
ENTRA000 - Failed to Connect to Microsoft Graph

Agent error code #ENTRA000 indicates that the agent could not reach Microsoft Graph at https://graph.microsoft.com. The request failed before any authentication or Named Location operation could take place.

This error is distinct from authentication failures (#ENTRA001), authorization failures (#ENTRA002), TLS errors (#ENTRA003), and timeouts (#ENTRA004). It indicates a general connectivity failure such as connection refused or DNS resolution failure.

Common causes include:

  • The agent host cannot resolve graph.microsoft.com or login.microsoftonline.com
  • An outbound proxy or egress firewall is blocking traffic to Microsoft's public API endpoints
  • The agent host has no route to the internet
  • A transient outage at Microsoft (check the Microsoft 365 Status page)

Steps to Resolve

Test Connectivity From the Agent Host

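  1. From the host running the Knocknoc agent, run: curl -v 'https://graph.microsoft.com/v1.0/$metadata' (keep the single quotes; without them the shell expands $metadata to an empty string and a different URL is requested)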
  2. The expected response is HTTP 200 with an OData metadata document
  3. If the command fails with a connection refused or DNS error, fix the underlying network issue before retrying in Knocknoc

Allow Outbound Traffic to Microsoft

The agent needs HTTPS (TCP 443) access to:

  • login.microsoftonline.com (token endpoint)
  • graph.microsoft.com (Named Location API)

Microsoft publishes the full IP range list at Office 365 IP Address and URL web service. For the smallest set of allowlist entries, the Common entries with ID 56 (Microsoft Graph) and ID 125 (Login services) are sufficient for Knocknoc.

Configure a Proxy

If the agent host must reach the internet via a forward proxy, set HTTPS_PROXY in the agent's environment so the Go HTTP client picks it up. For full setup, see the Microsoft Entra ID setup guide.
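
The connectivity test and proxy setting described above can be checked together with a small script. This is an added example, not part of Knocknoc or its agent; the function names classify_curl_exit and probe are hypothetical, and the cause labels are this example's own wording mapped from curl's documented exit codes.

```shell
#!/usr/bin/env bash
# Added example (not Knocknoc code): probe the two endpoints the agent needs
# and translate curl's exit code into a likely cause.

# Map a curl exit code to a cause label (labels are this example's own).
classify_curl_exit() {
  case "$1" in
    0)     echo "reachable" ;;
    5)     echo "proxy-dns-failure" ;;  # the HTTPS_PROXY host does not resolve
    6)     echo "dns-failure" ;;        # the target host does not resolve
    7)     echo "connect-failure" ;;    # refused, no route, or blocked egress
    28)    echo "timeout" ;;            # the page lists timeouts separately
    35|60) echo "tls-failure" ;;        # handshake or certificate verification
    *)     echo "other-curl-error-$1" ;;
  esac
}

# Probe one URL. Prints the URL, HTTP status, the IP curl connected to
# (the proxy's IP when HTTPS_PROXY is in effect) and the cause label.
probe() {
  local url="$1" out rc=0
  out=$(curl -s -o /dev/null -w '%{http_code} %{remote_ip}' \
             --connect-timeout 5 --max-time 15 "$url" 2>/dev/null) || rc=$?
  printf '%s -> %s [%s]\n' "$url" "${out:-000}" "$(classify_curl_exit "$rc")"
  return "$rc"
}

# Run the probes only on request, so sourcing the file has no side effects.
if [ "${1:-}" = "--probe" ]; then
  # curl reads HTTPS_PROXY from the environment, as the agent is expected to.
  echo "HTTPS_PROXY=${HTTPS_PROXY:-<unset>}"
  # Single quotes stop the shell from expanding $metadata.
  probe 'https://graph.microsoft.com/v1.0/$metadata' || true
  probe 'https://login.microsoftonline.com/' || true
fi
```

Run it with --probe as the same user and with the same environment as the agent, so the HTTPS_PROXY value it sees matches what the agent sees.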

Still Having Issues?

We can help you out. Contact us at support@knocknoc.io.