  • Review ADFS Activity in Entra Azure AD Portal
  • Register ADFS Applications in Azure AD
  • Cut Over Application configuration to use Azure Active Directory as IDP

FAQ

1. What kind of ADFS apps can I discover with AADCH?

SAML, WSFed, and OAUTH applications integrated into the supported AD FS servers.

2. Do I need to install AADCH ADFS Agents on all the ADFS servers?

The AADCH Agents for AD FS should be installed on each of the token and proxy servers that you want to monitor and collect usage activity from.

3. If I have AADCH for Sync already installed do I need to install the agents for ADFS?

The AAD Connect Health agent for sync is typically installed on the server where you have deployed the AAD Connect Sync service. However, this is typically not the same server as your AD FS server, so you will need to plan and implement installing the agents on the desired AD FS servers.

4. Should I install the AADCH ADFS Agents on ADFS servers if I have not federated AzureAD with ADFS?

Yes, even if you have upgraded to using managed authentication for your Azure AD tenant, if you are using AD FS infrastructure for other applications you should deploy the agents to those servers to utilize the activity insights.

5. If I have multiple AD FS Server farms, should I install the agents on all the farms?

Yes. To collect the activity insights and get the benefits of Azure AD Connect Health for AD FS, you can install the agents on multiple farms.

Related Links