ENTRA054 - Invalid or Unexpected Response from Microsoft Graph
Agent error code #ENTRA054 indicates that Microsoft Graph returned a 2xx status, but the response body did not match the expected schema. The agent could not decode the Named Location response or the OAuth token response.
This error is rare. It usually points at something sitting between the agent and Microsoft Graph rather than a problem with the agent itself.
Common causes include:
- A TLS-intercepting proxy that injects an HTML error page in place of the JSON body
- A captive portal returning a redirect page when the agent host is on an unauthenticated network
- A transient corruption from an upstream proxy stripping or rewriting bytes
- An unannounced schema change at Microsoft Graph (extremely rare for the v1.0 endpoint)
Steps to Resolve
Inspect the Raw Response
Look in the agent log for the body of the response that failed to parse. If it contains HTML, an XML SOAP fault, or any text other than the expected JSON object, something in the network path is replacing the response.
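As an added example (not part of the agent or its documentation), this Python helper sorts a response body copied from the agent log into the causes listed above. The names classify_body, HINTS and SAMPLES and the minimal field sets are assumptions for illustration; the agent's actual schema is not shown on this page.

```python
import json

# Minimal fields this example checks for; an assumption, not the agent's real schema.
TOKEN_FIELDS = {"access_token", "token_type", "expires_in"}
LOCATION_FIELDS = {"id", "displayName"}

HINTS = {
    "empty": "body stripped upstream",
    "html": "proxy error page or captive portal replaced the response",
    "xml": "XML/SOAP fault substituted in the network path",
    "text": "non-JSON text substituted in the network path",
    "corrupt-json": "JSON truncated or rewritten by an upstream proxy",
    "schema-mismatch": "valid JSON, but not the expected object",
    "ok-token": "looks like an OAuth token response",
    "ok-named-location": "looks like a Named Location response",
}

def classify_body(body: bytes) -> str:
    """Return a key of HINTS for a response body copied from the agent log."""
    text = body.decode("utf-8", errors="replace").lstrip("\ufeff \t\r\n")
    if not text:
        return "empty"
    head = text[:512].lower()
    if head.startswith("<"):
        return "html" if ("<html" in head or "<!doctype html" in head) else "xml"
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # Starts like JSON but does not parse: bytes were cut or rewritten.
        return "corrupt-json" if text[0] in "{[" else "text"
    if not isinstance(doc, dict):
        return "schema-mismatch"
    if TOKEN_FIELDS <= doc.keys():
        return "ok-token"
    # Graph returns either one object or a collection under "value".
    items = doc["value"] if isinstance(doc.get("value"), list) else [doc]
    if all(isinstance(i, dict) and LOCATION_FIELDS <= i.keys() for i in items):
        return "ok-named-location"
    return "schema-mismatch"

# Constructed sample bodies (not taken from any real log).
SAMPLES = [
    b"<!DOCTYPE html><html><body>Access denied by gateway</body></html>",
    b'<?xml version="1.0"?><s:Envelope><s:Body><s:Fault/></s:Body></s:Envelope>',
    b'{"token_type":"Bearer","expires_in":3599,"access_to',
    b'{"value":[{"id":"0000","displayName":"Office","isTrusted":true}]}',
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_body(sample), "-", HINTS[classify_body(sample)])
```

Any result other than the two "ok" kinds on a 2xx response means the body the agent received is not what Microsoft Graph sent, or not the object the agent expected.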
Bypass the Proxy for Microsoft Endpoints
If a forward proxy is in the path:
- Add login.microsoftonline.com and graph.microsoft.com to the proxy bypass list, or
- Confirm the proxy is not running deep-packet-inspection on these hosts, or
- Test temporarily without the proxy by unsetting HTTPS_PROXY in the agent environment
Check the Network for Captive Portals
If the agent host is on a guest or hotel network, that network may be intercepting HTTPS and returning a portal page. Move the agent to a network where outbound HTTPS to Microsoft works unmodified.
For the full setup, see the Microsoft Entra ID setup guide.
Still Having Issues?
We can help you out. Contact us at support@knocknoc.io.