Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Active Directory password reset
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 95%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Abdulsalam
0
Reputation points
We are facing an issue with resetting user passwords via Microsoft Graph API in a hybrid identity environment (Entra ID + on‑premises Active Directory).
Problem Description
When a user’s password is reset using Microsoft Graph API, the password is successfully updated in Entra ID. However, the password is not written back to on‑premises Active Directory, as the user is still able to authenticate using the old password against on‑prem resources.
In contrast, when the same user performs a password reset through Self‑Service Password Reset (SSPR), the password is correctly updated in both Entra ID and on‑prem AD, which confirms that password writeback is enabled and functioning.
Then tried below api
- Admin‑initiated Graph API:
POST /users/{id}/authentication/methods/{passwordMethodId}/resetPassword
But it popup below error
Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
Note : I created new service user and provide required role as well.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 40,575 Reputation points Microsoft External Staff Moderator2026-05-25T13:06:45.33+00:00 Hello Abdulsalam
In hybrid setups, graph password reset does not trigger on-premises AD password writeback; it just modifies the Entra ID cloud password. This is what's expected.
Only SSPR flow via Entra Password Reset service or direct on-premises AD reset are supported for password writeback to on-premises Active Directory; the Microsoft Graph API is not. Conditional access for privileged authentication procedures is the cause of the MFA problem, which has nothing to do with writeback.
Let me know if any further queries - feel free to reach out!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 44%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Precious Kejie Obi 0 Reputation points2026-05-25T13:59:58.1333333+00:00 Hey Abdulsalam,
Hybrid identity setups can be incredibly finicky when it comes to password management. Since you are using the Microsoft Graph API to reset passwords, the issue usually boils down to how permissions and writeback are configured between Entra ID and your on-premises AD.
A few things you'll want to double-check:
Password Writeback Status: Is Password Writeback actually enabled and running smoothly in Microsoft Entra Connect? If it’s turned off or throwing sync errors, Graph API will update the cloud object, but the change will never make it back to your on-premises domain controller.
The Sync Account Permissions: Take a look at the on-premises MSOL_ account (or the custom service account you use for Entra Connect). It needs explicit "Reset Password" and "Write lockoutTime" permissions on the user objects in your local AD. If the target users are in an OU that isn't inheriting these permissions, the writeback will silently fail.
Admin SDHolder / Protected Groups: Are the users experiencing this issue members of protected on-premises groups (like Domain Admins, Account Operators, etc.)? Local AD automatically breaks permission inheritance for these accounts every hour. If that's the case, Entra Connect loses its rights to write the password back.
Could you share a bit more of the error log or let us know if the reset fails entirely, or if it just updates in the cloud but not on-prem? That might help us narrow it down.
-
Abdulsalam 0 Reputation points
2026-05-25T16:18:04.11+00:00 @Rukmini you mean we cant use this graph api as well right . earlier I used PATCH method {
passwordProfile: { password: newPassword, forceChangePasswordNextSignIn: true, },}; by applying client id and client secret to generate access token. It reset the password but while changing the password it shows invalid password.. it looks password is not sync with on-prem. but while resetting the password using SSPR. it got sync with on-prem.
coming to below error while using delegate permission to hit the api POST /users/{id}/authentication/methods/{passwordMethodId}/resetPassword. i created one admin account but while hitting api it expects MFA challenge .
@Precious Kejie Obi above is my error.
Sign in to comment
Sign in to answer