Microsoft Entra Connect Health
Connect Health monitors the hybrid-identity infrastructure — Entra Connect, AD FS, and AD DS.
Microsoft Entra Connect Health is the monitoring service for hybrid identity infrastructure — your on-premises Microsoft Entra Connect servers, AD FS if you still run federation, and Active Directory Domain Services. It reports on sync health, authentication patterns, performance, and risk signals via a single Azure portal experience.
What Connect Health monitors
Entra Connect Sync
- Sync status: last successful import, synchronisation and export per run profile, with alerts when a run hasn't completed in the expected window.
- Object counts and changes: what's flowing each cycle, trended over time.
- Export and sync errors by type (duplicate attribute, data mismatch, data validation failure, large attribute), listed per affected object so you can fix the source object rather than guess.
- Sync engine performance: run profile latency and long-running operations.
Sign-in activity isn't part of the sync view. With Password Hash Sync, authentication happens in Entra ID, so failed sign-ins appear in the Entra sign-in logs and Identity Protection, not in Connect Health.
AD FS
- Token issuance and sign-in volumes by application and network location (intranet versus extranet).
- Failed sign-ins and their reasons.
- Risky IP report: IP addresses that exceed a configurable threshold of bad-password or extranet-lockout failures within an hour or a day (early warning of password spray).
- Top users with bad username/password attempts, which also helps spot a single source spraying many accounts.
- Service performance of the AD FS farm: token request rates, latency and resource use per server.
AD DS
- Domain controller health: DC availability, replication status and errors per replication partner, and the state of the monitoring agent on each DC.
- Performance counters that matter for authentication: LDAP searches and binds, Kerberos and NTLM authentications per second, so a DC saturating ahead of a login storm is visible.
- Alerts for common operational faults such as replication failures, stopped services and agents that have gone quiet.
Why it matters
For hybrid-identity organisations, Connect Health is the single window into "is identity working?" Without it, you have separate consoles for each component and no aggregated view of cross-component health. With it:
- Sync failures surface before users notice they've lost access.
- Password spray against AD FS surfaces as risky IP patterns; for PHS tenants the equivalent signal lives in the Entra sign-in logs and Identity Protection, so Connect Health complements those rather than replacing them.
- Performance degradation in any component is visible before it reaches users.
Deployment
Connect Health requires agents installed on:
- The Entra Connect server(s). The sync agent is installed with Entra Connect itself and registered during setup, provided the server has outbound connectivity.
- Each AD FS server, including secondary farm members and Web Application Proxies; a WAP that isn't reporting hides extranet failures.
- Each domain controller you want monitored (optional but recommended; an unmonitored DC is a blind spot in the replication and performance views).
Agents are registered once with an Entra administrator account, then send telemetry outbound over HTTPS (TCP 443) to the Connect Health service in Azure; no inbound connectivity to the servers is needed. The portal aggregates and presents the data.
Licensing
Connect Health requires Microsoft Entra ID P1, which is included in Microsoft 365 Business Premium, E3, E5 and F3 and available standalone. Licensing is per agent, not per user: the first registered agent needs one P1 licence in the tenant, and each additional agent (Sync, AD FS, WAP or domain controller) needs 25 further P1 licences. A tenant large enough to run hybrid identity will normally have these already, but count your agents before rolling out to every domain controller.
Long-term direction
For tenants migrating to Entra Cloud Sync instead of Entra Connect, monitoring is built in: provisioning agent status and the provisioning logs live in the Microsoft Entra admin center, so Connect Health isn't used for Cloud Sync. For tenants still on Entra Connect Sync or AD FS, Connect Health remains the right tool.
The broader trajectory is cloud-only identity — no AD, no AD FS, no Entra Connect. Tenants that reach that endpoint don't need Connect Health at all. Until then, it's an essential operational tool.
Practical advice
- Deploy agents to every component — gaps create blind spots.
- Subscribe to alerts so you hear about sync issues before users do.
- Review the recommendations quarterly — many tenants discover misconfigurations they didn't know about.
- Use the risky IP and bad-password-attempt reports for AD FS as early warning of password spray. For PHS tenants, sign-ins happen in Entra ID, so look in the Entra sign-in logs and Identity Protection for the same signal.
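The first piece of advice above, and the deployment list before it, amount to one question: does every Entra Connect server, AD FS farm member, WAP and domain controller actually have a running agent? The script below is an added example written for this page, not Microsoft's tooling and not code from the original text. It enumerates domain controllers from AD, takes the sync and AD FS/WAP tier as hand-supplied lists (the server names SYNC01, ADFS01, ADFS02 and WAP01 are placeholders, since AD does not record which hosts play those roles), queries each host over PowerShell remoting for Windows services whose display name contains "Connect Health" (an assumption that holds for the "Azure AD Connect Health ..." and "Microsoft Entra Connect Health ..." service names), and reports any host with no agent, stopped agent services, or no answer at all. It also checks outbound TCP 443 to two of the Entra endpoints the agents depend on; that list is deliberately partial and the current full list should be taken from Microsoft's documentation.

```powershell
# Added example (not from the original page): audit Connect Health agent coverage
# across a hybrid-identity estate and flag blind spots.
# Assumptions: run on a domain-joined admin host with the ActiveDirectory RSAT
# module; WinRM reachable on every target; agent service display names contain
# "Connect Health"; the server names below are placeholders for your own.
Import-Module ActiveDirectory

$EntraConnectServers = @('SYNC01')                    # placeholder: your Entra Connect server(s)
$AdfsServers         = @('ADFS01', 'ADFS02', 'WAP01') # placeholder: farm members and WAPs
$DomainControllers   = (Get-ADDomainController -Filter *).HostName

function Get-ConnectHealthAgentState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Role
    )
    $state = [ordered]@{
        ComputerName = $ComputerName; Role = $Role
        Installed = $false; Running = 0; Stopped = 0; Error = $null
    }
    try {
        # Query the remote host rather than Get-Service -ComputerName so the
        # same script works on Windows PowerShell 5.1 and PowerShell 7.
        $svcs = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            Get-Service -DisplayName '*Connect Health*' | Select-Object Name, Status
        }
        $state.Installed = ($svcs | Measure-Object).Count -gt 0
        $state.Running   = @($svcs | Where-Object Status -eq 'Running').Count
        $state.Stopped   = @($svcs | Where-Object Status -ne 'Running').Count
    } catch {
        # Unreachable host or remoting failure is itself a gap worth seeing.
        $state.Error = $_.Exception.Message
    }
    [pscustomobject]$state
}

function Test-ConnectHealthEgress {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Partial list of endpoints the agents need on TCP 443; assumption, check
    # Microsoft's current documentation for the complete set.
    $endpoints = @('login.microsoftonline.com', 'management.azure.com')
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ArgumentList (,$endpoints) -ScriptBlock {
        param($targets)
        foreach ($t in $targets) {
            [pscustomobject]@{
                Endpoint  = $t
                Reachable = (Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
            }
        }
    }
}

$report = @()
$report += $EntraConnectServers | ForEach-Object { Get-ConnectHealthAgentState -ComputerName $_ -Role 'EntraConnect' }
$report += $AdfsServers         | ForEach-Object { Get-ConnectHealthAgentState -ComputerName $_ -Role 'ADFS' }
$report += $DomainControllers   | ForEach-Object { Get-ConnectHealthAgentState -ComputerName $_ -Role 'ADDS' }

$report | Format-Table ComputerName, Role, Installed, Running, Stopped, Error -AutoSize

# Blind spots: no agent, agent present but a service is not running, or the host didn't answer.
$gaps = $report | Where-Object { -not $_.Installed -or $_.Stopped -gt 0 -or $_.Error }
if ($gaps) {
    Write-Warning "Connect Health coverage gaps on $(@($gaps).Count) server(s)."
    foreach ($g in $gaps | Where-Object { -not $_.Error }) {
        # For hosts we can reach, show whether the agent could even talk to Azure.
        Write-Host "Egress check for $($g.ComputerName):"
        Test-ConnectHealthEgress -ComputerName $g.ComputerName | Format-Table Endpoint, Reachable -AutoSize
    }
} else {
    Write-Host 'Every listed server has a running Connect Health agent.'
}
```

Run it from a host that can reach every server over WinRM and keep the hand-maintained server lists alongside your change records for the AD FS farm; the domain controller list is discovered live, so a newly promoted DC without an agent shows up on the next run without anyone having to remember to add it.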
For hybrid-identity tenants, Connect Health is the cheap insurance that prevents identity-side outages from being the first thing IT hears about on a Monday morning.