This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 14.000000000000002%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGE%3C/text%3E%3C/svg%3E)
I am setting up SSPR in my hybrid Entra environment. When an on premise user tried to change their password, they get all the way through the process. Finally they get a vague answer about their organization not supporting this feature.
I have walked through numerous articles which all direct me to the same items in Entra where I appear to have everything set up correctly. Then I came to this article: https://learn.microsoft.com/en-us/entra/identity/authentication/troubleshoot-sspr-writeback Midway down this page it shows you how to view the permissions of the Entra AD User's permissions to see if the correct feature are enabled. What the article does not do is tell you how to fix them.
Another article shows possibly how to fix this, but also wants a Permission to be set for the user named "unexpire password". However, this Permission option is not available. https://github.com/MicrosoftDocs/azure-docs/issues/55262
Any ideas?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Hello @Greg Ernest
We haven’t heard from you on the last response can you please share the screenshot when an on-premise user tried to change their password. and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hi, the required perms for the Entra Sync account are here:
At an individual account level, security inheritance would need to be enabled.
You can also troubleshoot and set the perms with these Powershell commands
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-adsyncconfig
I have tried the above. No luck. I also am having trouble with my Windows Hello PIN. I'm not sure if that's related. If I login to myaccount.microsoft.com, I can add all kinds of security device types. This doesn't seem to help either.
Hi @Greg Ernest
can you please share the screenshot when an on-premise user tried to change their password.
Hi @Greg Ernest
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hi @Greg Ernest
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
I cannot get a screenshot as the error happens outside of the Windows desktop environment. I am not even signed in when this happens. I will try a picture from my phone when I am next in the office.
I will test again when I return to the office.