ENTRA002 - Microsoft Entra Authorization Failed
Agent error code #ENTRA002 indicates that the agent authenticated to Entra ID successfully but Microsoft Graph rejected the Named Location request with HTTP 403 Forbidden. The app registration is missing the application permission required to read and write Conditional Access policies.
This error is distinct from authentication failures (#ENTRA001), which occur when the credentials themselves are rejected. Error #ENTRA002 means the credentials are valid but the app registration lacks the Policy.ReadWrite.ConditionalAccess permission.
Common causes include:
- The app registration was created without Policy.ReadWrite.ConditionalAccess
- The permission was added but admin consent was never granted
- A different application-level permission (e.g. Policy.Read.All) was granted instead, which only allows reading
- The permission was granted as a delegated permission rather than an application permission. The Knocknoc agent runs as the app itself (client credentials), so only application permissions take effect
Steps to Resolve
Grant the Required Permission
- In the Azure portal, navigate to Microsoft Entra ID > App registrations and open the Knocknoc app
- Click API permissions
- Click + Add a permission > Microsoft Graph > Application permissions
- Search for Policy.ReadWrite.ConditionalAccess and tick the box
- Click Add permissions
Grant Admin Consent
After adding the permission, an Entra admin must consent on behalf of the tenant:
- In the API permissions blade, click Grant admin consent for <tenant>
- Confirm the consent prompt
- The Status column for Policy.ReadWrite.ConditionalAccess should change to a green tick
For the full app-registration setup, see the Microsoft Entra ID setup guide.
Verify the Permission Type
- In the same API permissions blade, confirm Policy.ReadWrite.ConditionalAccess is listed under Application in the Type column, not Delegated
- If only the Delegated variant is present, add the Application variant via the steps above. The Delegated permission is unused by Knocknoc
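A quick local way to confirm the fix took effect: with client credentials, every consented application permission appears in the roles claim of the Graph access token, while delegated permissions appear in scp and are never present in a client-credentials token. The script below is an added example, not part of the Knocknoc documentation or agent; it decodes a token's payload (no signature check) and reports which of the causes listed above applies. The sample tokens are constructed and unsigned.

```python
import base64
import json

REQUIRED_ROLE = "Policy.ReadWrite.ConditionalAccess"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    # Payload inspection only; Graph validates the signature, this check does not.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_app_permission(token: str) -> str:
    """Map the token's claims to one of the ENTRA002 causes."""
    claims = jwt_claims(token)
    roles = claims.get("roles", [])
    if REQUIRED_ROLE in roles:
        return "ok"
    if "scp" in claims:
        # scp means a delegated (user) token; the agent cannot use these.
        return "delegated-token"
    if "Policy.Read.All" in roles:
        return "read-only"
    if not roles:
        # No roles claim at all: permission not added, or admin consent not granted.
        return "no-app-roles"
    return "missing"


def _make_token(claims: dict) -> str:
    # Constructed, unsigned sample token for demonstration only.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


AUD = "https://graph.microsoft.com"
SAMPLE_OK = _make_token({"aud": AUD, "roles": [REQUIRED_ROLE]})
SAMPLE_READ_ONLY = _make_token({"aud": AUD, "roles": ["Policy.Read.All"]})
SAMPLE_NO_CONSENT = _make_token({"aud": AUD})

if __name__ == "__main__":
    for name, tok in [("ok", SAMPLE_OK), ("read-only", SAMPLE_READ_ONLY), ("no-consent", SAMPLE_NO_CONSENT)]:
        print(name, "->", check_app_permission(tok))
```

To check a real token, request one with the agent's client credentials for the https://graph.microsoft.com/.default scope and pass it to check_app_permission.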
Still Having Issues?
We can help you out; contact us at support@knocknoc.io.