ADFS 3.0 Security Audit Log Event IDs
Event ID 324:
The Federation Service could not authorize token issuance for caller ‘defined’ to relying party ‘defined’.
Event ID 411:
Token validation failed. See inner exception for more details.
Event ID 413:
An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.
Event ID 500:
More information for the event entry with Instance ‘Error’. There may be more events with the same Instance ID with more information.
Event ID 501:
More information for the event entry with Instance ‘Error’.
There may be more events with the same Instance ID with more information.
Other common event IDs such as error 364 or error 342 only show that a single user is trying to authenticate to ADFS with an incorrect username or password, so they are not critical at the ADFS service level.
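The following PowerShell script is an added example (it is not part of the original note) that pulls the event IDs listed above from the last 24 hours, separates the service-level IDs (324, 411, 413, 500, 501) from the per-user noise (342, 364), and cross-references a 413 with the 500/501 detail events that share its Activity ID. It assumes it runs on the ADFS server with rights to read both the Security log and the AD FS/Admin log, that ADFS auditing is enabled so the "AD FS Auditing" provider writes to the Security log, and that the Activity ID is exposed in the event's correlation property; the log each ID lands in can differ between builds, so both logs are queried.

```powershell
# Added example, not from the original page. Assumptions: run on the ADFS
# server with read access to the Security and 'AD FS/Admin' logs, and
# auditing enabled so 'AD FS Auditing' events reach the Security log.
$Since       = (Get-Date).AddHours(-24)
$CriticalIds = 324, 411, 413, 500, 501     # service-level IDs from the list above
$NoiseIds    = 342, 364                    # one user with bad credentials, not service-level
$AllIds      = $CriticalIds + $NoiseIds

# Query both logs; which log a given ID lands in varies, so check both.
$filters = @(
    @{ LogName = 'AD FS/Admin'; StartTime = $Since; Id = $AllIds },
    @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = $Since; Id = $AllIds }
)
$events = foreach ($f in $filters) {
    # SilentlyContinue: "No events were found" is not an error for this check
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

# Summary: how many of each ID, tagged as user-level or service-level
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    $kind = if ([int]$_.Name -in $NoiseIds) { 'user-level' } else { 'service-level' }
    '{0,5}  {1,-13} {2,5} event(s)' -f $_.Name, $kind, $_.Count
}

# Cross-reference: for every Activity ID that carries a 413, list the
# 500/501 (and any other) events that share it, oldest first. Assumption:
# the Activity ID is populated in the event's correlation property.
$byActivity = $events | Where-Object { $_.ActivityId } | Group-Object ActivityId
foreach ($g in $byActivity) {
    $ids = $g.Group.Id | Sort-Object -Unique
    if ($ids -contains 413) {
        "Activity $($g.Name): events $($ids -join ', ')"
        $g.Group | Sort-Object TimeCreated | ForEach-Object {
            '    [{0}] {1}: {2}' -f $_.TimeCreated, $_.Id, (($_.Message -split "`n")[0])
        }
    }
}

# Alert condition: any service-level event in the window
$serviceLevel = @($events | Where-Object { $_.Id -in $CriticalIds })
if ($serviceLevel.Count -gt 0) {
    Write-Warning ("{0} service-level ADFS error event(s) since {1}" -f $serviceLevel.Count, $Since)
}
```

Run it from a scheduled task or your monitoring agent and alert on the warning line; the 342/364 counts are printed separately on purpose, so a sudden surge in failed-credential events stays visible without being treated as a service outage.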
On the service side, we can monitor the ADFS Windows services on the ADFS server and on the WAP server (if one is deployed).
For ADFS health monitoring, we can also probe this endpoint and ensure it returns an HTTP 200 status code:
https://<your federation service FQDN>/adfs/ls/idpinitiatedsignon.aspx
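The script below is an added example (not the original note's code) that performs both checks from the previous two points: it verifies the ADFS and Web Application Proxy Windows services and then probes the IdP-initiated sign-on page for an HTTP 200. It assumes the service names adfssrv (Active Directory Federation Services) and appproxysvc (Web Application Proxy Service), that the same script is run on each ADFS and WAP host (services not installed on a host are skipped), and that $Fqdn is replaced with your federation service name; the default value is a placeholder.

```powershell
# Added example, not from the original page. Assumptions: service names
# adfssrv (ADFS) and appproxysvc (WAP); run on each ADFS/WAP host.
param(
    [string]$Fqdn = 'sts.example.com'   # placeholder, replace with your federation service FQDN
)

$exitCode = 0

# 1. Windows services: adfssrv on ADFS hosts, appproxysvc on WAP hosts
$services = 'adfssrv', 'appproxysvc'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        "$name : not installed on this host (skipped)"
        continue
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "$name is $($svc.Status)"
        $exitCode = 1
    } else {
        "$name : Running"
    }
}

# 2. Health endpoint: the IdP-initiated sign-on page must answer HTTP 200
$url = "https://$Fqdn/adfs/ls/idpinitiatedsignon.aspx"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    if ($resp.StatusCode -eq 200) {
        "$url : HTTP 200 OK"
    } else {
        Write-Warning "$url returned HTTP $($resp.StatusCode)"
        $exitCode = 1
    }
} catch {
    # Non-2xx responses, DNS, connection and TLS failures all land here
    Write-Warning "$url : $($_.Exception.Message)"
    $exitCode = 1
}

exit $exitCode
```

A non-zero exit code makes the script usable directly as a monitoring probe. One caveat: on ADFS 2016 and later the IdP-initiated sign-on page is disabled by default, so on those versions this probe returns a non-200 unless the page is enabled with `Set-AdfsProperties -EnableIdpInitiatedSignonPage $true`; on ADFS 3.0, which this note covers, it is available out of the box.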