[AzureADDS] Service principal alerts updates

Author: iainfoulds

articles/active-directory-domain-services/alert-service-principal.md

@@ -1,115 +1,109 @@
 ---
-title: 'Azure Active Directory Domain Services: Troubleshoot service principals | Microsoft Docs'
-description: Troubleshooting Service Principal configuration for Azure AD Domain Services
+title: Resolve service principal alerts in Azure AD Domain Services | Microsoft Docs
+description: Learn how to troubleshoot service principal configuration alerts for Azure Active Directory Domain Services
 services: active-directory-ds
-documentationcenter: ''
 author: iainfoulds
-manager:
-editor:
+manager: daveba
 
 ms.assetid: f168870c-b43a-4dd6-a13f-5cfadc5edf2c
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
-ms.tgt_pltfrm: na
-ms.devlang: na
-ms.topic: conceptual
-ms.date: 05/14/2019
+ms.topic: troubleshooting
+ms.date: 09/20/2019
 ms.author: iainfou
 
 ---
-# Troubleshoot invalid service principal configurations for Azure Active Directory Domain Services
+# Known issues: Service principal alerts in Azure Active Directory Domain Services
 
-This article helps you troubleshoot and resolve service principal-related configuration errors that result in the following alert message:
+[Service principals](../active-directory/develop/app-objects-and-service-principals.md) are applications that the Azure platform uses to manage, update, and maintain an Azure AD DS managed domain. If a service principal is deleted, functionality in the Azure AD DS managed domain is impacted.
 
-## Alert AADDS102: Service Principal not found
+This article helps you troubleshoot and resolve service principal-related configuration alerts.
 
-**Alert message:** *A Service Principal required for Azure AD Domain Services to function properly has been deleted from your Azure AD directory. This configuration impacts Microsoft's ability to monitor, manage, patch, and synchronize your managed domain.*
+## Alert AADDS102: Service principal not found
 
-[Service principals](../active-directory/develop/app-objects-and-service-principals.md) are applications that Microsoft uses to manage, update, and maintain your managed domain. If they are deleted, it breaks Microsoft's ability to service your domain.
+**Alert message**
+*A Service Principal required for Azure AD Domain Services to function properly has been deleted from your Azure AD directory. This configuration impacts Microsoft's ability to monitor, manage, patch, and synchronize your managed domain.*
 
+If a required service principal is deleted, the Azure platform can't perform automated management tasks. The Azure AD DS managed domain may not correctly apply updates or take backups.
 
-## Check for missing service principals
-Use the following steps to determine which service principals need to be recreated:
+### Check for missing service principals
 
-1. Navigate to the [Enterprise Applications - All Applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps) page in the Azure portal.
-2. In the **Show** dropdown, select **All Applications** and click **Apply**.
-3. Using the following table, search for each application ID by pasting the ID into the search box and pressing enter. If the search results are empty, you must recreate the service principal by following the steps in the "resolution" column.
+To check which service principal is missing and needs to be recreated, complete the following steps:
 
-| Application ID | Resolution |
-| :--- | :--- |
-| 2565bd9d-da50-47d4-8b85-4c97f669dc36 | [Recreate a missing service principal with PowerShell](#recreate-a-missing-service-principal-with-powershell) |
-| 443155a6-77f3-45e3-882b-22b3a8d431fb | [Re-register to the Microsoft.AAD namespace](#re-register-to-the-microsoft-aad-namespace-using-the-azure-portal) |
-| abba844e-bc0e-44b0-947a-dc74e5d09022  | [Re-register to the Microsoft.AAD namespace](#re-register-to-the-microsoft-aad-namespace-using-the-azure-portal) |
-| d87dcbc6-a371-462e-88e3-28ad15ec4e64 | [Re-register to the Microsoft.AAD namespace](#re-register-to-the-microsoft-aad-namespace-using-the-azure-portal) |
+1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.
+1. Select **Enterprise applications**. Choose *All applications* from the **Application Type** drop-down menu, then select **Apply**.
+1. Search for each of the application IDs. If no existing application is found, follow the *Resolution* steps to create the service principal or re-register the namespace.
 
-## Recreate a missing Service Principal with PowerShell
-Follow these steps if a service principal with the ID ```2565bd9d-da50-47d4-8b85-4c97f669dc36``` is missing from your Azure AD directory.
+    | Application ID | Resolution |
+    | :--- | :--- |
+    | 2565bd9d-da50-47d4-8b85-4c97f669dc36 | [Recreate a missing service principal](#recreate-a-missing-service-principal) |
+    | 443155a6-77f3-45e3-882b-22b3a8d431fb | [Re-register the Microsoft.AAD namespace](#re-register-to-the-microsoft-aad-namespace) |
+    | abba844e-bc0e-44b0-947a-dc74e5d09022 | [Re-register the Microsoft.AAD namespace](#re-register-to-the-microsoft-aad-namespace) |
+    | d87dcbc6-a371-462e-88e3-28ad15ec4e64 | [Re-register the Microsoft.AAD namespace](#re-register-to-the-microsoft-aad-namespace) |
 
-**Resolution:**
-You need Azure AD PowerShell to complete these steps. For information on installing Azure AD PowerShell, see [this article](https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?view=azureadps-2.0.).
+### Recreate a missing Service Principal
 
-To address this issue, type the following commands in a PowerShell window:
-1. Install the Azure AD PowerShell module and import it.
+If application ID *2565bd9d-da50-47d4-8b85-4c97f669dc36* is missing from your Azure AD directory, use Azure AD PowerShell to complete the following steps. For more information, see [install Azure AD PowerShell](/powershell/azure/active-directory/install-adv2).
+
+1. Install the Azure AD PowerShell module and import it as follows:
 
     ```powershell
     Install-Module AzureAD
     Import-Module AzureAD
     ```
 
-2. Check whether the service principal required for Azure AD Domain Services is missing in your directory by executing the following PowerShell command:
-
-    ```powershell
-    Get-AzureAdServicePrincipal -filter "AppId eq '2565bd9d-da50-47d4-8b85-4c97f669dc36'"
-    ```
-
-3. Create the service principal by typing the following PowerShell command:
+1. Now recreate the service principal using the [New-AzureAdServicePrincipal][New-AzureAdServicePrincipal] cmdlet:
 
     ```powershell
     New-AzureAdServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
     ```
 
-4. After you have created the missing service principal, wait two hours and check your managed domain's health.
+The Azure AD DS managed domain's health automatically updates itself within two hours and removes the alert.
 
+## Re-register the Microsoft AAD namespace
 
-## Re-register to the Microsoft AAD namespace using the Azure portal
-Follow these steps if a service principal with the ID ```443155a6-77f3-45e3-882b-22b3a8d431fb``` or ```abba844e-bc0e-44b0-947a-dc74e5d09022``` or ```d87dcbc6-a371-462e-88e3-28ad15ec4e64``` is missing from your Azure AD directory.
+If application ID *443155a6-77f3-45e3-882b-22b3a8d431fb*, *abba844e-bc0e-44b0-947a-dc74e5d09022*, or *d87dcbc6-a371-462e-88e3-28ad15ec4e64* is missing from your Azure AD directory, complete the following steps to re-register the *Microsoft.AAD* resource provider:
 
-**Resolution:**
-Use the following steps to restore Domain Services on your directory:
-
-1. Navigate to the [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) page in the Azure portal.
-2. Choose the subscription from the table that is associated with your managed domain
-3. Using the left-hand navigation, choose **Resource Providers**
-4. Search for "Microsoft.AAD" in the table and click **Re-register**
-5. To ensure the alert is resolved, view the health page for your managed domain in two hours.
+1. In the Azure portal, search for and select **Subscriptions**.
+1. Choose the subscription associated with your Azure AD DS managed domain.
+1. From the left-hand navigation, choose **Resource Providers**.
+1. Search for *Microsoft.AAD*, then select **Re-register**.
 
+The Azure AD DS managed domain's health automatically updates itself within two hours and removes the alert.
 
 ## Alert AADDS105: Password synchronization application is out of date
 
-**Alert message:** The service principal with the application ID “d87dcbc6-a371-462e-88e3-28ad15ec4e64” was deleted and then recreated. The recreation leaves behind inconsistent permissions on Azure AD Domain Services resources needed to service your managed domain. Synchronization of passwords on your managed domain could be affected.
+**Alert message**
+*The service principal with the application ID “d87dcbc6-a371-462e-88e3-28ad15ec4e64” was deleted and then recreated. The recreation leaves behind inconsistent permissions on Azure AD Domain Services resources needed to service your managed domain. Synchronization of passwords on your managed domain could be affected.*
+
+Azure AD DS automatically synchronizes user accounts and credentials from Azure AD. If there's a problem with the Azure AD application used for this process, credential synchronization between Azure AD DS and Azure AD fails.
 
+**Resolution**
 
-**Resolution:**
-You need Azure AD PowerShell to complete these steps. For information on installing Azure AD PowerShell, see [this article](https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?view=azureadps-2.0.).
+To recreate the Azure AD application used for credential synchronization, use Azure AD PowerShell to complete the following steps. For more information, see [install Azure AD PowerShell](/powershell/azure/active-directory/install-adv2).
 
-To address this issue, type the following commands in a PowerShell window:
-1. Install the Azure AD PowerShell module and import it.
+1. Install the Azure AD PowerShell module and import it as follows:
 
     ```powershell
     Install-Module AzureAD
     Import-Module AzureAD
     ```
-2. Delete the old application and object using the following PowerShell commands
+
+2. Now delete the old application and object using the following PowerShell cmdlets:
 
     ```powershell
     $app = Get-AzureADApplication -Filter "IdentifierUris eq 'https://sync.aaddc.activedirectory.windowsazure.com'"
     Remove-AzureADApplication -ObjectId $app.ObjectId
     $spObject = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Azure AD Domain Services Sync'"
     Remove-AzureADServicePrincipal -ObjectId $app.ObjectId
     ```
-3. After you have deleted both, the system will remediate itself and recreate the applications needed for password synchronization. To ensure the alert has been remediated, wait two hours and check your domain's health.
 
+After you delete both applications, the Azure platform automatically recreates them and tries to resume password synchronization. The Azure AD DS managed domain's health automatically updates itself within two hours and removes the alert.
+
+## Next steps
+
+If you still have issues, [open an Azure support request][azure-support] for additional troubleshooting assistance.
 
-## Contact Us
-Contact the Azure Active Directory Domain Services product team to [share feedback or for support](contact-us.md).
+<!-- INTERNAL LINKS -->
+[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md