Self password reset is not functional

mohamed irfan 0 Reputation points
2025-12-02T01:36:28.2066667+00:00

Hi Support.

We are having an issue with the self-service password reset not functioning.

The password had recently expired and prompted for a password reset; after entering the password it came back with the error "null error". I reset the password from AD and took the below troubleshooting steps:

  1. Troubleshoot through the AD sync hash for the user - successful, no errors
  2. Settings are accordingly - works for other users
  3. Password writeback health in Azure AD Connect

but still not able to self-reset the password for the user. Any help would be greatly appreciated.

Thanks

Irfan.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Shubham Sharma 3,430 Reputation points Microsoft External Staff Moderator
    2025-12-03T12:23:11.98+00:00

    Hello mohamed irfan

    Thank you for reaching out to Microsoft Q&A.

    You’re facing a Self-Service Password Reset (SSPR) failure with a “null error” after password expiry, even though Azure AD Connect password hash sync and writeback health checks are fine.

    Below are the root causes:

    1.) Password Writeback Connectivity Issues

    Firewall or proxy blocking outbound HTTPS to *.passwordreset.microsoftonline.com or *.servicebus.windows.net.

    TLS 1.2 or .NET Framework not enabled.

    Service Bus token errors indicate connectivity problems.

    2.) Permissions on AD DS Connector Account

    The MSOL_ account used by Azure AD Connect must have Reset Password rights on user objects.

    If permissions are missing, writeback fails silently or throws generic errors.

    3.) On-Premises Password Policy Conflicts

    Minimum password age > 0 or complex policy violations can block resets.

    Temporarily relax policy for troubleshooting.

    4.) Protected Accounts (AdminSDHolder)

    If the user was ever in privileged groups (Domain Admins, etc.), adminCount=1 and the inheritance block can prevent writeback.

    Steps to resolve:

    1.) Verify Connectivity

    Run PowerShell on the Azure AD Connect server:

    Test-NetConnection -ComputerName <namespace>.servicebus.windows.net -Port 443

    Ensure outbound HTTPS to required endpoints is allowed.

    For your reference: https://learn.microsoft.com/en-us/entra/identity/authentication/troubleshoot-sspr-writeback

    2.) Verify Password Writeback Configuration

    1. In Microsoft Entra Connect, ensure Password Writeback is enabled.
    2. Check the connector account permissions

    Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName "MSOL_<account>"

    For your reference: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback

    3.) Validate Password Policies

    1. Ensure Minimum password age is set to 0 in AD.
    2. Check complexity rules and temporarily relax if needed.

    For your reference: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/user-prov-sync/password-writeback-general-troubleshooting-steps

    4.) Restart Services and Re-enable Writeback

    Restart ADSync service

    Restart-Service ADSync

    Disable and re-enable Password Writeback in Entra Connect.

    Please let us know if you need any further assistance.
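The checks in the answer above, gathered into one read-only PowerShell script to run on the Entra Connect server. This is an added example, not code from the question, the answer or Microsoft; the `$User` and `$Namespace` values are placeholders, and the `PasswordResetService` event source name and the `SchUseStrongCrypto` registry values are assumptions taken from the writeback troubleshooting and TLS 1.2 guidance.

```powershell
# Added example: read-only checks for the writeback blockers listed in the answer.
param(
    [string]$User      = 'jdoe',         # sAMAccountName of the affected user (placeholder)
    [string]$Namespace = '<namespace>'   # Service Bus namespace from the writeback config (placeholder)
)
Import-Module ActiveDirectory -ErrorAction Stop
$findings = @()

# 1) Connectivity: outbound TCP 443 to the Service Bus relay used by password writeback.
$tnc = Test-NetConnection -ComputerName "$Namespace.servicebus.windows.net" -Port 443 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { $findings += "TCP 443 to $Namespace.servicebus.windows.net failed (firewall or proxy?)" }

# 2) TLS 1.2 for .NET: SchUseStrongCrypto should be 1 in both the 64-bit and 32-bit .NET keys (assumed per MS guidance).
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $v = (Get-ItemProperty -Path $k -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($v -ne 1) { $findings += "SchUseStrongCrypto is not 1 under $k (TLS 1.2 for .NET may be off)" }
}

# 3) Protected account: adminCount=1 and a protected ACL mean AdminSDHolder has stripped inherited rights.
$u = Get-ADUser -Identity $User -Properties adminCount, nTSecurityDescriptor, PasswordExpired, LockedOut
if ($u.adminCount -eq 1) { $findings += "$User has adminCount=1 (AdminSDHolder-protected); writeback is blocked for such accounts" }
if ($u.nTSecurityDescriptor.AreAccessRulesProtected) { $findings += "$User has ACL inheritance disabled; the MSOL_ connector account's Reset Password right may not apply" }
if ($u.LockedOut) { $findings += "$User is locked out in AD" }

# 4) Password policy: a resultant fine-grained policy overrides the default domain policy.
$policy = Get-ADUserResultantPasswordPolicy -Identity $User
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
if ($policy.MinPasswordAge -gt [TimeSpan]::Zero) { $findings += "MinPasswordAge is $($policy.MinPasswordAge); the answer asks for 0 while troubleshooting" }

# 5) Sync service state and recent writeback errors in the Application log (event source name assumed).
if ((Get-Service ADSync).Status -ne 'Running') { $findings += 'ADSync service is not running' }
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PasswordResetService'; Level = 2;
                                           StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
if ($events) { $findings += "$($events.Count) PasswordResetService error(s) in the last 24h; latest: $($events[0].Message.Split("`n")[0])" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host "No writeback blockers found for $User" }
```

Run it in an elevated session on the Entra Connect server with the RSAT ActiveDirectory module installed; each warning maps to one of the numbered causes in the answer.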

