Forum Discussion
How can I monitor Entra Connect Health Sync?
To monitor Entra Connect Health Sync events and receive more granular or instant notifications (especially for sync failures, or issues with Self-Service Password Reset (SSPR)), there are several approaches you can take beyond the summary emails provided by the Microsoft Entra portal. Here's how you can set up more detailed monitoring and alerts:
2. Integrating with Azure Monitor
To enhance the alerting process, integrate Entra Connect Health with Azure Monitor to get more granular control over notifications:
- Set up Azure Monitor Logs: Entra Connect Health sends logs to Azure Monitor, which you can use to set up detailed alerts based on various sync events.
- Go to Azure Portal > Monitor > Logs.
- Use the Log Analytics workspace where Entra Connect sends its telemetry data.
- You can query the logs using Kusto Query Language (KQL) to filter sync issues and failures related to SSPR and other sync operations.
```kusto
AzureADSyncError
| where TimeGenerated > ago(1h)
| where ErrorCode == "sync_error"
```
- Create an Alert Rule in Azure Monitor based on the results of your queries. These alerts can notify you via email, SMS, or through a Webhook to take actions such as invoking a Power Automate flow or triggering an Azure Function.
3. Using PowerShell for More Custom Alerts
If you want more customized monitoring and alerts outside of Azure Monitor, you can use PowerShell scripts to monitor Entra Connect Health and trigger alerts when specific failures occur:
- Using PowerShell to Check Sync Status: The Get-ADSyncRunProfile cmdlet can be used to monitor sync activities. Combine this with a scheduled task to periodically check the sync status and send alerts.
- Example PowerShell script to check sync status and send an email alert:
```powershell
# Get-ADSyncRunProfileResult reports each run's outcome (Result is "success" when clean);
# Get-ADSyncRunProfile only lists the configured profiles and has no status field.
$LatestRun = Get-ADSyncRunProfileResult | Sort-Object StartDate -Descending | Select-Object -First 1
if ($LatestRun.Result -ne "success") {
    Send-MailMessage -To "email address removed for privacy reasons" -From "email address removed for privacy reasons" `
        -Subject "Entra Connect Sync Failure" -Body "There was a failure in the Entra Connect Sync process." -SmtpServer "smtp.domain.com"
}
```
- Automate PowerShell with Task Scheduler: Use Windows Task Scheduler to run the PowerShell script at regular intervals (e.g., every 5 or 10 minutes) to detect any sync issues and send an email immediately.
4. Integrating with Microsoft Teams (Optional)
You can set up more immediate notification methods by integrating with Microsoft Teams:
- Set up an Azure Monitor alert to send notifications directly to a Microsoft Teams channel when a sync failure occurs.
- Use a Webhook from Azure Monitor to post alerts into your Teams channel or use Power Automate to trigger actions when a failure occurs, such as sending an instant Teams notification.
5. Review and Set Up Advanced Alerting for SSPR Issues
If you're particularly concerned about SSPR (Self-Service Password Reset) failures, ensure you're specifically monitoring for those events within Entra Connect Health:
- In the Azure AD portal, ensure SSPR logs are being captured and that you're monitoring those events.
- You can set up separate alerts for SSPR failures within Azure AD logs to be more proactive in identifying any disruptions.
- Go to Azure AD > Security > Monitoring > Audit logs > Filter by event category for SSPR.
- Set up an Azure Monitor Alert to get notifications when a significant number of failures are recorded.
6. Using a Third-Party SIEM Tool
If you're looking for a more robust and centralized monitoring solution, consider integrating Entra Connect Health with a SIEM (Security Information and Event Management) tool like Splunk or SentinelOne. These tools can give you greater control over log management, failure detection, and alerting.
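Building on the scheduled check in section 3 and the webhook idea in section 4, here is an added example that is not part of the original post: it reads each run's outcome with Get-ADSyncRunProfileResult, reports any run in the last 30 minutes that did not end in success to a webhook, and can register itself as a 10-minute scheduled task. The webhook URL is a placeholder, and the plain `text` JSON payload is assumed to match what the receiving webhook accepts.

```powershell
# Added example (not from the original post): poll Entra Connect run results
# and post failures to a webhook. Assumes the ADSync module on the Entra
# Connect server; the webhook URL is a placeholder.
param([switch]$Register)   # run once with -Register to create the scheduled task

Import-Module ADSync

$WebhookUrl      = 'https://example.invalid/teams-webhook-placeholder'  # placeholder
$LookbackMinutes = 30   # a little longer than the task interval, so no run is missed

function Get-FailedSyncRuns {
    param([int]$Minutes)
    $since = (Get-Date).AddMinutes(-$Minutes)
    # Get-ADSyncRunProfileResult returns one object per run; Result is 'success'
    # for a clean run and e.g. 'completed-export-errors' otherwise.
    Get-ADSyncRunProfileResult |
        Where-Object { $_.StartDate -ge $since -and $_.Result -ne 'success' } |
        Select-Object ConnectorName, RunProfileName, RunNumber, Result, StartDate
}

function New-AlertBody {
    param($Failures)
    $lines = $Failures | ForEach-Object {
        "- $($_.ConnectorName) / $($_.RunProfileName) run $($_.RunNumber): $($_.Result) ($($_.StartDate))"
    }
    # Simple 'text' payload, assumed to match the receiving (Teams-style) incoming webhook
    @{ text = "Entra Connect sync failures on $env:COMPUTERNAME`n" + ($lines -join "`n") } |
        ConvertTo-Json -Compress
}

if ($Register) {
    # Windows Task Scheduler: run this script every 10 minutes with elevated rights.
    # Registers under the current account; add -User/-Principal for unattended runs.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 10)
    Register-ScheduledTask -TaskName 'EntraConnectSyncMonitor' -Action $action -Trigger $trigger -RunLevel Highest
    return
}

$failures = @(Get-FailedSyncRuns -Minutes $LookbackMinutes)
if ($failures.Count -gt 0) {
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' -Body (New-AlertBody $failures)
    Write-Warning "$($failures.Count) failed sync run(s) reported"
}
```

Run the script once with -Register on the Entra Connect server; each scheduled run then exits silently when every recent run profile ended in success.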