A cloud-based identity and access management service for securing user authentication and resource access
We are trying to enable and test Self-Service Password Reset (SSPR) writeback for on-premises AD, but are encountering the error:
SSPR_0029: We’re unable to reset your password due to an error in your on-premises configuration.
Environment:
Microsoft Entra Connect Sync version: 2.5.76.0
Staging mode: False
No Cloud Sync configurations or agents active
Password writeback is checked in Azure AD Connect wizard (toggled off and on again)
Tenant-side SSPR is enabled for our test user group
Sync account confirmed in Connect wizard (genesis\adsync)
Outbound TCP 443 allowed to Microsoft endpoints
Symptoms:
SSPR test from https://passwordreset.microsoftonline.com fails with SSPR_0029
In Entra admin center Audit logs:
Status: failure
Status reason: We encountered a problem while resetting the user's on-premises password. Check your sync machine's event log.
No events are logged under Event Viewer → Applications and Services Logs → Microsoft Azure AD Sync → Operational for PasswordResetService at the time of reset
No PasswordResetService channel present in Event Viewer
What we’ve already checked:
Staging mode is off
No Cloud Sync agents are active
Password writeback re-enabled via Azure AD Connect wizard (Customize synchronization options → Optional Features)
Sync account has domain-level delegated permissions for:
Reset password
Write lockoutTime
Forced initial sync cycle after configuration change
Verified user is in scope for sync and part of enabled SSPR group in Entra ID
Questions for Microsoft:
On build 2.5.76.0, should the PasswordResetService event log always be present if writeback is truly enabled?
Could this be a case where the tenant-side PasswordWriteback flag was never actually registered despite being enabled in the wizard?
Are there any known bugs on 2.5.76.0 where SSPR writeback fails without Cloud Sync, staging mode, or permissions issues?
Is there a way to confirm tenant recognition of writeback capability outside of Get-ADSyncAADCompanyFeature, since this version doesn’t reliably display the flag?
Any guidance on further troubleshooting or confirming that writeback is actually active would be appreciated.
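As an added diagnostic, not part of the original post and not an answer from Microsoft, the script below collects on one pass the evidence the question is asking about: service and staging state, whatever password-related feature flags the tenant reports, which event log channels and PasswordResetService events actually exist on the box, and the ACEs the sync account holds at the domain root. The ADSync and ActiveDirectory cmdlets are real; the sync account name is taken from the post; the property name that carries the writeback flag is not assumed (any property containing "Password" is printed), and the assumption that PasswordResetService events land in the Application log is labelled in the code. The two GUIDs are the well-known Reset Password extended right and the lockoutTime attribute schema GUID.

```powershell
# Added troubleshooting script for password writeback on an Entra Connect server.
# Run in an elevated PowerShell session on the sync server itself.
Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$SyncAccount = 'genesis\adsync'                      # from the post
$SamName     = $SyncAccount.Split('\')[1]
$Domain      = Get-ADDomain                           # domain the connector writes to

Write-Host "== 1. Sync service and scheduler state =="
Get-Service ADSync | Select-Object Name, Status, StartType | Format-Table -AutoSize
$sched = Get-ADSyncScheduler
"StagingModeEnabled : $($sched.StagingModeEnabled)"   # must be False for writeback
"SyncCycleEnabled   : $($sched.SyncCycleEnabled)"

Write-Host "`n== 2. Tenant feature flags reported by the connector =="
# The exact property name for writeback differs between builds, so print every
# property whose name mentions 'Password' rather than assuming one.
$features = Get-ADSyncAADCompanyFeature
$features.PSObject.Properties |
    Where-Object { $_.Name -match 'Password' } |
    ForEach-Object { '{0,-36}: {1}' -f $_.Name, $_.Value }

Write-Host "`n== 3. Event log channels that exist on this server =="
# Wildcards discover the channel instead of hard-coding a name that may not exist.
Get-WinEvent -ListLog '*PasswordReset*', '*AzureAD*', '*ADSync*' -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount | Format-Table -AutoSize

Write-Host "`n== 4. Recent PasswordResetService events (assumed to be in the Application log) =="
$filter = @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'   # assumption: provider name as seen in Event Viewer
    StartTime    = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    "No PasswordResetService events in the last 24h: the writeback component is not reporting."
} else {
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message -First 20 | Format-List
}

Write-Host "`n== 5. ACEs for $SyncAccount at $($Domain.DistinguishedName) =="
# Well-known GUIDs: Reset Password extended right and the lockoutTime attribute.
$RightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime (attribute)'
    '00000000-0000-0000-0000-000000000000' = '(all objects/properties)'
}
$acl = Get-Acl -Path ("AD:\" + $Domain.DistinguishedName)
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$SamName" }
if (-not $aces) {
    "No explicit ACEs for $SyncAccount at the domain root; rights may be granted via a group or a lower OU."
} else {
    $aces | ForEach-Object {
        $label = $RightNames[$_.ObjectType.ToString()]
        if (-not $label) { $label = $_.ObjectType.ToString() }
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = $label
            Inheritance = $_.InheritanceType
        }
    } | Format-Table -AutoSize
}
```

Read the sections together: if section 2 shows no password-related flag set, the tenant never registered the feature and the wizard step should be repeated; if section 3 lists no channel and section 4 finds no events, the writeback component on the server is not starting, which is a local problem rather than a tenant one; section 5 confirms whether the Reset Password and lockoutTime rights are actually present on the account the connector uses, and whether they are inherited down to the user's OU.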