Azure Active Directory (Azure AD) self-service password reset (SSPR) allows users to reset their passwords in the cloud.
If you're having trouble using SSPR, the troubleshooting steps and common errors below may help. A short video, How to resolve the six most common SSPR end-user error messages, is also available online.
If you can't find an answer to your question, our support team is here to help you further.
SSPR configuration in the Azure portal
If you have issues viewing or configuring SSPR options in the Azure portal, please review the following troubleshooting steps:
I don't see the Password reset section under Azure AD in the Azure portal.
You won't see the Password reset menu option if there is no Azure AD license assigned to the administrator performing the operation.
To assign a license to the administrator account in question, follow the steps in Assign, validate, and troubleshoot licenses.
I don't see a specific configuration option.
Many user interface elements are hidden until they are needed. Make sure the option is enabled before you look for its specific configuration options.
I don't see the On-premises integration tab.
On-premises password writeback is visible only when Azure AD Connect has been downloaded and configured.
For more information, see Introduction to Azure AD Connect.
SSPR report
If you have issues using SSPR reports in the Azure portal, please review the following troubleshooting steps:
I see an authentication method that I have disabled in the Add method option in combined registration.
Combined registration takes three policies into account to determine which methods appear in Add method:
If you disabled app notifications in SSPR but enabled them in MFA policy, this option will appear in combined registration. As another example, if a user disables Office phone in SSPR, it still appears as an option if the user has the Office phone property set.
I don't see any password management activity types in the Self-Service Password Management audit event category.
This can happen if the administrator performing the action has not been assigned an Azure AD license.
To assign a license to the administrator account in question, follow the steps in Assign, validate, and troubleshoot licenses.
User registrations are displayed multiple times.
When a user registers, each piece of registered data is currently logged as a separate event.
If you want to aggregate this data and view it more flexibly, you can download the report and open the data as a pivot table in Excel.
SSPR Registration Portal
If your users are having trouble enrolling in SSPR, please review the following troubleshooting steps:
This directory does not allow password resets. Users may see an error message: "Your administrator does not allow you to use this feature."
You can enable SSPR for all users, no users, or selected user groups. Currently, Azure AD groups can only be enabled for SSPR using the Azure portal. Nested groups are supported as part of a wider SSPR implementation. Make sure the users in the selected group have the correct license.
In the Azure portal, change the Self-service password reset enabled setting to Selected or All, then select Save.
No Azure AD license assigned to the user. Users may see an error message: "Your administrator does not allow you to use this feature."
Currently, Azure AD groups can only be enabled for SSPR using the Azure portal. Nested groups are supported as part of a wider SSPR implementation. Make sure the users in the selected group have the correct license. Review the previous troubleshooting steps to enable SSPR if necessary.
Also review the troubleshooting steps to make sure that the administrator performing the configuration has permission. To assign a license to the administrator account in question, follow the steps in Assign, validate, and troubleshoot licenses.
An error occurred while processing your request.
Generic SSPR registration errors can be caused by a variety of issues, but generally this error is caused by a service outage or a configuration issue. If you continue to see this generic error when retrying the SSPR registration process, contact Microsoft support for more help.
Use SSPR
If you or your users experience issues with SSPR, review the following troubleshooting steps and scenarios:
Error | Solution |
---|---|
This directory does not allow password resets. | In the Azure portal, change the Self-service password reset enabled setting to Selected or All, then select Save. |
No Azure AD license assigned to the user. | This can happen if you don't have an Azure AD license assigned to the requesting user. To assign a license to the administrator account in question, follow the steps in Assign, validate, and troubleshoot licenses. |
The directory has password reset enabled, but the user's authentication information is missing or malformed. | Make sure the user has properly formed contact data on file in the directory. For more information, see Data used by Azure AD self-service password reset. |
The directory allows password resets, but when the policy is set to require two authentication methods, only one piece of contact information is in the user's profile. | Make sure the user has at least two contact methods configured correctly. An example is having both a mobile phone number and an office phone number. |
The directory has password reset enabled and the user is properly configured, but cannot be contacted. | This could be due to a temporary service error or incorrect contact information that we were unable to detect correctly. If the user waits 10 seconds, a "Retry" and "Contact Admin" link will be displayed. If the user selects "Retry", the connection is retried. If the user selects the "Contact Admin" option, it will send an email to the admin asking them to reset the password for that user account. |
The user never receives the password reset text message or phone call. | This could be caused by an incorrect phone number in the directory. Make sure the phone number is in the format "+1 4251234567". Password reset does not support extensions, even if you specify them in the directory. The extension is removed before the call is placed. Use a number without an extension, or integrate the extension into the phone number in your private branch exchange (PBX). |
The user never receives the password reset email. | The most common cause of this problem is spam filters rejecting the message. Check the spam, junk, or deleted items folder for the email. Also make sure that the user is checking the correct email account, the one registered with SSPR. |
I have a password reset policy set up, but when the admin account uses password reset, the policy is not applied. | Microsoft manages and controls administrator password reset policies to ensure the highest level of security. |
The user is prevented from attempting a password reset too many times in a day. | An automatic throttling mechanism prevents users from making too many password reset attempts in a short period of time. Throttling occurs in the following scenarios: |
The user sees an error while verifying the phone number. | This error occurs when the phone number entered does not match the phone number on file. When attempting a mobile phone password reset method, make sure the user enters the entire phone number, including the area code and country code. |
The user sees an error when using their email address. | If the UPN is different from the user's primary ProxyAddress/SMTPAddress, the Sign in to Azure AD using your email address as an alternate login ID setting must be enabled for the tenant. |
An error occurred while processing your request. | Generic SSPR registration errors can be caused by a variety of issues, but generally this error is caused by a service outage or a configuration issue. If you continue to see this generic error when retrying the SSPR registration process, contact Microsoft support for more help. |
On-premises policy violation. | The password does not comply with the on-premises Active Directory password policy. Users must define passwords that meet complexity or strength requirements. |
Password does not comply with fuzzy policy. | The password that was used appears in the banned password list and cannot be used. Users must define passwords that meet or exceed the banned password list policy. |
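
The contact-data rows in the table above (two methods required but only one on file; a phone number not in the "+1 4251234567" format or carrying an extension) can be checked in bulk before users hit the error. The following Python sketch is an added example, not part of the original article or any Microsoft tooling; the field names (`mobile`, `office_phone`, `alt_email`), the regular expressions and the sample records are assumptions constructed for illustration.

```python
import re

# Assumption: generalises the page's example "+1 4251234567" to
# "+<country code> <digits>"; the accepted lengths are illustrative.
PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}$")
# Assumption: common ways an extension is written in a directory attribute.
EXT_RE = re.compile(r"(?:ext\.?|x|#)\s*\d+\s*$", re.IGNORECASE)

def check_phone(value):
    """Return a list of problems with one phone value (empty list = usable)."""
    if not value or not value.strip():
        return ["missing"]
    value = value.strip()
    if EXT_RE.search(value):
        return ["has extension (removed before the call is placed)"]
    if not PHONE_RE.match(value):
        return ["not in '+<country code> <number>' format"]
    return []

def audit_user(user, required_methods=2):
    """Report why a user may fail SSPR: bad phone data or too few methods."""
    findings, usable = {}, 0
    for field in ("mobile", "office_phone"):   # hypothetical export columns
        problems = check_phone(user.get(field))
        if problems == ["missing"]:
            continue                           # absent method, not malformed
        if problems:
            findings[field] = problems
        else:
            usable += 1
    if user.get("alt_email"):                  # hypothetical export column
        usable += 1
    if usable < required_methods:
        findings["methods"] = [f"{usable} usable, policy requires {required_methods}"]
    return findings

# Constructed sample records (not real accounts).
USERS = [
    {"upn": "alice@contoso.com", "mobile": "+1 4251234567", "office_phone": "+1 4255550100"},
    {"upn": "bob@contoso.com", "mobile": "+1 4251234567 x123", "alt_email": "bob@example.com"},
    {"upn": "carol@contoso.com", "mobile": "(425) 123-4567"},
]

def audit_all(users=USERS, required_methods=2):
    """Map each UPN with at least one finding to its findings."""
    report = {u["upn"]: audit_user(u, required_methods) for u in users}
    return {upn: found for upn, found in report.items() if found}
```

Run against an export of directory contact data, `audit_all()` lists only the accounts that would fail the rows above, so they can be corrected before the user attempts a reset.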
SSPR Errors Visible to Users
As part of the SSPR process, the following errors and technical details may be displayed to the user. Often, they cannot fix the error themselves because SSPR must be enabled, configured, or registered to their account.
Use the following information to understand issues and what needs to be fixed in your Azure AD tenant or individual user accounts.
Error | Details | Technical details |
---|---|---|
TenantSSPRFlagDisabled = 9 | Sorry, you cannot reset your password at this time because your administrator has disabled password reset for your organization. There is nothing else you can do to resolve this situation. Please contact your administrator and ask them to enable this feature. For more information, see Help, I forgot my Azure AD password. | SSPR_0009: We detected that password reset is not enabled by the administrator. Please contact your administrator and ask them to enable password reset for your organization. |
WritebackNotEnabled = 10 | Sorry, you cannot reset your password at this time because your administrator has not enabled the required service for your organization. There is nothing else you can do to resolve this situation. Please contact your administrator and ask them to verify your organization's settings. For more information on this required service, see Set password writeback. | SSPR_0010: We detected that password writeback is not enabled. Please contact your administrator and ask them to enable password writeback. |
SsprNotEnabledInUserPolicy = 11 | Sorry, you cannot reset your password at this time because your administrator has not set up password reset for your organization. There is nothing else you can do to resolve this situation. Please contact your administrator and ask them to set up password reset. For more information on how to set up password reset, see Quickstart: Azure AD self-service password reset. | SSPR_0011: Your organization has not defined a password reset policy. Please contact your administrator and ask them to define a password reset policy. |
UserNotLicensed = 12 | Sorry, you cannot reset your password at this time because your organization lacks the required licenses. There is nothing else you can do to resolve this situation. Please contact your administrator and ask them to verify the license assignment. For more information on licenses, see Licensing requirements for Azure AD self-service password reset. | SSPR_0012: Your organization does not have the license required to reset the password. Please contact your administrator and ask them to verify your license assignment. |
UserNotMemberOfScopedAccessGroup = 13 | Sorry, you cannot reset your password at this time because your administrator has not set up your account for password reset. There is nothing else you can do to resolve this situation. Please contact your administrator and ask them to set up your account to reset your password. For more information on how to set up your account to reset your password, see Enter user password reset. | SSPR_0013: Not a member of the password reset group. Contact an administrator and request to be added to this group. |
UserNotProperlyConfigured = 14 | Sorry, you cannot reset your password at this time because your account is missing required information. There is nothing else you can do to resolve this situation. Please contact your administrator and request a password reset. After accessing your account again, you will need to register the necessary data. To register information, follow the steps in the Sign up for self-service password reset article. | SSPR_0014: Additional security information is required to reset your password. To continue, please contact your administrator and request a password reset. After accessing your account, you can register additional security information at the following address: https://aka.ms/ssprsetup. Your administrator can add additional security information to your account by following the steps in Set and read your credentials to reset password. |
OnPremisesAdminActionRequired = 29 | Sorry, we are unable to reset your password at this time due to a problem with your organization's password reset settings. There is nothing else you can do to resolve this situation. Contact the administrator and request an investigation. Or: Due to an issue with your organization's password reset settings, we are unable to reset your password at this time. There is nothing else you can do to resolve this issue. Contact the administrator and request an investigation. For more information on possible problems, see Password writeback troubleshooting. | SSPR_0029: We were unable to reset your password due to an on-premises configuration error. Contact the administrator and request an investigation. |
OnPremisesConnectivityError = 30 | Sorry, we are unable to reset your password at this time due to connectivity issues with your organization. No action can be taken at this time, but if you try again later, the problem may be resolved. If the problem persists, please contact your administrator and ask them to investigate the problem. For more information on connection issues, see Troubleshooting password writeback connections. | SSPR_0030: We were unable to reset your password due to a poor connection to your on-premises environment. Please contact your administrator and ask them to investigate the issue. |
Azure AD Forum
If you have general questions about Azure AD and self-service password reset, you can ask the community for help. Community members include engineers, product managers, MVPs, and other IT professionals.
If you can't find an answer to your question, our support team is always available to assist you further.
In order to assist you properly, please provide as much detail as possible when opening a case. These details include:
- Error overview: What's wrong? What behaviors were noticed? How can we reproduce the error? Please provide as many details as possible.
- Page: Which page were you on when you noticed the error? If possible, please attach the URL and a screenshot of the page.
- Support code: What is the support code generated when a user sees an error?
To find this code, reproduce the error, then select the Support code link at the bottom of the screen and send the resulting GUID to your support engineer.
If you are on a page without a support code at the bottom, select F12, find the SID and CID, and send both results to your support engineer.
- Date, time, and time zone: Include the exact date and time, with the time zone, at which the error occurred.
- User ID: Who is the user who noticed the error? An example is user@contoso.com.
- Is this a federated user?
- Is this a pass-through authentication user?
- Is this a password hash synchronized user?
- Is this a cloud-only user?
- Licensing: Does the user have an Azure AD license assigned?
- Application event log: If you are using password writeback and the error occurs on-premises, include a zipped copy of the application event log from the Azure AD Connect server.
Next step
For more information on SSPR, see How it works: Azure AD self-service password reset or How does Azure AD self-service password reset writeback work?