Troubleshooting: Agent cannot connect to Graph API

Description

When performing an operation against the Graph API, the operation fails due to a connectivity issue.

Symptom

Operations against the Graph API fail due to a connectivity issue.

Resolution

The following PowerShell command can be used to verify that the service can be accessed.

In the following command, replace {tenantDomain} with the tenant domain as configured in the agent. This should be executed on the server on which Identity Broker is installed.

Invoke-WebRequest -Uri "https://graph.windows.net/{tenantDomain}/users?api-version=1.6"

If the service is accessible from the execution location, Invoke-WebRequest should return an error from the service, indicating that a connection was successfully made without the correct authentication information.

Invoke-WebRequest : {"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."},"values":null}}
At line:1 char:1
+ Invoke-WebRequest -Uri "https://graph.windows.net/{tenantDomain} ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Any other response indicates a networking/firewall issue. Ensure that the Identity Broker service has HTTPS access to the graph.windows.net domain and is not being blocked or filtered.
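
The same check as a script that separates the expected authentication error from a network-level failure. This is an added example, not part of Identity Broker: the function name Test-GraphApiReachability and the output fields are hypothetical, and it assumes Windows PowerShell 5.1, which is what the error output above comes from.

```powershell
# Added example: Test-GraphApiReachability is a hypothetical helper, not an Identity Broker cmdlet.
# Assumes Windows PowerShell 5.1. Run it on the server on which Identity Broker is installed.
function Test-GraphApiReachability {
    param(
        [Parameter(Mandatory)]
        [string]$TenantDomain   # the tenant domain as configured in the agent
    )

    $uri = "https://graph.windows.net/$TenantDomain/users?api-version=1.6"
    try {
        # No access token is sent, so a successful answer is not expected from the service.
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 30
        return [pscustomobject]@{
            Reachable = $false
            Detail    = "Unexpected HTTP $([int]$r.StatusCode) without a token; something other than the service may be answering."
        }
    }
    catch {
        $response = $_.Exception.Response   # set only when an HTTP response was received
        # Windows PowerShell places the body of an HTTP error response in ErrorDetails.Message.
        $body = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { '' }

        if ($response -and $body -match 'Authentication_MissingOrMalformed') {
            # The expected result: the service was reached and rejected the unauthenticated call.
            return [pscustomobject]@{
                Reachable = $true
                Detail    = 'Service reached; it returned Authentication_MissingOrMalformed as expected.'
            }
        }
        if ($response) {
            # An HTTP reply that is not the expected service error, for example a proxy or filter page.
            return [pscustomobject]@{
                Reachable = $false
                Detail    = "HTTP $([int]$response.StatusCode) received, but not the expected service error; check proxy and filtering rules."
            }
        }
        # No HTTP response at all: Status names the failing stage (name resolution, connect, TLS, timeout).
        return [pscustomobject]@{
            Reachable = $false
            Detail    = "No HTTP response ($($_.Exception.Status)): $($_.Exception.Message)"
        }
    }
}

# Usage: replace {tenantDomain} as described above.
# Test-GraphApiReachability -TenantDomain '{tenantDomain}'
```

Run it under the account that the Identity Broker service runs as, since proxy settings can differ between accounts.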
