ENTRA001 - Microsoft Entra Authentication Failed

Agent error code #ENTRA001 indicates that the Microsoft identity platform rejected the credentials provided by the agent during the client-credentials token request. The login endpoint returned an invalid_client or equivalent error.

This error is distinct from authorization failures (#ENTRA002), which occur when the credentials are valid but the app registration lacks the required Microsoft Graph permission. Error #ENTRA001 means the Tenant ID, Client ID, or Client Secret itself was not accepted.

Common causes include:

  • The Tenant ID, Client ID, or Client Secret in the Knocknoc backend has a typo or trailing whitespace
  • The Client Secret has expired (Entra ID secrets have a maximum lifetime of two years)
  • The Client Secret was rotated in Entra ID and the Knocknoc backend was not updated
  • The app registration was deleted or moved to a different tenant
  • The Client Secret value was confused with the Secret ID (the latter is a GUID, not the credential itself)

Steps to Resolve

Verify the Three IDs in Knocknoc

  1. In the Knocknoc admin interface, open the backend configuration for the affected Entra Knoc
  2. Re-enter the Tenant ID, Client ID, and Client Secret from the Entra ID app registration
  3. Confirm the Client Secret is the long opaque value, not the short Secret ID GUID
  4. Save and wait for the next grant operation

For the full app-registration setup, see the Microsoft Entra ID setup guide.
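
A pre-flight check for the three values, as an added example that is not part of Knocknoc or its documentation: it flags stray whitespace and a Secret ID pasted in place of the secret Value, and maps the Entra STS error numbers found in a token-endpoint error response to the causes listed above. It assumes the Tenant ID and Client ID are the GUIDs shown on the app registration's Overview page; the function names and sample values are constructed for illustration.

```python
import re

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Entra STS error numbers (the "error_codes" array in a token-endpoint error
# body) mapped to the causes this page lists.
AADSTS_CAUSES = {
    7000215: "Client Secret rejected: wrong value, rotated, or the Secret ID was pasted",
    7000222: "Client Secret has expired",
    700016: "Client ID not found in this tenant: app deleted, moved, or mistyped",
    90002: "Tenant ID not found: mistyped or wrong tenant",
}


def lint_credentials(tenant_id, client_id, client_secret):
    """Return problems that can be detected without contacting Entra."""
    fields = {"Tenant ID": tenant_id, "Client ID": client_id,
              "Client Secret": client_secret}
    problems = []
    for name, value in fields.items():
        if value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")
    # Assumption: both IDs are the GUIDs from the app registration overview.
    for name in ("Tenant ID", "Client ID"):
        if not GUID.fullmatch(fields[name].strip()):
            problems.append(f"{name} is not a GUID")
    # The secret Value is a long opaque string; the Secret ID is a GUID.
    if GUID.fullmatch(client_secret.strip()):
        problems.append(
            "Client Secret is a GUID: this looks like the Secret ID, not the Value")
    return problems


def explain_token_error(response):
    """Map a parsed token-endpoint error body (dict) to likely causes."""
    codes = response.get("error_codes", [])
    causes = [AADSTS_CAUSES[c] for c in codes if c in AADSTS_CAUSES]
    return causes or [f"Unmapped error: {response.get('error', 'unknown')}"]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(lint_credentials("11111111-2222-3333-4444-555555555555 ",
                           "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                           "99999999-8888-7777-6666-555555555555"))
    print(explain_token_error({"error": "invalid_client",
                               "error_codes": [7000222]}))
```

Run the lint on the values before saving them in the Knocknoc backend; a clean lint does not prove the secret is current, so the expiry check below still applies.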

Check the Client Secret Expiry

  1. In the Azure portal, navigate to Microsoft Entra ID > App registrations and open the Knocknoc app
  2. Click Certificates & secrets
  3. In the Client secrets table, confirm the secret used by Knocknoc has not expired

Rotate the Client Secret

If the existing secret cannot be verified or has expired:

  1. In the same Certificates & secrets blade, click + New client secret
  2. Give it a description, choose an expiry, and click Add
  3. Copy the Value (not the Secret ID) immediately. Entra only shows it once
  4. Update the Client Secret in the Knocknoc backend configuration

Still Having Issues?

We can help you out. Contact us at support@knocknoc.io.