Skip to main content

ENTRA005 - Microsoft Graph API Throttled

Agent error code #ENTRA005 indicates that Microsoft Graph rejected the request with HTTP 429 Too Many Requests. The agent has hit the per-tenant or per-app rate limit on the Conditional Access API.

Microsoft Graph publishes its throttling thresholds at Microsoft Graph throttling guidance. The Conditional Access service is on the same shared quota as the rest of policy management, so heavy use elsewhere in the tenant can also push Knocknoc over the line.

Common causes include:

  • A large number of users granting and revoking access in a short window (e.g. a mass-onboarding event)
  • Another tool in the tenant making frequent Conditional Access changes
  • Multiple Knocknoc agents pointed at the same Entra Named Location

Steps to Resolve

Wait Out the Throttle

Microsoft returns a Retry-After header indicating when to retry. The Knocknoc agent backs off automatically. If grants are not landing, wait a few minutes and confirm in the agent logs that the throttle has cleared.

Audit Other Conditional Access Activity in the Tenant

  1. In the Azure portal, navigate to Microsoft Entra ID > Audit logs
  2. Filter by Category: Policy and Activity: Update conditional access policy / Update named location
  3. Identify any other automation making frequent updates and stagger it

Reduce Update Frequency

If a single Named Location is being updated by multiple Knocknoc agents simultaneously, consider consolidating to a single agent. Knocknoc updates the Named Location's full ipRanges list on every grant/revoke, so concurrent updates compound the throttle pressure.

For the full setup, see the Microsoft Entra ID setup guide.

Still Having Issues?

We can help you out, contact us at support@knocknoc.io.

Back to top