This article groups tips & tricks to help you troubleshoot EntraCP if it’s not working as expected.

Inspect the SharePoint logs

EntraCP records all its activity in the SharePoint logs, under Product / Area “EntraCP”. It records a lot of information and can be managed with PowerShell:

# Show / set the logging level for EntraCP
Get-SPLogLevel| ?{$_.Area -like "EntraCP"}
"EntraCP:*"| Set-SPLogLevel -TraceSeverity Verbose

# Merge EntraCP logs from all SharePoint servers from the last 10 minutes
Merge-SPLogFile -Path "C:\Data\EntraCP_logging.log" -Overwrite -Area "EntraCP" -StartTime (Get-Date).AddMinutes(-10)

You can use ULS Viewer to inspect the logs.

Use the built-in troubleshooting page

EntraCP comes with a built-in troubleshooting page, located in 16\TEMPLATE\ADMIN\EntraCP\TroubleshootEntraCP.aspx.
It is primarily designed to:

  • Validate that the assembly bindings were correctly set in the machine.config file.
  • Test the connection to your Microsoft Entra ID tenant, without using the EntraCP configuration.

It is written entirely with inline code, which means that you can easily modify as you need.
For security reasons, by default it can be called only from the central administration site, but it you can copy the page anywhere under 16\TEMPLATE\LAYOUTS, and you’ll be able to call it from any SharePoint site.

Test the connectivity with Microsoft Graph

EntraCP may fail to connect to Microsoft Graph for various reasons. The PowerShell script below connects to the typical Microsoft Graph endpoints and may be run on the SharePoint servers to test the connectivity (set or remove the proxy settings depending on your configuration):

Invoke-WebRequest -Uri "" -UseBasicParsing [-ProxyUseDefaultCredentials] [-Proxy ""]
Invoke-WebRequest -Uri "" -UseBasicParsing [-ProxyUseDefaultCredentials] [-Proxy ""]

Obtain the access token using PowerShell

This PowerShell script requests an access token to Microsoft Graph, as done by EntraCP (set or remove the proxy settings depending on your configuration):

$clientId = "<CLIENTID>"
$clientSecret = "<CLIENTSECRET>"
$tenantName = "<TENANTNAME>"
$headers = @{ "Content-Type" = "application/x-www-form-urlencoded" }
$body = "grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret&resource=https%3A//"
$response = Invoke-RestMethod "$tenantName/oauth2/token" -Method "POST" -Headers $headers -Body $body [-ProxyUseDefaultCredentials] [-Proxy ""]
$response | ConvertTo-Json

Inspect the traffic to Microsoft Graph

You can intercept the traffic between EntraCP (running in SharePoint) and Microsoft Graph using Fiddler Classic as a local proxy.
Once Fiddler was installed locally and its root certificate trusted (mandatory), you can intercept the traffic by updating the web.config file of your SharePoint site as below:

    <defaultProxy useDefaultCredentials="True">
        <proxy proxyaddress="http://localhost:8888" bypassonlocal="False" />


To view the traffic in Fiddler, make sure to set the filter to "All Processes" or "Non-Browsers" (in the bottom left).