Welcome to Langenile

[email protected]
Contact Us

Category Archives: Exams of Microsoft

  1. Home / 
  2. Archive by category "Exams of Microsoft"
Jul 31, 2024
Managing and monitoring Microsoft 365 license allocations– Planning and Managing Azure AD Identities

If identity is the foundation for security in the Microsoft 365 platform, licensing is the entitlement engine that is used to grant identities access to the tools and applications.

Every Microsoft 365 service is tied to a license—whether that’s individual product licenses for Exchange Online or SharePoint Online or bundled offerings such as Microsoft 365 E3, which include multiple services.

In Microsoft terminology, there are a number of key terms to be aware of:

  • Licensing plans: In broad terms, a licensing plan is any purchased licensing item. For example, standalone Exchange Online P2 and Microsoft 365 E3 are both examples of licensing plans.
  • Services: Also known as service plans, these are the individual services that exist inside of a licensing plan. For example, Exchange Online P2 has a single Exchange Online P2 service plan, while Microsoft 365 E3 has an Exchange Online service plan, a Microsoft 365 Apps service plan, a SharePoint Online service plan, and so on.
  • Licenses: This is the actual number of individual license plans of a particular type that you have purchased. For example, If you have 5 subscriptions to Exchange Online P2 and 5 subscriptions to Microsoft 365 E3, you have 10 licenses (or 5 each of Exchange Online P2 and Microsoft 365 E3). Licenses are frequently mapped 1:1 with users or service principals, though some users may have more than one license plan associated with them.
  • SkuPartNumber: When reviewing licensing in PowerShell, the SkuPartNumber is the keyword that maps to a licensing plan. For example, Office 365 E3 is represented by the ENTERPRISEPACK SkuPartNumber.
  • AccountSkuId: The AccountSkuId is the combination of your tenant name (such as Contoso) and the SkuPartNumber or licensing plan. For example, the Office 365 E3 licensing plan belonging to the contoso.onmicrosoft.com tenant has an AccountSkuId of contoso:ENTERPRISEPACK.
  • ConsumedUnits: Consumed units represent the number of items in a licensing plan that you have assigned to users. For example, if you have assigned a Microsoft 365 E3 licensing plan to three users, you have three ConsumedUnits of the Microsoft 365 E3 licensing plan. If reviewing licensing from the Azure AD portal, this field is sometimes displayed as Assigned.
  • ActiveUnits: Number of units that you have purchased for a particular licensing plan. If reviewing licensing from the Azure AD portal, this field is sometimes displayed as Total.
  • WarningUnits: Number of units that you haven’t renewed purchasing for in a particular license plan. These units will be expired after the 30-day grace period. If reviewing licensing in the Azure AD portal, this field is also sometimes displayed as Expiring soon.

You can easily view purchased licensing plan details in the Microsoft 365 admin center under Billing | Licenses:

Figure 5.22 – License details in the Microsoft 365 admin center

You can assign licenses in many ways:

  • Through the Licenses page in the Microsoft 365 admin center (Microsoft 365 admin center | Billing | Licenses)
  • In the properties of a user on the Active users page in the Microsoft 365 admin center (Microsoft 365 admin center | Users | Active Users | User properties)
  • To users through the Licenses page in the Azure AD portal (Azure AD Portal | Azure AD | Licenses | Licensed users)
  • To users through the User properties page in the Azure AD portal (Azure AD Portal | Azure AD | Users | User properties)
  • To groups through group-based licensing (Azure AD Portal | Azure AD | Licenses | Licensed groups)
  • Through PowerShell cmdlets such as Set-MsolUserLicense

Each licensing method provides you with similar options for assigning license plans to users, including assigning multiple license plans or selectively enabling service plans inside an individual license plan.

For example, in the Microsoft 365 admin center, you can view and modify a user’s licenses on the Licenses and apps tab of their profile.

Figure 5.23 – User license management

As you can see in Figure 5.23, the user has the Office 365 E5 licensing plan enabled as well as individual services such as Common Data Service, Common Data Service for Teams, and Customer Lockbox, while the Azure Rights Management service plan for this licensing plan is disabled.

More Details
May 21, 2024
The Microsoft 365 admin center– Planning and Managing Azure AD Identities

For most Azure AD group administration use cases, you’ll probably use the Microsoft 365 admin center. To configure groups in the Microsoft 365 admin center, follow these steps:

  1. Navigate to the Microsoft 365 admin center (https://admin.microsoft.com). Expand Teams & groups and then select Active teams & groups.

Figure 5.12 – Active teams and groups

  1. Click Add a group.
  2. On the Group type page, select the type of group you wish to create. With the exception of Security groups, all group types will require essentially the same information (non-mail-enabled security groups do not allow you to add owners or members in the workflow, though they can be added later). If you select a Microsoft 365 group as your group type, you’ll also have the option at the end of the wizard to create a Microsoft Teams team from the group.

Figure 5.13 – Choose a group type

  1. On the Basics page, enter a name and an optional description for the group, and then click Next.
  2. On the Owners page, click Assign owners to assign at least a single owner. Microsoft recommends having at least two owners (in case one leaves the organization or is absent for a period of time). The owner cannot be an external guest. Click Next when finished.
  3. On the Members page, click Add members. This is an optional step. Click Next to proceed.
  4. On the Settings page, configure settings for the group and then click Next:
    • For distribution groups and mail-enabled security groups, this includes an email address.
    • For Microsoft 365 and security groups, this includes assigning Azure AD roles. The option does not appear for mail-enabled security groups, though it can be added later.
    • For distribution groups, this includes the ability for users outside the org to email the groups (Microsoft 365 groups must have this setting configured manually in the Exchange properties for the group object afterward).
    • For Microsoft 365 groups, you can also configure privacy settings (either Public or Private). Public groups can be browsed and joined by anyone while private groups require an owner to add additional members.
    • Also for Microsoft 365 groups, you can choose to convert the group into a team, though users must have a Teams license assigned to access the group.
  5. On the Finish page, review the settings and click Create group.
    After the group has been created, you can modify its settings in either the Microsoft 365 admin center or Azure AD portal, as shown in Figure 5.14:

Figure 5.14 – Modifying the settings of a Microsoft 365 group
As you can see in Figure 5.14, Microsoft 365 groups have some additional properties (such as determining whether to send copies of emails received by the group mailbox to individual team mailboxes or associate them with a sensitivity label).

More Details
Jan 23, 2024
Creating and managing cloud users– Planning and Managing Azure AD Identities

From an Azure AD perspective, cloud users are the easiest type of object to understand and manage. When you create an Azure AD or Microsoft 365 tenant, one of the first things you set up is your administrator user identity (in the form of [email protected]). This identity is stored in the Azure AD directory partition for your Microsoft 365 tenant. When we talk about Azure AD cloud users, we’re talking about users whose primary source of identity is in Azure AD.

Exam tip

Cloud users can be assigned to any domain that is verified in the Microsoft 365 tenant with a single caveat—the domain must be in managed mode. If a domain has been federated (such as with AD FS or PingFederate), users can only be assigned that domain when they are provisioned in the on-premises system.

The initial domain (or tenant domain) will always be a cloud-only domain since Azure AD will always be the source of authority for it. When you add domains to a tenant, the domains are initially configured as managed—that is, Azure AD is used to manage the identity store.

One benefit of configuring cloud-only users is that there is no dependency on any other infrastructure or identity service. For many small organizations, cloud-only identity is the perfect solution because it requires no hardware or software investment other than a Microsoft 365 subscription. Correspondingly, a drawback of cloud-only users is the lack of integration with on-premises directory solutions.

Exam tip

As a best practice, Microsoft recommends maintaining at least one cloud-only account in case you lose access to any on-premises environment.

The easiest way to provision cloud users is through the Microsoft 365 admin center (https://admin.microsoft.com). To configure a user, expand Users, select Active Users, and then click Add a user. The wizard, shown in Figure 5.1, will prompt you to configure an account.

Figure 5.1 – Adding a new cloud user

You can configure the name properties for a user as well as assign them any licenses and a location through the Add a user wizard’s workflow, as shown in Figure 5.2:

Figure 5.2 – Assign product licenses page

On the Optional settings page, you can also configure additional properties such as security roles, job title and department, addresses, and phone numbers, as shown in Figure 5.3.

Figure 5.3 – Add a user profile information

You can also add users through the Azure AD portal (https://aad.portal.azure.com). The Azure AD portal is arranged much differently from the Microsoft 365 admin center, due largely to the number of different types of resources and services that can be managed there. There are several differences in managing users and objects between the two interfaces; the Microsoft 365 admin center is a much more menu-driven experience, prompting administrators to configure common options and features inside the provisioning workflow.

Once you’ve logged in to the Azure AD portal, select Users and then select New user. The interface, shown in Figure 5.4, offers the opportunity to populate similar fields to those in the admin center.

Figure 5.4 – Creating a user through the Azure AD portal

Most organizations that are using Azure from a cloud-only identity perspective will likely provision objects inside the Microsoft 365 admin center.

More Details
Sep 22, 2023
Installing the provisioning agent– Implementing and Managing Identity Synchronization with Azure AD

To begin installing Azure AD Connect cloud sync, follow these steps:

  1. Log on to a server where you wish to install the Azure AD Connect cloud sync provisioning agent.
  2. Navigate to the Azure portal (https://portal.azure.com) and select Active Directory | Azure AD Connect.

Figure 4.25 – Azure AD Connect in the Azure portal

  1. From the navigation menu, select Cloud sync.
  2. Under Monitor, select Agents.
  3. Select Download on-premises agent.

Figure 4.26 – Download on-premises agent for Azure AD Connect cloud sync

  1. On the Azure AD Provisioning Agent flyout, select Accept terms & download to begin the download.
  2. Open the AADConnectProvisioningAgentSetup.exe file to begin the installation.
  3. Agree to the licensing terms and click Install to deploy the Microsoft Azure AD Connect provisioning package.
  4. After the software installation is complete, the configuration wizard will launch. Click Next on the splash page to begin the configuration.
  5. On the Select Extension page, choose the HR-driven provisioning (Workday and SuccessFactors) / Azure AD Connect Cloud Sync radio button and click Next.

Figure 4.27 – The Azure AD Connect cloud sync Select Extension page

  1. On the Connect Azure AD page, click Authenticate to sign in to Azure AD.
  2. On the Configure Service Account page, select the Create gMSA radio button to instruct the setup process to provision a new gMSA in the format of DOMAIN\provAgentgMSA. Enter either a Domain Administrator or Enterprise Administrator credential and click Next.

Figure 4.28 – Configuring an Azure AD Connect cloud sync service account
CREATING A CUSTOM GMSA
You can also create a gMSA if desired. The custom service account will need to be delegated permissions to read all properties on all User, inetOrgPerson, computer, device, Group, foreignSecurityPrincipal, and Contact objects, as well as being able to create and delete user objects. For more information, see https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-prerequisites?tabs=public-cloud#custom-gmsa-account.

  1. On the Connect Active Directory page, click Add Directory and provide the domain credentials to add the directory to the configuration. When finished, click Next.

Figure 4.29 – Adding a directory to Azure AD Connect cloud sync

  1. Review the details on the Agent configuration page and click Confirm to deploy the provisioning agent. When finished, click Exit.

After the agent has been deployed, you will need to continue in the Azure AD portal.

More Details
Aug 15, 2023
Azure AD Connect Health for AD FS– Implementing and Managing Identity Synchronization with Azure AD

In addition to gathering and reporting information for your on-premises Active Directory and synchronization services, Azure AD Connect Health also supports AD FS.
To get the most out of Azure AD Connect Health for AD FS, you’ll need to enable auditing, which involves three steps:

  1. Ensure that the AD FS farm service account has been granted the Generate security audits right in the security policy (Local Policies | User Rights Assignment | Generate security audits).
  2. From an elevated command prompt, run the following command: auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable.
  3. On the AD FS primary farm server, open an elevated PowerShell prompt and run the following command: Set-AdfsProperties -AuditLevel Verbose.
    Then, you can deploy the agents to your servers.
    After deploying the agents to your federation and proxy servers, you will see information reported in the Azure AD Connect Health portal under Active Directory Federation Services, as shown in Figure 4.21:

Figure 4.21 – Azure AD Connect Health for AD FS
In addition to diagnostic information, the health services for AD FS can also provide usage analytics and performance monitoring, as well as failed logins and information regarding risky sign-ins.

Figure 4.22 – Azure AD Connect Health for AD FS
Azure AD Connect Health is a valuable premium service that can help keep you on top of the health and performance aspects of your hybrid identity deployment.
Troubleshooting Azure AD Connect synchronization
While things normally operate smoothly, there may be times when objects become misconfigured or services go offline unexpectedly. You can troubleshoot common issues with Azure AD Connect’s built-in troubleshooting tools.
To launch the troubleshooting tool, follow these steps:

  1. Launch the Azure AD Connect configuration tool on the desktop of the server where Azure AD Connect is installed.
  2. Click Configure.
  3. On the Additional tasks page, select Troubleshoot and then click Next.
  4. On the Welcome to AADConnect Troubleshooting page, select Launch.

Figure 4.23 – Launching the AADConnect Troubleshooting tool

  1. Select the appropriate troubleshooting options from the menu shown in Figure 4.24:

Figure 4.24 – The AADConnect Troubleshooting menu
The AADConnect Troubleshooting tool provides several specific troubleshooters, such as diagnosing attribute or group membership synchronization, password hash synchronization, as well as service account permissions.
Most object or attribute troubleshooting routines will require the object’s DN to continue.
FURTHER READING
For more information on the tests that can be performed by the AADConnect Troubleshooting tool, see https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-objectsync.
Configuring and managing directory synchronization by using Azure AD Connect cloud sync
Azure AD Connect cloud sync is a new synchronization platform that allows you to manage directory synchronization from the Azure portal. Depending on your organization’s goals and environments, Azure AD Connect cloud sync can be a lightweight, flexible option that allows you to begin directory synchronization quickly.
EXAM TIP
To perform the installation, you’ll need either a Domain Administrator or Enterprise Administrator credential to the on-premises Active Directory forest so that the installer can create the group Managed Service Account (gMSA). You’ll also need an account that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD.
Microsoft recommends configuring a unique identity in Azure AD with the Hybrid Identity Administrator role for Azure AD Connect cloud sync.

More Details
Jul 24, 2023
Password hash synchronization– Planning Identity Synchronization

Password hash synchronization (commonly referred to as PHS) is the Microsoft-recommended identity solution. In addition to synchronizing the core identity object data, PHS also synchronizes password hash values to the account objects in Azure AD. This ensures that users can use the same password to access local Active Directory resources, as well as Azure AD services.

Further reading

The security behind Azure AD Password Hash Synchronization is complex, involving multiple hashing algorithms. For a deeper understanding of how Password Hash Synchronization protects user data, see https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization.

When a user logs in to a tenant that has PHS configured, every part of the authentication takes place in Azure AD. This is advantageous because the organization has no reliance on the availability of any on-premises infrastructure for ongoing authentication. Once an identity and its password hash have been synchronized, the on-premises directory isn’t needed until the on-premises object is updated again (such as an additional email address, a change in the display name, or a new password).

In addition, PHS enables an advanced Azure AD Premium P2 security feature: leaked credential detection. With this feature, Microsoft continuously checks various dark websites for organizational identity data that may have been compromised.

As mentioned in the Accounts and security section, password hash synchronization requires the service account to have the Replicating Directory Changes and Replicating Directory Changes All rights in the on-premises directory.

Password hash synchronization is a cloud authentication solution.

Pass-through authentication

Similar to password hash synchronization, pass-through authentication (PTA) relies on synchronizing objects to Azure AD. Unlike PHS, however, the actual password validation happens on-premises. PTA relies upon an agent installed on-premises, which periodically checks Azure for an authentication request.

When Azure AD Connect is configured with PTA, a secure channel is established between the Azure Service Bus and the lightweight PTA agent. For redundancy, you can deploy multiple PTA agents in your environment.

Note

From a networking perspective, Azure AD Connect’s communication is outbound only to the Azure Service Bus. Unlike federation, PTA does not require inbound connectivity.

When a user requests access to an Azure AD resource, the logon request is stored on the Azure Service Bus. This request is encrypted with the public key of each of the PTA agents. The agents check the Service Bus for a request, bring the request back on-premises, decrypt it with the agent’s private key, and then process the request against an on-premises domain controller. The result of the validation (either success or failure) is then sent back to the Azure Service Bus, where Azure AD retrieves the response and then either grants or denies the logon request.

PTA is a potential solution for organizations that want as much benefit from cloud authentication as possible but may have organizational requirements for on-premises credential validation or the enforcement of Active Directory logon hours.

Due to its on-premises password validation component, if none of the on-premises authentication agents can connect to both the Azure Service Bus and local Active Directory, users will be unable to log in.

Microsoft categorized PTA as a cloud authentication solution.

More Details
Jun 4, 2023
Federation– Planning Identity Synchronization

With federated identity solutions, Azure AD is configured to refer authentication requests to an on-premises service to validate login data. When a federated user attempts to log on to an Azure AD resource, Azure AD redirects the login session to an organization-managed web service. Users then enter their credentials in this organization-managed application, which, in turn, validates the logon details against the on-premises directory.

Some organizations may require federated identity due to specific regulations, the need to use smartcard-based login, or third-party multi-factor authentication products. Due to its on-premises password validation component, if on-premises services (such as federation farm servers, load balancers, web application proxy servers, or domain controllers) are unavailable, users will be unable to log in to Azure AD.

You can use the following flowchart to understand which solution is appropriate for you:

`

Figure 3.6 – Authentication selection decision flowchart

Once you have selected an identity and authentication mechanism for your tenant, you can begin preparing your environment for hybrid authentication. Regardless of the method selected for authenticating hybrid identity, Azure AD Connect can be used to configure it.

Summary

In this chapter, you learned how to plan for a hybrid identity deployment, including choosing an authentication method (such as password hash sync, pass-through authentication, or federation) and understanding the various requirements and capabilities of identity synchronization tools. You also learned the basic terminology associated with the Azure AD Connect synchronization engine.

In the next chapter, we will begin configuring Azure AD Connect.

Knowledge check

In this section, we’ll test your knowledge of some key elements from this chapter.

Questions

Answer the following questions:

  1. Which two authentication or sign-in methods validate user passwords on-premises?
    • Password hash synchronization
    • Pass-through authentication
    • Federation
    • Hybrid identity
  1. Which two rights are necessary for password hash synchronization?
    • Replicating Directory Changes
    • Replicating Directory Changes Password
    • Replicating Directory Changes All
    • Replicating Directory Changes Advanced
  2. Which feature, service, or component is a consolidated view of all objects from the connected systems?
    • Connector space
    • sourceAnchor
    • Connected system
    • Metaverse
  3. You have 75,000 objects in your Active Directory environment and need to recommend a solution for Azure AD Connect. You should recommend the simplest option that supports your environment.
    • An Azure AD Connect server with local SQL Server Express
    • An Azure AD Connect server with local or remote SQL Server Analysis Services
    • Azure AD Connect with database stored in a local or remote standalone SQL server
    • Azure AD Connect configured with WID database
  4. Azure AD Connect setup can configure which two federation services?
    • Azure Active Directory Federation Services
    • Active Directory Federation Services
    • OKTA Federation Services
    • PingFederate

Answers

The following are the answers to this chapter’s questions:

  1. B: Pass-through authentication; C: Federation
  2. A: Replicating Directory Changes; C: Replicating Directory Changes All
  3. D: Metaverse
  4. A: Azure AD Connect with local SQL Server Express
  5. B: Active Directory Federation Services; D: PingFederate
More Details
Mar 15, 2023
Configuring Azure AD Connect filters– Implementing and Managing Identity Synchronization with Azure AD

If you need to exclude objects from Azure AD Connect’s synchronization scope, you can do so through a number of different methods:
• Domain and organizational unit-based filtering
• Group-based filtering
• Attribute-based filtering
Let’s quickly examine these.


Domain and organizational unit-based filtering
With this method, you can deselect large portions of your directory by modifying the list of domains or organizational units that are selected for synchronization. While there are several ways to do this, the easiest way is through the Azure AD Connect setup and configuration tool:

  1. To launch the Azure AD Connect configuration tool, double-click the Azure AD Connect icon on the desktop of the server where Azure AD Connect is installed. After it launches, click Configure.
  2. On the Additional tasks page, select Customize synchronization options and then click Next.

Figure 4.8 – The Additional tasks page

  1. On the Connect to Azure AD page, enter a credential with either the Global Administrator or Hybrid Identity Administrator role and click Next.
  2. On the Connect your directories page, click Next.
  3. On the Domain and OU filtering page, select the Sync selected domains and OUs radio button, and then select or clear objects to include or exclude from synchronization.

Figure 4.9 – The Azure AD Connect Domain and OU filtering page

  1. Click Next.
  2. On the Optional features page, click Next.
  3. On the Ready to configure page, click Configure.
    After synchronization completes, verify that only objects from in-scope organizational units or domains are present in Azure AD.
    Group-based filtering
    Azure AD Connect only supports the configuration of group-based filtering if you choose to customize the Azure AD Connect setup. It is not available if you perform an express installation.
    That being said, if you’ve chosen a custom installation, you can choose to limit the synchronization scope to a single group. On the Filter users and devices page of the configuration wizard, select the Synchronize selected radio button and then enter the name or distinguished name (DN) of a group that contains the users and devices to be synchronized.

Figure 4.10 – The Filter users and devices page
With group-based filtering, only direct members of the group are synchronized. Users, groups, contacts, or devices nested inside other groups are not resolved or synchronized.
Microsoft recommends group-based filtering for piloting purposes only.

More Details
Feb 7, 2023
Attribute-based filtering– Implementing and Managing Identity Synchronization with Azure AD

Another way to filter objects to Azure AD is through the use of an attribute filter. This advanced method requires creating a custom synchronization rule in the Azure AD Connect Synchronization Rules Editor.
To create an attribute-based filtering rule, select an attribute that isn’t currently being used by your organization for another purpose. You can use this attribute as a scoping filter to exclude objects.
The following procedure can be used to create a simple filtering rule:

  1. On the server running Azure AD Connect, launch the Synchronization Rules Editor.
  2. Under Direction, select Inbound, and then click Add new rule.

Figure 4.11 – Synchronization Rules Editor

  1. Provide a name and a description for the rule.
  2. Under Connected System, select the object that represents your on-premises Active Directory forest.
  3. Under Connected System Object Type, select user.
  4. Under Metaverse Object Type, select person.
  5. Under Link Type, select Join.
  6. In the Precedence text field, enter an unused number (such as 50). Click Next.

Figure 4.12 – Creating a new inbound synchronization rule

  1. On the Scoping filter page, click Add group and then click Add clause.
  2. Under Attribute, select extensionAttribute1 (or whichever unused attribute you have selected).
  3. Under Operator, select EQUAL.
  4. In the Value text field, enter NOSYNC and then click Next.

Figure 4.13 – Configuring a scoping filter for extensionAttribute1

  1. On the Join rules page, click Next without adding any parameters.
  2. On the Transformations page, click Add transformation.
  3. Under FlowType, select Constant.
  4. Under Target Attribute, select cloudFiltered.
  5. In the Source text field, enter the value True. Click Add transformation.

Figure 4.14 – Adding a transformation for the cloudFiltered attribute

  1. Acknowledge the warning that a full import will be required by clicking OK.

Figure 4.15 – The warning for full import and synchronization
After modifying a synchronization rule, a full import and full synchronization is required. You don’t have to perform any special steps, however; Azure AD Connect is aware of the update and will automatically perform the necessary full imports and synchronizations.
Monitoring synchronization by using Azure AD Connect Health
Azure AD Connect Health is a premium feature of the Azure AD license. Azure AD Connect Health has separate agent features for Azure AD Connect, Azure AD Health for Directory Services, and Azure AD Health for Active Directory Federation Services (AD FS).

More Details
Jan 4, 2023
Azure AD Connect Health– Implementing and Managing Identity Synchronization with Azure AD

You can see the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth. From there, you will be able to view basic details about your environment as well as obtain agent installation packages. See Figure 4.16.

Figure 4.16 – Azure AD Connect Health
While the Azure AD Connect Health agent for sync is included in the Azure AD Connect installation, the health agents for DS and AD FS are separate installations and must be downloaded separately:
• Azure AD Connect Health Agent for DS: https://go.microsoft.com/fwlink/?LinkID=820540
• Azure AD Connect Health Agent for AD FS: https://go.microsoft.com/fwlink/?LinkID=518973
If you do not have AD FS deployed in your environment, you do not need to deploy the AD FS agents.
Azure AD Connect Health for sync
The core health product, Azure AD Connect Health for sync, shows the current health of your synchronization environment, including object synchronization problems and data-related errors.
You can view the health status and identified errors by selecting Sync errors under Azure Active Directory Connect (Sync) on the Azure AD Connect Health portal (https://aka.ms/aadconnecthealth).

Figure 4.17 – Azure AD Connect Health sync errors
Selecting an error type will allow you to drill down into individual errors. In the example in Figure 4.18, Azure AD Connect Health has detected two objects with the same address:

Figure 4.18 – Azure AD Connect Health error details
You can use this information to identify and troubleshoot on-premises objects.
Azure AD Connect Health for Directory Services
Microsoft recommends deploying Azure AD Connect Health for Directory Services agents on all domain controllers you want to monitor, or at least one for each domain.
The Azure AD Connect Health agent deployment is relatively straightforward, asking only for a credential to complete the installation. Once the installation has completed, you can review details about your domain controller health in the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth.
On the Azure AD Connect Health page, under Active Directory Domain Services, select AD DS services, as shown in Figure 4.19, and then select a domain to view the details.

Figure 4.19 – Azure AD Connect Health AD DS services
The health services agents display a variety of details about the environment, including replication errors, LDAP bind operations, NTLM authentication operations, and Kerberos authentication operations.

Figure 4.20 – The Azure AD Connect Health for AD Directory Services details page
Errors that are detected here should be resolved in your on-premises Active Directory environment.

More Details