SSPR_0029: Your organization hasn’t properly set up the on-premises configuration for password reset.

Orlando Paulino 0 Reputation points
2025-01-28T18:24:40.1266667+00:00

Getting the following error message when trying to test the Self Service Password Reset. SSPR_0029: Your organization hasn’t properly set up the on-premises configuration for password reset.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Andy David - MVP 157.9K Reputation points MVP Volunteer Moderator
    2025-01-28T19:13:00.8866667+00:00

  2. Abiola Akinbade 29,645 Reputation points Volunteer Moderator
    2025-01-29T08:25:29.65+00:00

    Hello Orlando Paulino,

    Thanks for your question. Also see: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/user-prov-sync/password-writeback-error-code-sspr-0029

    This will help you to troubleshoot if you have correctly set up SSPR.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola


  3. Raja Pothuraju 24,710 Reputation points Microsoft External Staff Moderator
    2025-02-05T19:51:43.9066667+00:00

    Hello @Orlando Paulino,

    Thank you for your feedback.

    Based on the information you provided, I understand that you are trying to reset your password by clicking "Can't access your account" on the sign-in page and following the "Forgot Password" flow. After completing all the required verification steps (e.g., alternate email, phone, etc.), the Windows AD administrator attempts to set a new password, but the process fails with the generic error SSPR_0029. Below is the complete error message:

    Error Details:
    You can't reset your own password because password reset isn't properly set up for your organization.
    
    You must contact your administrator to both reset your password and to investigate the problem.
    
    Hide additional details
    SSPR_0029: Your organization hasn't properly set up the on-premises configuration for password reset.
    
    If you're an administrator, you can get more information from the Troubleshoot password writeback article. If you're not an administrator, you can provide this information when you contact your administrator.
    
    

    For security reasons, a Windows AD account that belongs (or belonged) to on-premises AD protected group(s) cannot use SSPR + Password Writeback to reset his/her on-premises password using the "Forgot my password" flow.

    In order to determine if a user is or was a member of a protected group, you can check if the on-premises AD user object has the AdminCount attribute set.

    When a user account is added to a Protected Group, there's a background task that runs every 60 minutes in AD (SDProp) that will make the following changes on the account:

    • Set adminCount = 1
    • Disable Inheritance of the AD permissions
    • Overwrite all AD permissions as set in the AdminSDHolder object

    As a result, Password Writeback (by default) does not have sufficient permissions to change or reset passwords for such accounts, which is why you are encountering this error.

    For a complete list of all Protected Groups by Domain Controller OS version, visit Protected Groups.

    More Information

    How does self-service password reset writeback work in Azure Active Directory?


    If you’d like to discuss this issue in more detail offline, please feel free to email me at [AzCommunity@microsoft.com] with the subject line "Attn: Pothurajur" and include a link to this thread for reference.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
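
The check described in the answer above, as an added example that is not part of the original thread or of Microsoft's documentation: it reads `adminCount` and the inheritance flag on the affected user and lists any groups stamped `adminCount=1` that still contain the account. The function name `Test-SsprProtectedAccount` and the account name `jdoe` are hypothetical; the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-SsprProtectedAccount {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName        # the user who received SSPR_0029
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor

    # Escape characters that are special inside an LDAP filter value.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                  -replace '\)', '\29' -replace '\*', '\2a'

    # Groups stamped adminCount=1 that contain the user directly or through nesting.
    # 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
    # Membership held only through primaryGroupID is not visible via the member attribute.
    $filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
    $groups = @(Get-ADGroup -LDAPFilter $filter)

    $flagged = ($user.adminCount -eq 1)
    $assessment = if ($flagged -and $groups.Count -gt 0) {
        'Currently in a protected group: writeback reset is expected to fail'
    } elseif ($flagged) {
        'adminCount=1 with no current protected membership: former member'
    } else {
        'adminCount not set: check other causes of SSPR_0029'
    }

    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        AdminCount          = $user.adminCount
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedGroups     = ($groups | ForEach-Object Name) -join '; '
        Assessment          = $assessment
    }
}

# Constructed account name; replace with the affected user.
Test-SsprProtectedAccount -SamAccountName 'jdoe' | Format-List
```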

