Hi,
We have enabled Entra Connect Sync for our on-prem DC so we can write back passwords from Entra ID for SSPR. We have been testing the password writeback and have found that it works on the older password reset page (where you provide the current password along with the new password) at the URL below:

https://account.activedirectory.windowsazure.com/ChangePassword.aspx

However, as that page illustrates, it's being migrated to:

https://mysignins.microsoft.com/security-info/password/change

which prompts just for the new password. This seems to work for some accounts but not others, but it isn't easy to establish precisely what might be happening. The Event Log on the server running the Entra Connect app has the following entries:
Error 11/07/2024 21:58:33 ADSync 6329 Server
An unexpected error has occurred during a password set operation.
"ERR_: MMS(14388): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(14388): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(14388): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR: MMS(14388): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(14388): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(14388): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR: MMS(14388): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(14388): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(14388): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR: MMS(14388): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'SkipAdminCountCheck', 0x2
BAIL: MMS(14388): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(14388): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
BAIL: MMS(14388): admaexport.cpp(3156): 0x80231367 (Requesting user was denied access to perform the operation on a privileged account.): AdminCount restriction 1.
BAIL: MMS(14388): admaexport.cpp(3390): 0x80231367 (Requesting user was denied access to perform the operation on a privileged account.)
ERR: MMS(14388): ..\ma.cpp(8256): ExportPasswordSet failed with 0x80231367
Azure AD Sync 2.3.8.0"
And then the following:
Error 11/07/2024 21:58:33 PasswordResetService 33004 None
TrackingId: f5b6cb9c-84e0-4616-8b9c-5f81284d11d7, Reason: Synchronization Engine returned an error hr=80231367, message=Requesting user was denied access to perform the operation on a privileged account., Context: cloudAnchor: User_643f8dba-3bb6-48dc-bd00-76ecddbbacb5, SourceAnchorValue: ikMRnZn29kqamQ5bqjeynA==, AdminUpn: user.name@domain.com, UserPrincipalName: user.name@domain.com, ForcePasswordChange: False, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80231367, message=Requesting user was denied access to perform the operation on a privileged account.
at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)
at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPasswordByAdmin(String resetUserPasswordByAdminXmlRequestString)
The above was sanitised to remove actual user data. Nonetheless, I have checked and rechecked and reset the permissions for Reset password, Change password, Write lockoutTime, and Write pwdLastSet for the MSOL_*** user account to no avail. As it works on that first password reset page, it seems that things are configured, but clearly there must be a difference in requirements between the two pages. If anyone else has suggestions on how to approach this, it would be appreciated.
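The sync engine log above stops at "AdminCount restriction 1", i.e. writeback refused the operation because the target account is treated as privileged; in Active Directory that is the adminCount attribute, which SDProp sets to 1 on members of protected groups (and on the protected groups themselves). The PowerShell below is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module and a list of UPNs you supply, and reports each account's adminCount together with the protected groups it belongs to, including through nested membership.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module is installed and that you supply the UPNs to check.
Import-Module ActiveDirectory

function Get-WritebackPrivilegeReport {
    param([Parameter(Mandatory)][string[]]$Upn)

    foreach ($name in $Upn) {
        $user = Get-ADUser -Filter "UserPrincipalName -eq '$name'" -Properties adminCount
        if (-not $user) {
            [pscustomobject]@{ Upn = $name; Found = $false; AdminCount = $null; Groups = @() }
            continue
        }
        # Transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN, because
        # AdminSDHolder protection is inherited through nested groups.
        $dn = $user.DistinguishedName
        $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties adminCount |
            Where-Object { $_.adminCount -eq 1 } |
            Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Upn        = $name
            Found      = $true
            AdminCount = $user.adminCount   # 1 => the sync engine treats the account as privileged
            Groups     = @($groups)          # protected groups the account belongs to (transitively)
        }
    }
}

# Constructed sample input; replace with the accounts that fail on the new change-password page.
Get-WritebackPrivilegeReport -Upn 'user.name@domain.com', 'other.user@domain.com' |
    Format-Table Upn, Found, AdminCount, @{ n = 'ProtectedGroups'; e = { $_.Groups -join ', ' } }
```

An account can show AdminCount = 1 with an empty ProtectedGroups column: SDProp does not clear adminCount when a user leaves a protected group, so the flag persists until an administrator clears it, and writeback still treats such an account as privileged.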