hasvt.blogg.se

Password was not enabled for a password reset office 365












There is a lot of information on the web regarding Azure AD password reset, setup and related issues. In this blog we want to focus on a few specific user password reset issues, which we have continuously seen over time. Internet articles and forums suggest various fixes for these, but often these solutions are confusing, not needed at all or not in depth enough. Administrator efforts to resolve these issues usually take way longer than expected.

In this article we will assume we have a hybrid environment, which means Azure AD + domain controller (Azure hosted VM or on-prem). Let's split the article into two sections: password reset via Azure portal and self-service password reset (SSPR).

Common issues when resetting user password via Azure portal

“Unfortunately, you cannot reset this user's password due to a policy or error in your on-premises environment” or "Unfortunately, you cannot reset this user's password because your on-premises policy does not allow it. Please review your on-premises policy to ensure that it is setup correctly".

First, make sure the new password meets the GPO or local policy password requirements.

Firstly, pay attention to the “Minimum password age” attribute. If it is not “0 days”, it means that it is not possible to reset the password twice that same day.

Secondly, check if the Azure AD Connect MSOL account (MSOL_************) has the “Reset Password” permission on the specific user AD object, or inherits it from the domain security properties. We are not sure whether all the “Read/write all properties” entries are mandatory or could be more granular, but these are created by default, which unfortunately does not apply to the “Reset Password” permission.

Thirdly, for obvious reasons, "User cannot change password" must be unchecked in the AD user account options.

The fourth, and most tricky one: if the user account was ever added to Administrators, Account Operators or other protected groups, this will add the “adminCount” attribute with the value “1” on the user's AD account object. For some reason, even after removing the user account from all of the protected groups, the attribute may still stay at “1” and must be changed to “” or “0”. If not, password resets will not be allowed.

"We're sorry, we're not able to reset this user's password right now. This may be due to temporary issues on our end. Please wait a few minutes and try again".

As described in the error, this can be due to an issue on the Azure end, but more likely it is related to Azure AD Connect 'health'. So, investigate that first and confirm that the “Microsoft Azure AD Sync” service is running all the time. Our advice is to add this service to monitoring for easier troubleshooting.

Required premium licensing and more details can be found in the below Microsoft article: Self-service password reset (SSPR) in Azure Active Directory – things to know

For SSPR to work properly in the hybrid environment, the on-prem password writeback feature is mandatory. We would like to add that Enterprise Mobility + Security E3 or A3 (E5 or A5), Microsoft 365 E3 or A3 (E5 or A5) and Microsoft 365 F1 will meet this prerequisite as well.

Password writeback must be enabled in the Azure AD Connect (installed on the domain controller) synchronization options, and the steps to do so are shown in the following screenshots. Do not forget to enable the two settings below in the Azure Active Directory -> Users blade.

SSPR can be enabled for all users or selected AD groups.
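The on-premises checks listed for the Azure portal reset errors can be collected in one read-only pass per user. The following is an added example, not part of the original article or of any Microsoft tooling; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the function name Test-PasswordResetReadiness and the account name in the usage comment are hypothetical.

```powershell
# Added example: read-only pre-checks for one on-premises user. Nothing is modified.
# Assumption: RSAT ActiveDirectory module is installed; function name is hypothetical.
Import-Module ActiveDirectory

function Test-PasswordResetReadiness {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties adminCount, CannotChangePassword, PasswordLastSet

    # "Minimum password age" from the default domain policy (a fine-grained
    # policy, if one applies to the user, is not read here).
    $minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
    $blockedUntil = $null
    if ($minAge -gt [TimeSpan]::Zero -and $user.PasswordLastSet) {
        $blockedUntil = $user.PasswordLastSet + $minAge
    }

    # "Reset Password" is the extended right User-Force-Change-Password.
    # .Access includes inherited ACEs, so inheritance from the domain is covered.
    $resetGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
    $extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path ('AD:\' + $user.DistinguishedName)
    $msolAces = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\MSOL_*' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        ($_.ObjectType -eq $resetGuid -or $_.ObjectType -eq [Guid]::Empty)
    }

    # Only meaningful when run on the server where Azure AD Connect is installed.
    $sync = Get-Service -DisplayName 'Microsoft Azure AD Sync' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User                     = $user.SamAccountName
        MinPasswordAgeDays       = $minAge.TotalDays
        ResetBlockedUntil        = $blockedUntil
        MsolHasResetPassword     = [bool]$msolAces
        UserCannotChangePassword = $user.CannotChangePassword
        AdminCount               = $user.adminCount
        AdminCountBlocksReset    = ($user.adminCount -eq 1)
        SyncServiceStatus        = if ($sync) { $sync.Status } else { 'not found on this host' }
    }
}

# Usage (constructed account name):
# Test-PasswordResetReadiness -SamAccountName 'jdoe'
```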













