Unit 9: Manage Microsoft Entra Connect Health

1. Overview

Once Microsoft Entra Connect Health is deployed, administrators must actively manage and maintain it to ensure consistent monitoring of identity components such as AD FS, AD DS, and Entra Connect Sync.

This unit focuses on:

• Managing alerts and notifications.
• Configuring access permissions via Azure Role-Based Access Control (RBAC).
• Removing outdated servers or services from monitoring.
• Using diagnostic tools to resolve sync errors directly from the portal.

Think of this as the day-to-day operations layer of Connect Health — it’s how admins keep hybrid identity healthy and auditable after setup.

2. Enabling and Managing Email Notifications

By default, Connect Health can send email alerts when:

• A new issue is detected (e.g., a failed sync or certificate expiration).
• An existing issue is resolved.

These notifications ensure that admins are immediately aware of identity issues without having to log into the portal.

Steps to Enable or Configure Notifications

• In the Microsoft Entra admin center, go to Identity → Connect Health → Alerts.
• Select Notification Settings from the top bar.
• Toggle Email Notifications: ON.
• Choose:
• Notify all global administrators (recommended).
• Or specify additional recipients manually (e.g., ITSupport@contoso.com).
• Click Save.

Note: Notification settings only apply after saving, and you can remove recipients anytime by selecting and deleting their email entry.

Notification Behavior Changes

Microsoft optimized email notifications to reduce noise:

• Instead of a separate email for each error, admins now receive a daily digest summarizing all errors detected in the last 24 hours.
• This keeps alerts manageable and easier to track across large environments.

Example: If ten sync errors occur during the day, the admin receives one summary email instead of ten separate ones.

3. Managing and Deleting Servers or Service Instances

Sometimes, monitored servers (e.g., decommissioned AD FS nodes) or service instances (e.g., test environments) must be removed from Connect Health.

Important Considerations Before Deletion

• Removing a server stops data collection and monitoring for that node.
• The Health Agent remains installed — you must manually uninstall it to prevent log errors.
• Historical data is retained temporarily, then deleted according to Azure data retention policy.
• To resume monitoring the same server, uninstall and reinstall the agent to re-register it.

4. Deleting a Server from Connect Health

Steps

• Open Microsoft Entra admin center → Identity → Connect Health → Servers.
• Select the server name to remove.
• From the Action bar, click Delete.
• Confirm by typing the server name in the confirmation box.
• Select Delete to finalize.

This process stops telemetry uploads from that specific machine and removes it from the dashboard.

5. Deleting a Service Instance

A service instance represents a logical group, such as an AD FS farm or Entra Connect configuration. Deleting it removes all monitored servers that belong to that instance from Connect Health.

Steps

• Navigate to Identity → Connect Health → Service Instances.
• Select the instance (e.g., sts.contoso.com for AD FS).
• Click Delete.
• Type the name to confirm.
• Select Delete again.

Result:

• The service instance and its aggregated data are removed.
• Health Agents remain installed but will show errors until unregistered or reinstalled.

6. Managing Access with Azure Role-Based Access Control (RBAC)

Connect Health integrates with Azure RBAC, which allows you to control who can view or manage health data. This follows the principle of least privilege — granting only the necessary access to specific users or groups.

Built-in Roles

7. Access Scope Levels

You can assign roles at two levels:

If a user has access at either level, they can view the respective instance in the portal.

8. Granting Access in Connect Health

Steps

• Open Microsoft Entra admin center → Connect Health.
• Under Configuration, select Users.
• Click Add.
• Choose the appropriate role (Owner, Contributor, Reader).
• Search for the user or group name and select it.
• Click Select → OK to confirm.

The user or group appears in the access list immediately.

Note: The Invite Users feature is not supported in Connect Health — users must already exist in your Microsoft Entra tenant.

Example:

Contoso’s IT team has:

• A Global Admin (Owner) overseeing all instances.
• A Regional AD FS admin (Contributor) responsible for only sts.europe.contoso.com.
• A Helpdesk analyst (Reader) allowed to view alerts but not edit settings.

9. Sharing and Pinning Dashboards

After granting access, you can help users access the portal more easily:

• Open the desired dashboard (e.g., “AD FS Health Overview”).
• Select Pin to dashboard (📌 icon).
• Choose the main or shared dashboard.
• Users can now access Connect Health directly from their Microsoft Entra home page.

This is particularly useful for service owners or NOC teams monitoring real-time authentication health.

10. Removing Users or Groups

If a user or group no longer needs access:

• Open Configuration → Users in the Connect Health portal.
• Select the user or group.
• Click Remove.
• Confirm the deletion.

This immediately revokes their permissions from Connect Health (though not other Entra services).

11. Diagnosing and Remediating Duplicate Attribute Sync Errors

One of the most powerful management features of Connect Health is self-service diagnostics for synchronization errors, particularly duplicated attributes.

Overview

When you see sync errors like:

• AttributeValueMustBeUnique
• QuarantinedAttributeValueMustBeUnique

these indicate duplicate UPNs, proxyAddresses, or SIP addresses across users.

Connect Health introduces a diagnose and fix feature that allows admins to detect and repair these errors directly from the portal.

How It Works

• Connect Health detects a sync error and displays it in the Sync Errors section.
• Each error entry shows a Diagnose status such as:
• Not Started → Diagnostics not run yet.
• Manual Fix Required → Error requires manual AD-side correction.
• Pending Sync → A fix has been applied; awaiting next sync cycle.
• Admin clicks Diagnose to begin.
• The wizard asks guided questions to determine whether:
• The issue is due to a duplicate value.
• The affected object is orphaned (no longer has a valid source anchor).
• If eligible, Connect Health automatically applies the fix by clearing the conflict in Microsoft Entra ID.
• The portal updates the error’s status after the next sync.

Example Scenario

• Two users, Joe Jackson and Joe James, both have Joe.J@contoso.com.
• Connect Health shows a QuarantinedAttributeValueMustBeUnique error.
• The admin clicks Diagnose → Apply Fix.
• Connect Health identifies the orphaned cloud object and removes the duplicate value automatically.
• After the next sync, the conflict resolves, and both objects sync cleanly.

12. Benefits of Self-Service Sync Diagnostics

• Reduced dependency on PowerShell or manual data corrections.
• Faster resolution time for common attribute conflicts.
• Improved visibility into which attributes or users are affected.
• Error trend analysis – helps identify recurring sync hygiene problems.

13. Real-World Example

Scenario: A multinational enterprise merges with another company. During sync setup, several duplicate proxy addresses appear (e.g., alex@contoso.com already exists in alex@fabrikam.com).

Using Connect Health:

• Admin views sync errors in the portal.
• Runs diagnostics on each duplicated attribute conflict.
• Identifies that certain objects in Contoso were orphaned after migration.
• Applies automatic fixes through the Apply Fix option.
• After one sync cycle, all user objects successfully merge and duplicates disappear.

Result: What would normally take hours of PowerShell cleanup is resolved from the Connect Health interface.

14. Best Practices for Connect Health Management

15. Exam Tips

• Email alerts are on by default but configurable per service.
• Daily digest replaces one-email-per-error behavior.
• Deleting a server stops monitoring but doesn’t uninstall the agent.
• Deleting a service instance removes all aggregated data.
• RBAC roles:
• Owner – Full control (includes access management).
• Contributor – Edit settings, no access management.
• Reader – View-only access.
• Access scopes: all instances or per-instance.
• Invite Users not supported — only existing Entra accounts.
• Diagnostics in Connect Health fix duplicate attribute sync errors like UPN or proxyAddress conflicts.

16. Summary

Managing Microsoft Entra Connect Health effectively ensures continuous visibility and control over hybrid identity infrastructure. Through alerts, RBAC, and diagnostic automation, administrators can:

• Detect and resolve sync issues proactively.
• Control who has monitoring access.
• Keep monitoring data accurate and secure.
• Prevent disruptions in authentication and synchronization.

By operationalizing Connect Health, organizations maintain a stable, secure, and well-audited hybrid identity environment that aligns with enterprise governance and exam best practices.

✅ Module 3 Complete: Implement and Manage Hybrid Identity You now have detailed understanding of:

• Hybrid identity concepts and topologies.
• Entra Connect configuration, authentication methods (PHS, PTA, Federation).
• Synchronization design and troubleshooting.
• Connect Health setup, management, and diagnostics.