Troubleshooting
This article groups tips & tricks to help you troubleshoot EntraCP if it’s not working as expected.
Inspect the SharePoint logs
EntraCP records all its activity in the SharePoint logs, under Product / Area “EntraCP”. It records a lot of information and can be managed with PowerShell:
# Show / set the logging level for EntraCP
Get-SPLogLevel| ?{$_.Area -like "EntraCP"}
"EntraCP:*"| Set-SPLogLevel -TraceSeverity Verbose
# Merge EntraCP logs from all SharePoint servers from the last 10 minutes
Merge-SPLogFile -Path "C:\Data\EntraCP_logging.log" -Overwrite -Area "EntraCP" -StartTime (Get-Date).AddMinutes(-10)
You can use ULS Viewer to inspect the logs.
Use the built-in troubleshooting page
EntraCP comes with a built-in troubleshooting page, located in 16\TEMPLATE\ADMIN\EntraCP\TroubleshootEntraCP.aspx
.
It is primarily designed to:
- Validate that the assembly bindings were correctly set in the
machine.config
file. - Test the connectivity to Microsoft Entra ID and Graph.
It is written in inline code, so you can edit it in a simple notepad.
For security reasons, by default it can be called only from the central administration, but you can copy it anywhere under 16\TEMPLATE\LAYOUTS
, to call it from a regular SharePoint site, or from a specific server.
Test the connectivity with Microsoft Graph
EntraCP may fail to connect to Microsoft Graph for various reasons. The PowerShell script below connects to the typical Microsoft Graph endpoints and may be run on the SharePoint servers to test the connectivity (set or remove the proxy settings depending on your configuration):
Invoke-WebRequest -Uri "https://login.microsoftonline.com" -UseBasicParsing [-ProxyUseDefaultCredentials] [-Proxy "http://127.0.0.1:8888"]
Invoke-WebRequest -Uri "https://graph.microsoft.com" -UseBasicParsing [-ProxyUseDefaultCredentials] [-Proxy "http://127.0.0.1:8888"]
Obtain the access token using PowerShell
This PowerShell script requests an access token to Microsoft Graph, as done by EntraCP (set or remove the proxy settings depending on your configuration):
$clientId = "<CLIENTID>"
$clientSecret = "<CLIENTSECRET>"
$tenantName = "<TENANTNAME>.onmicrosoft.com"
$headers = @{ "Content-Type" = "application/x-www-form-urlencoded" }
$body = "grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret&resource=https%3A//graph.microsoft.com/"
$response = Invoke-RestMethod "https://login.microsoftonline.com/$tenantName/oauth2/token" -Method "POST" -Headers $headers -Body $body [-ProxyUseDefaultCredentials] [-Proxy "http://127.0.0.1:8888"]
$response | ConvertTo-Json
Inspect the traffic to Microsoft Graph
You can intercept the traffic between EntraCP (running in SharePoint) and Microsoft Graph using Fiddler Classic as a local proxy.
Once Fiddler was installed locally and its root certificate trusted (mandatory), you can intercept the traffic by updating the web.config file of your SharePoint site as below:
<system.net>
<defaultProxy useDefaultCredentials="True">
<proxy proxyaddress="http://localhost:8888" bypassonlocal="False" />
</defaultProxy>
</system.net>
Important
To view the traffic in Fiddler, make sure to set the filter to "All Processes" or "Non-Browsers" (in the bottom left).