EntraCP

Troubleshooting

This article groups tips & tricks to help you troubleshoot AzureCP if it’s not working as expected.

Inspect the SharePoint logs

AzureCP records all its activity in the SharePoint logs, under Product / Area “AzureCP”. It records a lot of information and can be managed with PowerShell:

# Show the AzureCP logging level
Get-SPLogLevel| ?{$_.Area -like "AzureCP"}
# Set AzureCP logging level
"AzureCP:*"| Set-SPLogLevel -TraceSeverity Verbose
# Merge AzureCP logs from all servers from the past 10 minutes
Merge-SPLogFile -Path "C:\Data\AzureCP_logging.log" -Overwrite -Area "AzureCP" -StartTime (Get-Date).AddMinutes(-10)

You can use ULS Viewer to inspect the logs.

Run Microsoft Graph queries in Postman

You can import the collection below in Postman to replay the typical queries executed by AzureCP:

Open Postman collection for AzureCP

Test connectivity with Azure AD

AzureCP may fail to connect to Azure AD for various reasons. The PowerShell script below connects to the typical Azure endpoints and may be run on the SharePoint servers to test the connectivity (set or remove the proxy settings depending on your configuration):

Invoke-WebRequest -Uri "https://login.windows.net" -UseBasicParsing [-ProxyUseDefaultCredentials] [-Proxy "http://127.0.0.1:8888"]
Invoke-WebRequest -Uri "https://login.microsoftonline.com" -UseBasicParsing [-ProxyUseDefaultCredentials] [-Proxy "http://127.0.0.1:8888"]
Invoke-WebRequest -Uri "https://graph.microsoft.com" -UseBasicParsing [-ProxyUseDefaultCredentials] [-Proxy "http://127.0.0.1:8888"]

Obtain the access token using PowerShell

This PowerShell script requests an access token to Microsoft Graph, as done by AzureCP (set or remove the proxy settings depending on your configuration):

$clientId = "<CLIENTID>"
$clientSecret = "<CLIENTSECRET>"
$tenantName = "<TENANTNAME>.onmicrosoft.com"
$headers = @{ "Content-Type" = "application/x-www-form-urlencoded" }
$body = "grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret&resource=https%3A//graph.microsoft.com/"
$response = Invoke-RestMethod "https://login.microsoftonline.com/$tenantName/oauth2/token" -Method "POST" -Headers $headers -Body $body [-ProxyUseDefaultCredentials] [-Proxy "http://127.0.0.1:8888"]
$response | ConvertTo-Json

Inspect the traffic to Azure AD

You can intercept and inspect the traffic between AzureCP and Azure AD using Fiddler Classic.
Once Fiddler was installed locally and its root certificate trusted, you can intercept the traffic per web application by updating the web.config:

<system.net>
    <defaultProxy useDefaultCredentials="True">
        <proxy proxyaddress="http://localhost:8888" bypassonlocal="False" />
    </defaultProxy>
</system.net>

Important

To view the traffic in Fiddler, make sure to set the filter to "All Processes" or "Non-Browsers" (in the bottom left).

Last updated on December 13, 2023
Edit this page on GitHub
Prev
Remove
Next
Fix Setup Issues