Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users reset their passwords in the cloud. Password writeback can be used with Azure AD Connect or cloud sync to synchronize password changes made in the cloud back to an existing on-premises directory.
If you have trouble with SSPR writeback, the following troubleshooting steps and common errors may help. If you can't find the answer to your question, our support team is available to help you further.
Troubleshoot connectivity
If you have problems with Azure AD Connect password writeback, review the following steps, which might help resolve the problem. To restore service, we recommend that you perform the steps in the order presented:
- Confirm network connectivity
- Restart the Azure AD Connect Sync service
- Disable and re-enable the password writeback feature
- Install the latest Azure AD Connect release
- Troubleshoot password writeback
Confirm network connectivity
The most common points of failure are firewall or proxy port misconfigurations and idle timeouts.
For Azure AD Connect version 1.1.443.0 and later, outbound HTTPS access is required to the following addresses:
- *.passwordreset.microsoftonline.com
- *.servicebus.windows.net
Azure Government endpoints:
- *.passwordreset.microsoftonline.us
- *.servicebus.usgovcloudapi.net
For more information, see the list of Microsoft Azure public cloud service tags and IP ranges.
For Azure Government, see the list of Microsoft Azure IP ranges and service tags for the US Government cloud.
These documents are updated weekly.
To determine whether URL and port access is restricted in your environment, run the following cmdlet:
Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443
Or run the following command:
Invoke-WebRequest -Uri https://ssprdedicatedsbprodscu.servicebus.windows.net -Verbose
For more information, see the connectivity prerequisites for Azure AD Connect.
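As an added example that is not part of the original article, the following PowerShell script combines the two probes above into a single check that can be run on the Azure AD Connect server. The Service Bus host name is the one the article uses; the port list (TCP 443 plus 9350-9354) is taken from the article's description of event 32011. The `$ExtraHosts` parameter is an assumption: the wildcard domains listed above can only be probed once you know a concrete host name, such as one that appears in your own PasswordResetService event messages.

```powershell
# Added example, not from the original article.
# Probes outbound connectivity from the Azure AD Connect server to the endpoints
# that password writeback depends on and reports each (host, port) pair.
param(
    # Extra concrete host names to probe, e.g. the *.passwordreset.microsoftonline.com
    # host named in your own event log entries (assumption: supplied by you).
    [string[]]$ExtraHosts = @()
)

$hosts = @('ssprdedicatedsbprodscu.servicebus.windows.net') + $ExtraHosts
# TCP 443 is the HTTPS path; 9350-9354 are the Service Bus relay ports the article
# names under event 32011.
$ports = @(443) + (9350..9354)

$results = foreach ($h in $hosts) {
    foreach ($p in $ports) {
        $probe = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $h
            Port      = $p
            Reachable = $probe.TcpTestSucceeded
            RemoteIP  = $probe.RemoteAddress
        }
    }
}
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    # A blocked pair points at a firewall or proxy rule, the first thing the article says to check.
    Write-Warning ('Blocked: ' + (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
}

# HTTPS probe. Any HTTP response, even an error status, proves the TLS path is open;
# only a transport-level failure (name resolution, timeout, proxy refusal) is a real block.
$uri = 'https://ssprdedicatedsbprodscu.servicebus.windows.net'
try {
    $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    "HTTPS reachable: $uri returned status $($response.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        "HTTPS reachable: $uri answered with an HTTP error status (transport is fine)"
    } else {
        Write-Warning "HTTPS probe to $uri failed: $($_.Exception.Message)"
    }
}
```

Run it in an elevated PowerShell session on the Azure AD Connect server; a row with Reachable = False, or a warning from the HTTPS probe that is not an HTTP status error, identifies the port or address that the firewall or proxy is blocking.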
Restart the Azure AD Connect Sync service
To resolve connectivity or other transient service problems, restart the Azure AD Connect Sync service by following these steps:
- As an administrator on the server that runs Azure AD Connect, select Start.
- Enter services.msc in the search box and select Enter.
- Look for the Microsoft Azure AD Sync entry.
- Right-click the service entry, select Restart, and wait for the operation to complete.
These steps re-establish the connection with Azure AD and should resolve connectivity problems.
If restarting Azure AD Connect Sync doesn't resolve the problem, try disabling and then re-enabling password writeback as described in the next section.
Disable and re-enable the password writeback feature
To continue troubleshooting, follow these steps to disable password writeback and then re-enable it:
- As an administrator on the server that runs Azure AD Connect, open the Azure AD Connect Configuration Wizard.
- In Connect to Azure AD, enter your Azure AD global administrator credentials.
- In Connect to AD DS, enter your on-premises Active Directory Domain Services administrator credentials.
- In Uniquely identifying your users, select the Next button.
- In Optional features, clear the Password writeback check box.
- Select Next through the remaining dialog pages without changing anything until you reach the Ready to configure page.
- Check that the Ready to configure page shows the Password writeback option as disabled. Select the green Configure button to confirm the change.
- In Finished, clear the Synchronize now option, and then select Finish to close the wizard.
- Reopen the Azure AD Connect Configuration Wizard.
- Repeat steps 2-8, this time selecting the Password writeback option on the Optional features page to re-enable the service.
These steps re-establish the connection with Azure AD and should resolve connectivity problems.
If disabling and re-enabling password writeback doesn't resolve the problem, reinstall Azure AD Connect as described in the next section.
Install the latest Azure AD Connect release
Reinstalling Azure AD Connect can resolve connectivity and configuration problems between Azure AD and your on-premises Active Directory Domain Services environment. We recommend that you perform this step only after you have tried the steps above to verify connectivity and troubleshoot.
Warning
If you have customized the out-of-the-box sync rules, back them up before you proceed with the upgrade, and then manually redeploy them after you're done.
Download the latest version of Azure AD Connect from the Microsoft Download Center.
Because you already have Azure AD Connect installed, perform an in-place upgrade to update your Azure AD Connect installation to the latest version.
Run the downloaded package and follow the on-screen instructions to update Azure AD Connect.
These steps should re-establish the connection with Azure AD and resolve connectivity problems.
If installing the latest Azure AD Connect release doesn't resolve the problem, try disabling and then re-enabling password writeback as a final step after you install the latest release.
Verify that Azure AD Connect has the required permissions
Azure AD Connect requires the AD DS Reset Password permission to perform password writeback. To verify that Azure AD Connect has the required permissions for a given on-premises AD DS user account, use the Windows Effective Permissions feature:
- Sign in to the Azure AD Connect server and start Synchronization Service Manager by selecting Start > Synchronization Service.
- On the Connectors tab, select the on-premises Active Directory Domain Services connector, and then select Properties.
- In the pop-up window, select Connect to Active Directory Forest and note the User name attribute. This attribute is the AD DS account that Azure AD Connect uses to perform directory synchronization.
For Azure AD Connect to perform password writeback, this AD DS account must have the Reset Password permission. To verify the permissions of this user account, follow these steps:
- Sign in to your on-premises domain controller and run the Active Directory Users and Computers application.
- Select View and make sure the Advanced Features option is enabled.
- Find the AD DS user account that you want to verify. Right-click the account name and select Properties.
- In the pop-up window, go to the Security tab and select Advanced.
- In the Advanced Security Settings for Administrator pop-up window, go to the Effective Access tab.
- Select Select a user, select the AD DS account used by Azure AD Connect, and then select View effective access.
- Scroll down and look for Reset password. If this entry is selected, the AD DS account has permission to reset the password of the selected Active Directory user account.
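As an added example, not code from the original article, the following PowerShell script performs a scripted first pass of the same check: it reads the DACL of a user object and looks for ACEs that grant or deny the Reset Password extended right to the connector account or one of its direct groups. It requires the ActiveDirectory RSAT module; the connector account and target user names are placeholders, and the script only expands direct group memberships, so the Effective Access tab described above remains the authoritative answer. It also reports the user's adminCount, because the 33004 entry in the event table below notes that a grant on an adminCount=1 object won't persist.

```powershell
# Added example, not from the original article.
# Checks whether the AD DS account that Azure AD Connect uses (the User name from the
# connector properties) holds the "Reset Password" extended right on one user object.
# Requires the ActiveDirectory RSAT module. Account and user names are placeholders.
param(
    [string]$ConnectorAccount = 'MSOL_xxxxxxxxxxxx',  # placeholder: sAMAccountName of the connector account
    [string]$TargetUser       = 'jdoe'                # placeholder: sAMAccountName of the user to test
)
Import-Module ActiveDirectory

# Schema GUID of the "Reset Password" control access right (well-known, fixed across forests).
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$user = Get-ADUser -Identity $TargetUser -Properties adminCount
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

# SIDs the connector account acts as: itself plus its direct group memberships.
# Nested groups are not expanded; the GUI's Effective Access tab remains authoritative.
$connector     = Get-ADUser -Identity $ConnectorAccount
$principalSids = @($connector.SID.Value) +
    @(Get-ADPrincipalGroupMembership -Identity $ConnectorAccount | ForEach-Object { $_.SID.Value })

function Get-AceSid($ace) {
    try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # unresolvable (orphaned) SIDs are skipped
}

# ACEs that grant or deny the extended right to one of the connector's SIDs.
# ObjectType = Empty means "all extended rights"; InheritOnly ACEs don't apply to this object.
$aces = $acl.Access | Where-Object {
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $resetPasswordRight -or $_.ObjectType -eq [guid]::Empty) -and
    -not $_.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly) -and
    ((Get-AceSid $_) -in $principalSids)
}
$allowed = @($aces | Where-Object AccessControlType -eq 'Allow').Count -gt 0
$denied  = @($aces | Where-Object AccessControlType -eq 'Deny').Count -gt 0

[pscustomobject]@{
    TargetUser               = $user.SamAccountName
    ConnectorAccount         = $ConnectorAccount
    ResetPasswordAllowed     = $allowed
    ResetPasswordDenied      = $denied
    # adminCount = 1 means AdminSDHolder periodically rewrites this object's ACL,
    # so a grant made directly on the object won't survive.
    ProtectedByAdminSDHolder = ($user.adminCount -eq 1)
}
```

A result of ResetPasswordAllowed = True with ResetPasswordDenied = False matches a selected Reset password entry on the Effective Access tab; ProtectedByAdminSDHolder = True explains why a permission that looked correct a moment ago has disappeared again.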
Common password writeback errors
The following more specific problems can occur with password writeback. If you encounter one of these errors, review the suggested solution and verify that password writeback is working correctly.
Error | Solution |
---|---|
The on-premises password reset service doesn't start. Error 6800 appears in the Application event log of the Azure AD Connect machine. After onboarding, users who use federated, pass-through, or password hash synchronized authentication can't reset their passwords. | When password writeback is enabled, the sync engine calls the writeback library to perform the configuration (onboarding) by communicating with the cloud onboarding service. Any errors encountered during onboarding or while starting the Windows Communication Foundation (WCF) endpoint for password writeback result in errors in the event log on the Azure AD Connect machine. When the Azure AD Sync (ADSync) service is restarted and writeback was configured, the WCF endpoint is started. However, if the endpoint fails to start, event 6800 is logged and the sync service is allowed to start. The presence of this event means that the password writeback endpoint wasn't started. The event log details for this 6800 event, together with the event log entries generated by the PasswordResetService component, indicate why the endpoint couldn't be started. Review these event log errors and, if password writeback still isn't working, try restarting Azure AD Connect. If the problem persists, try disabling and then re-enabling password writeback. |
When a user attempts to reset a password or unlock an account with password writeback enabled, the operation fails. In addition, after an unlock operation is performed, an event appears in the Azure AD Connect event log that contains: "The sync engine returned an error hr=800700CE, message=The filename or extension is too long". | Find the Active Directory account for Azure AD Connect and reset the password so that it contains no more than 256 characters. Then open Synchronization Service from the Start menu. Go to Connectors and find the Active Directory Connector. Select it, and then select Properties. Go to the Credentials page and enter the new password. Select OK to close the page. |
At the last step of the Azure AD Connect installation process, you receive an error that says password writeback couldn't be configured. The Azure AD Connect Application event log contains error 32009 with the text "Error getting auth token". | This error occurs in the following two situations: |
The Azure AD Connect machine event log contains error 32002 that's thrown by the PasswordResetService. The error reads: "Error connecting to ServiceBus. The token provider was unable to provide a security token." | Your on-premises environment can't connect to the Azure Service Bus endpoint in the cloud. This error is usually caused by a firewall rule that blocks an outbound connection to a particular port or web address. See the connectivity prerequisites for more information. After you update these rules, restart the Azure AD Connect server, and password writeback should start working again. |
After some time, users who use federated, pass-through, or password hash synchronized authentication can't reset their passwords. | In rare cases, the password writeback service might fail to restart when Azure AD Connect is restarted. In these cases, first check whether password writeback appears to be enabled on-premises. You can check this by using the Azure AD Connect wizard or PowerShell. If the feature appears to be enabled, try enabling or disabling the feature again. If this troubleshooting step doesn't work, try a complete uninstall and reinstall of Azure AD Connect. |
Users who use federated, pass-through, or password hash synchronized authentication and try to reset their password see an error after they submit the password. The error indicates that there was a service problem. In addition to this problem, during a password reset operation, you might see an error in the event log stating that the management agent was denied access to the on-premises event log. | If you see these errors in the event log, verify that the Active Directory Management Agent (ADMA) account that you specified in the wizard during installation has the required permissions for password writeback. After this permission is granted, it can take up to an hour for the permission to take effect. For password reset to work, the permission must be stamped on the security descriptor of the user object whose password is being reset. Until this permission is present on the user object, password resets continue to fail with an access denied message. |
Users who use federated, pass-through, or password hash synchronized authentication and try to reset their password see an error after they submit the password. The error indicates that there was a service problem. In addition to this problem, you might see an error in the Azure AD Connect event log indicating an "object not found" error during a password reset operation. | This error usually means that the sync engine couldn't find either the user object in the Azure AD connector space or the linked Metaverse (MV) or Active Directory connector space object. To resolve this problem, make sure that the user is actually synchronized from on-premises to Azure AD through the current instance of Azure AD Connect, and inspect the state of the objects in the connector spaces and the MV. Ensure that the Active Directory Certificate Services (AD CS) object is connected to the MV object through the "Microsoft.InfromADUserAccountEnabled.xxx" rule. |
Users who use federated, pass-through, or password hash synchronized authentication and try to reset their password see an error after they submit the password. The error indicates that there was a service problem. In addition to this problem, you might see an error in the Azure AD Connect event log stating that there's a "Multiple matches found" error during a password reset operation. | This means that the sync engine detected that the MV object is connected to more than one AD CS object through "Microsoft.InfromADUserAccountEnabled.xxx". This means that the user has an enabled account in more than one forest. This scenario isn't supported for password writeback. |
Password operations fail with a configuration error. The Application event log contains Azure AD Connect error 6329 with the text "0x8023061f (The operation failed because password synchronization is not enabled on this Management Agent)". | This error occurs if the Azure AD Connect configuration is changed to add a new Active Directory forest (or to remove and re-add an existing forest) after password writeback was already enabled. Password operations for users in the newly added forest fail. To resolve this problem, disable and then re-enable password writeback after the forest configuration changes are complete. |
SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Contact your administrator and ask them to investigate. | Problem: Password writeback is enabled after all the required steps were completed, but when you try to change a password, the message "SSPR_0029: Your organization hasn't properly set up the on-premises configuration for password reset" appears. Checking the event logs on the Azure AD Connect system shows that the management agent credentials were denied access. Possible solution: Use RSOP on the Azure AD Connect server and the domain controllers to check whether the policy "Network access: Restrict clients allowed to make remote calls to SAM" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) is enabled. Edit the policy to include the management agent account MSOL_XXXXXXXXXX as an allowed user. For more information, see Troubleshoot error SSPR_0029: Your organization hasn't properly set up the on-premises configuration for password reset. |
Password writeback event log error codes
A best practice when troubleshooting password writeback is to inspect the Application event log on the Azure AD Connect machine. This event log contains password writeback events from two sources. The PasswordResetService source describes operations and problems related to the writeback operation itself. The ADSync source describes operations and problems related to setting passwords in the Active Directory Domain Services environment.
If the event source is ADSync
Code | Name or message | Description |
---|---|---|
6329 | BAIL: MMS(4924) 0x80230619: "A restriction prevents the password from being changed to the current one specified." | This event occurs when the password writeback service attempts to set a password in the on-premises directory that doesn't meet the domain's password age, history, complexity, or filtering requirements. If you have a minimum password age and you recently changed the password within that time window, you can't change the password again until the age specified in your domain has elapsed. For testing purposes, the minimum age should be set to 0. If you have password history requirements enabled, you must select a password that hasn't been used in the last n times, where n is the password history setting. If you select a password that was used in the last n times, you see a failure in this case. For testing purposes, the password history should be set to 0. If you have password complexity requirements, they're all enforced when the user attempts to change or reset a password. If you have password filters enabled and the user selects a password that doesn't meet the filtering criteria, the reset or change operation fails. |
6329 | MMS(3040): admaexport.cpp(2837): The server doesn't contain the LDAP password policy control. | This problem occurs if the LDAP_SERVER_POLICY_HINTS_OID control (1.2.840.113556.1.4.2066) isn't enabled on the domain controller. To use the password writeback feature, you must enable this control. To do so, the domain controllers must be on Windows Server 2016 or later. |
HR 8023042 | The sync engine returned an error hr=80230402, message=An attempt to get an object failed because there are duplicated entries with the same anchor. | This error occurs when the same user ID is enabled in multiple domains. An example is an account and resource forest synchronization where the same user ID exists and is enabled in each forest. This error can also occur if you use a non-unique anchor attribute (such as an alias or UPN) and two users share that same anchor attribute. To resolve this problem, make sure you don't have duplicate users in your domains, and that you use unique anchor attributes for each user. |
If the event source is PasswordResetService
Code | Name or message | Description |
---|---|---|
31001 | Password reset start | This event indicates that the on-premises service detected a password reset request for a federated, pass-through, or password hash synchronized user that originated in the cloud. This event is the first event in every password reset writeback operation. |
31002 | Password reset success | This event indicates that the user selected a new password during a password reset operation, we determined that the password meets the corporate password requirements, and the password was successfully written back to the on-premises Active Directory environment. |
31003 | Password reset failed | This event indicates that the user selected a password and the password arrived successfully on-premises, but when we attempted to set the password in the on-premises Active Directory environment, a failure occurred. This failure can occur for several reasons: |
31004 | Onboarding event start | This event can occur if you have enabled password writeback with Azure AD Connect and indicates that we started onboarding your organization to the password writeback web service. |
31005 | Onboarding event success | This event indicates that the onboarding process was successful and that the password writeback capability is ready to use. |
31006 | Change password start | This event indicates that the on-premises service detected a password change request for a federated, pass-through, or password hash synchronized user that originated in the cloud. This event is the first event in every password change writeback operation. |
31007 | Change password success | This event indicates that the user selected a new password during a password change operation, we determined that the password meets the corporate password requirements, and the password was successfully written back to the on-premises Active Directory environment. |
31008 | Change password failed | This event indicates that the user selected a password and the password arrived successfully on-premises, but when we attempted to set the password in the on-premises Active Directory environment, a failure occurred. This failure can occur for several reasons: |
31009 | Reset user password by admin start | The on-premises service detected a password reset request for a federated, pass-through, or password hash synchronized user, initiated by an administrator on behalf of that user. This event is the first event in every administrator-initiated password reset writeback operation. |
31010 | Reset user password by admin success | An administrator selected a new password during an administrator-initiated password reset operation, we determined that the password meets the corporate password requirements, and the password was successfully written back to the on-premises Active Directory environment. |
31011 | Reset user password by admin failed | An administrator selected a password on behalf of a user. The password arrived successfully on-premises, but when we attempted to set the password in the on-premises Active Directory environment, a failure occurred. This failure can occur for several reasons: |
31012 | Offboarding event start | This event can occur if you have disabled password writeback with Azure AD Connect and indicates that we started offboarding your organization from the password writeback web service. |
31013 | Offboarding event success | This event indicates that the offboarding process was successful and that password writeback was disabled successfully. |
31014 | Offboarding event failed | This event indicates that the offboarding process failed. This failure could be due to a permissions error on the cloud or on-premises administrator account specified during configuration. The error can also occur if you attempt to use a federated cloud global administrator when disabling password writeback. To resolve this problem, check your administrative permissions and make sure that you're not using a federated account while configuring password writeback. |
31015 | Writeback service started | This event indicates that the password writeback service started successfully. It's ready to accept password management requests from the cloud. |
31016 | Writeback service stopped | This event indicates that the password writeback service has stopped. Any password management requests from the cloud will fail. |
31017 | Auth token success | This event indicates that we successfully retrieved an authorization token for the global administrator specified during Azure AD Connect configuration to start the offboarding or onboarding process. |
31018 | Key pair creation success | This event indicates that we successfully created the password encryption key. This key is used to encrypt passwords sent from the cloud to your on-premises environment. |
31019 | Service Bus heartbeat | This event indicates that we successfully sent a request to your tenant's Service Bus instance. |
31034 | Service Bus listener error | This event indicates that an error occurred while connecting to the tenant's Service Bus listener. If the error message says "The remote certificate is invalid", verify that the Azure AD Connect server has all the required root certification authorities, as described in Azure TLS certificate changes. |
31044 | Password reset service | This event indicates that password writeback isn't working. Service Bus listens for requests on two separate relays for redundancy. Each relay connection is managed by a separate service host. The writeback client returns an error if either of the service hosts isn't running. |
32000 | Unknown error | This event indicates that an unknown error occurred during a password management operation. Look at the exception text in the event for more details. If you're having problems, try disabling and then re-enabling password writeback. If that doesn't help, include a copy of your event log along with the tracking ID specified in the event when you open a support request. |
32001 | Service error | This event indicates that an error occurred while connecting to the cloud password reset service. This error usually occurs when the on-premises service couldn't connect to the password reset web service. |
32002 | Service Bus error | This event indicates that an error occurred while connecting to the tenant's Service Bus instance. This error can happen if you're blocking outbound connections in your on-premises environment. Check your firewall to make sure that connections over TCP 443 and to https://ssprdedicatedsbprodncu.servicebus.windows.net are allowed, and try again. If you're still having problems, try disabling and then re-enabling password writeback. |
32003 | Input validation error | This event indicates that invalid input was passed to our web service API. Try the operation again. |
32004 | Decryption error | This event indicates that an error occurred while decrypting the password that arrived from the cloud. This error might be caused by a decryption key mismatch between the cloud service and your on-premises environment. To resolve this problem, disable and then re-enable password writeback in your on-premises environment. |
32005 | Configuration error | During onboarding, we save tenant-specific information to a configuration file in your on-premises environment. This event indicates that an error occurred while saving this file or that an error occurred while reading the file when the service started. To resolve this problem, try disabling and then re-enabling password writeback to force the configuration file to be rewritten. |
32007 | OnBoardingConfig update error | During onboarding, we send data from the cloud to the on-premises password reset service. That data is then written to an in-memory file before it's sent to the sync service to be stored securely on disk. This event indicates that a problem occurred while writing or updating that data in memory. To resolve this problem, try disabling and then re-enabling password writeback to force the configuration file to be rewritten. |
32008 | Validation error | This event indicates that we received an invalid response from the password reset web service. To resolve this problem, try disabling and then re-enabling password writeback. |
32009 | Auth token error | This event indicates that we couldn't get an authorization token for the global administrator account specified during Azure AD Connect configuration. This error can be caused by an incorrect username or password specified for the global administrator account. This error can also occur if the specified global administrator account is federated. To resolve this problem, rerun the configuration with the correct username and password, and make sure that the administrator is a managed (cloud-only or password synchronized) account. |
32010 | Crypto error | This event indicates that an error occurred while generating the password encryption key or while decrypting a password that arrived from the cloud service. This error might indicate a problem with your environment. Look at the event log details for more information on how to resolve this problem. You can also try disabling and then re-enabling the password writeback service. |
32011 | Onboarding service error | This event indicates that the on-premises service couldn't communicate properly with the password reset web service to start the onboarding process. This error can happen as a result of a firewall rule or because of a problem getting an authentication token for your tenant. To resolve this problem, make sure that you're not blocking outbound connections over TCP 443 and TCP 9350-9354 or to https://ssprdedicatedsbprodncu.servicebus.windows.net. Also make sure that the Azure AD administrator account that you use for onboarding isn't federated. |
32013 | Offboarding error | This event indicates that the on-premises service couldn't communicate properly with the password reset web service to start the offboarding process. This error can happen as a result of a firewall rule or because of a problem getting an authorization token for your tenant. To resolve this problem, make sure that you're not blocking outbound connections over 443 or to https://ssprdedicatedsbprodncu.servicebus.windows.net, and that the Azure Active Directory administrator account that you use for offboarding isn't federated. |
32014 | Service Bus warning | This event indicates that we had to retry the connection to your tenant's Service Bus instance. Normally this shouldn't be a problem, but if you see this event many times, consider checking your network connection to Service Bus, especially if it's a high-latency or low-bandwidth connection. |
32015 | Report service health error | To monitor the health of the password writeback service, we send heartbeat data to the password reset web service every five minutes. This event indicates that an error occurred while sending this health information back to the cloud web service. This health information doesn't include any personal data; it contains only a heartbeat and basic service statistics so that we can provide service status information in the cloud. |
33001 | AD unknown error | This event indicates that Active Directory returned an unknown error. For more information, look at the Azure AD Connect server event log for events from the ADSync source. |
33002 | AD user not found error | This event indicates that the user who attempted to reset or change a password wasn't found in the on-premises directory. This error can occur when the user was deleted on-premises but not in the cloud. This error can also occur if there's a problem with sync. For more information, look at the sync logs and the details of the last sync run. |
33003 | AD multi-match error | When a password change or reset request comes from the cloud, we use the cloud anchor specified during the Azure AD Connect setup process to determine how to link that request to a user in your on-premises environment. This event indicates that we found two users in your on-premises directory with the same cloud anchor attribute. For more information, look at the sync logs and the details of the last sync run. |
33004 | AD permissions error | This event indicates that the Active Directory Management Agent (ADMA) service account doesn't have the appropriate permissions on the account to set a new password. Make sure that the ADMA account in the user's forest has the Reset Password permission on all objects in the forest. For more information on how to set the permissions, see Step 4: Set up the appropriate Active Directory permissions. This error also occurs when the user's AdminCount attribute is set to 1. |
33005 | AD user account disabled | This event indicates that we attempted to reset or change a password for an account that was disabled on-premises. Enable the account and try the operation again. |
33006 | AD user account locked out | This event indicates that we attempted to reset or change a password for an account that was locked out on-premises. Lockouts can occur when a user has tried a change or reset password operation too many times in a short period. Unlock the account and try the operation again. |
33007 | AD user incorrect password | This event indicates that the user specified an incorrect current password when performing a password change operation. Specify the correct current password and try again. |
33008 | AD password policy error | This event occurs when the password writeback service attempts to set a password in the on-premises directory that doesn't meet the domain's password age, history, complexity, or filtering requirements. If you have a minimum password age and you recently changed the password within that time window, you can't change the password again until the age specified in your domain has elapsed. For testing purposes, the minimum age should be set to 0. If you have password history requirements enabled, you must select a password that hasn't been used in the last n times, where n is the password history setting. If you select a password that was used in the last n times, you see a failure in this case. For testing purposes, the password history should be set to 0. If you have password complexity requirements, they're all enforced when the user attempts to change or reset a password. If you have password filters enabled and the user selects a password that doesn't meet the filtering criteria, the reset or change operation fails. |
33009 | AD configuration error | This event indicates that there was a problem writing the password back to the on-premises directory because of an Active Directory configuration problem. Check the ADSync messages in the Application event log of the Azure AD Connect machine for details about what went wrong. |
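As an added example, not code from the original article, the following PowerShell script turns the two tables above into a triage view: it reads the recent events from the PasswordResetService and ADSync sources in the Application log on the Azure AD Connect server, annotates the event IDs with a constructed subset of the meanings listed above, and derives a listener up/down verdict from the most recent 31015/31016 pair. The optional feature check at the top assumes the ADSync PowerShell module and its Get-ADSyncAADCompanyFeature cmdlet are present on the server, which is the PowerShell route the "after some time" row in the common errors table refers to.

```powershell
# Added example, not from the original article.
# Pulls recent password writeback events from the Application log on the Azure AD
# Connect server and annotates them with the meanings from the tables above.
param([int]$Hours = 24)

# Constructed subset of the article's event tables (ID -> short meaning).
$meaning = @{
    31001 = 'Password reset start'
    31002 = 'Password reset success'
    31003 = 'Password reset failed: look for a following 33xxx event for the cause'
    31006 = 'Change password start'
    31008 = 'Change password failed: look for a following 33xxx event for the cause'
    31015 = 'Writeback service started'
    31016 = 'Writeback service stopped: cloud password requests will fail'
    31034 = 'Service Bus listener error: check trusted root CAs / TLS'
    32002 = 'Service Bus error: outbound TCP 443 to servicebus.windows.net blocked?'
    32004 = 'Decryption error: key mismatch, disable and re-enable writeback'
    32009 = 'Auth token error: wrong credentials or federated admin account'
    32011 = 'Onboarding service error: firewall (TCP 443, 9350-9354) or token problem'
    33002 = 'AD user not found: check the user''s sync status'
    33004 = 'AD permissions error: ADMA lacks Reset Password, or adminCount=1'
    33005 = 'AD user account disabled'
    33006 = 'AD user account locked out'
    33008 = 'AD password policy error: age / history / complexity / filter'
    6329  = 'ADSync could not set the password: read the message (policy, LDAP policy hints, duplicate anchor)'
}

# Optional: confirm the feature is enabled in the local ADSync configuration
# (assumption: the ADSync module's Get-ADSyncAADCompanyFeature is available here).
try {
    Import-Module ADSync -ErrorAction Stop
    "Password writeback enabled in ADSync config: $((Get-ADSyncAADCompanyFeature).PasswordWriteBack)"
} catch {
    Write-Warning "Could not read ADSync feature state: $($_.Exception.Message)"
}

# The two event sources the article names.
$filter = @{
    LogName      = 'Application'
    ProviderName = @('PasswordResetService', 'ADSync')
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$events |
    Where-Object { $meaning.ContainsKey($_.Id) -or $_.LevelDisplayName -in 'Error', 'Warning' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Source  = $_.ProviderName
            Id      = $_.Id
            Level   = $_.LevelDisplayName
            Meaning = if ($meaning.ContainsKey($_.Id)) { $meaning[$_.Id] } else { '(see the tables above)' }
            Message = ($_.Message -split "`r?`n")[0]   # first line only, keeps the table readable
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap

# Health verdict from the most recent start/stop event of the writeback listener.
$last = $events | Where-Object { $_.Id -in 31015, 31016 } | Sort-Object TimeCreated | Select-Object -Last 1
switch ($last.Id) {
    31015   { "Writeback listener is UP (since $($last.TimeCreated))" }
    31016   { "Writeback listener is DOWN (stopped at $($last.TimeCreated)); restart the ADSync service" }
    default { "No writeback start/stop event in the last $Hours hours" }
}
```

Reading the output top-down follows the article's own order of diagnosis: a 3100x failure event is the symptom, the 33xxx event that follows it in the same second is usually the cause, and a 3200x or 31034 event points back at the connectivity section above rather than at Active Directory.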
Azure AD forums
If you have general questions about Azure AD and self-service password reset, you can ask the community for assistance. Community members include engineers, product managers, MVPs, and other IT professionals.
If you can't find the answer to your question, our support team is available to help you further.
To help us assist you properly, provide as much detail as possible when you open a case. These details include:
- Error overview: What is the error? What behavior did you notice? How can we reproduce the error? Provide as much detail as possible.
- Page: What page were you on when you noticed the error? Include the URL, if possible, and a screenshot of the page.
- Support code: What was the support code generated when the user saw the error? To find this code, reproduce the error, then select the Support code link at the bottom of the screen, and send the resulting GUID to the support engineer. If you're on a page without a support code at the bottom, press F12, search for the SID and CID, and send both results to the support engineer.
- Date, time, and time zone: Include the exact date and time, with the time zone, when the error occurred.
- User ID: Who is the user who saw the error? An example is user@contoso.com.
  - Is this a federated user?
  - Is this a pass-through authentication user?
  - Is this a password hash synchronized user?
  - Is this a cloud-only user?
- License: Does the user have an Azure AD license assigned?
- Application event log: If you're using password writeback and the error is in your on-premises infrastructure, include a zipped copy of the Application event log from the Azure AD Connect server.
Next steps
For more information about SSPR, see How it works: Azure AD self-service password reset or How does self-service password reset writeback work in Azure AD?