
Microsoft Entra Connect Monitoring Extension
More Performance, Control, and Security
Microsoft Entra Connect Monitoring
Entra Connect (formerly Azure AD Connect) is per se a very sound and reliable solution for ID synchronization between on-prem and cloud applications. However, as with every complex and sensitive system, there is room for failure. Entra Connect Health already provides a lot of information for troubleshooting Entra Connect issues, especially in large and distributed environments.

What is Microsoft Entra Connect?
Entra Connect synchronizes the identity data between the local on-premises Active Directory and the cloud-based Entra ID (Azure AD). Users can access on-premises applications and cloud services, such as Microsoft 365, using the same common identity credentials.
Entra Connect is a great relief for IT admins. They do not have to double provision users in on-premise and cloud environments, which could easily cause issues jeopardizing productivity and security.

Monitoring Helps
Monitoring Entra Connect (formerly Azure AD Connect) is crucial for ensuring seamless identity synchronization between on-premises Active Directory and Microsoft Entra ID (Azure AD). It helps detect sync failures, password replication issues, and connectivity problems before they disrupt user access.
Proactive monitoring ensures smooth authentication processes, prevents login issues, and enhances security by identifying anomalies in sync behavior. Additionally, it supports compliance by providing visibility into directory synchronization health.
By keeping Entra Connect running optimally, organizations can maintain secure and reliable access to cloud and hybrid environments.

Entra Connect Monitoring by NiCE
Service Principals
What are Azure Enterprise Applications and Service Principals?
Azure Enterprise Applications are apps registered via Entra (Azure Active Directory), an Identity and Access Management (IAM) system, to provide secure and orchestrated access. Upon app registration in Entra, a service principal, representing a blueprint of the application object, is created. The service principal now represents the local application instance in your tenant or directory, deriving from a global application. As the authorization endpoint, the service principal defines what the application can do in target directories, who can use it, what resources it can access, and so on.
How do they affect your work?
As an IT admin, you want to know whether there are any unsecured apps in your tenant that need securing. You also want to know for which app registrations the application secrets will expire. Preventing the visibility of confidential app registrations will prevent security breaches. If the application secrets expire, none of your users can reach the app, and the app itself will stop operating. Imagine a crucial company-wide app going down and all services stopping, with your only clue being an end-user support storm that points to no objective source.
Why you should monitor Service Principals
Monitoring Service Principals of Azure Enterprise Applications helps you keep track of upcoming application secret expiries and check for application compliance. The centralized monitoring of all service principals in a specific tenant is a big advantage in mapping and meeting security policies.
Profiles
Keep track of Profile Syncs that have different time stamps on both systems.
The NiCE Management Pack automatically detects and alerts you on profiles that are not in sync.
Knowing about such details allows for direct issue resolution, and prevents user complaints.
Profile Export
Entra Connect Export information details per profile are helpful to understand if Entra reaches a corrupt state on the Entra Connect site.
Understand Entra Connect Export changes per Profile, such as Adds, Updates, Renames, Deletes, Delete Adds, and Failures.
Stage Failures
A server in staging mode allows you to make changes to the configuration and preview them. It also allows verification of the running of full import and full synchronization before you go into production mode again. Monitoring for Entra Connect stage failures helps you roll out changes faster and more securely.
Export Failures
Errors may happen during any export. These range from data mismatch errors, duplicate attributes, data validation failures, deletion access violations, password access violation errors, and large objects or exceeded allowed length to existing admin role conflicts.
The NiCE Management Pack helps you keep track of any Entra Connect Profile Export Failures by mapping them into SCOM. You can drill down deeper for advanced problem resolution with a right-click on the alert.
Connector Export
Identifying Entra export details per connector is helpful in understanding if Entra reaches a corrupt state on the Entra Connect site.
The Management Pack traces and graphs out Entra Connect export details per Connector, such as Export Adds, Export Updates, Export Deletes, and the total number of objects synced.
Import Stage Details
When importing Entra Connect data, there are several change options you want to keep track of. The NiCE Management Pack provides complete insights into Import Stage details such as No Change, Adds, Updates, Renames, Deletes, Delete Adds, and Failures.
Details per Run Profile
Entra Connect Run-Profiles define how to update the data (Full/Delta Import/Sync, and Export). It is, therefore, important to monitor the health and status of Run-Profiles.
Using the Management Pack, you will get graphs on:
Last status per Run-Profile
Last run duration per Run-Profile in seconds
Run-Profiles In Sync
Flow failure per Run-Profile
Embedded Admin Tasks
To ease the everyday lives of Entra Connect administrators, the Management Pack has a pre-set Entra Connect Task to Enable and Disable Firewall Rules for Windows Remote Management.

Seed
State View for AD Connect Seed Computers
Seed Computers are used to discover AD Connect Servers. The AD Connect Seed Computers view visualizes their health state. This helps you to make sure no servers are missed for monitoring.

Server
State View for Entra Connect Servers
Entra Connect Servers represent the several parties of your ID synchronization. The Entra Connect server state view helps you understand the health of your multi-forest environment at a glance.

Sync
State View for Entra Connect Sync Service
The Entra Connect Sync Service performs the basic operation of synchronizing data as configured in the Connectors in use. This view provides insight into which services are running fine and which are encountering problems.

Connector
State View for Entra Connect Connectors
Entra Connectors are a directory gateway for redirecting requests between the connected parties.
The Connectors State View lets you see any Connector anomalies right on the spot.

Profile
State View for Entra Connect Run Profiles
Entra Connect Run Profiles are available as Full Import, Full Synchronization, Delta Import, Delta Synchronization, and Export. This State View helps you understand which Run Profiles are healthy, and which may have issues.
Entra Connect State Views
Entra Connect architecture consists of various objects and services such as seed computers, servers, synchronization services, connectors, and more. The NiCE Active Management Pack for Entra Connect checks and visualizes the state of these various objects and services as Entra Connect State Views.