25,129 questions
This fixed mine - just disable and then re-enable in the Azure AD Connect wizard. Note the steps in the article are outdated, but it's pretty easy to follow along.
Password reset | On-premises integration Option not available
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 48%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
AFB_Admin
1
Reputation point
Password reset | On-premises integration Option not available
Have enabled Azure AD Connector onprem. Accounts have been synchronized to the cloud successfully. Followed ALL steps in this article https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback?WT.mc_id=Portal-Microsoft_AAD_IAM#configuring-password-writeback but when I get to "Enable password writeback for SSPR" portion, options are 'grayed out' & there is a warning/notice stating "No agents have been detected. Install a sync agent and set up your sync engine before enabling password writeback.". The article that I am pointed to is the same one I used to set up the rest. Anyone else run into this?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
5 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 5%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
John Meredith 5 Reputation points2023-01-18T16:48:09.7633333+00:00 -
Homer Sibayan 366 Reputation points2023-08-24T08:29:58.3166667+00:00 This solution works on mine too. if the feature is already disabled then enable it in Azure AD Configuration wizard. Enable Password Writeback
Sign in to comment -
-
AmanpreetSingh-MSFT 56,871 Reputation points Moderator2021-10-28T08:25:18.91+00:00 Hi @AFB_Admin • Thank you for reaching out.
I suspect the issue is due to Network Connectivity, where your corporate firewall or proxy device might be blocking access to required endpoints.
Invoke-WebRequest -Uri https://ssprdedicatedsbprodscu.servicebus.windows.net -Verbose
If there is no connectivity issue, check if Microsoft Azure AD Sync service is running. Try restarting the service as well. If you still face any issues, try disabling and re-enabling the password writeback feature.
Also, check the application event logs and look for ADSync in the source to get more details about the error.
Read more: Troubleshoot self-service password reset writeback in Azure Active Directory
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
-
AFB_Admin 1 Reputation point
2021-11-02T00:45:39.657+00:00 Thank you for this - I tried it & got the following returned. Seems like this is a result that indicates it should be working?
Invoke-WebRequest -Uri https://ssprdedicatedsbprodscu.servicebus.windows.net -Verbose
VERBOSE: GET https://ssprdedicatedsbprodscu.servicebus.windows.net/ with 0-byte payload
VERBOSE: received -1-byte response of content type application/atom+xml;type=feed;charset=utf-8StatusCode : 200
StatusDescription : OK
Content : <feed xmlns="http://www.w3.org/2005/Atom"><title type="text">Publicly Listed
Services</title><subtitle type="text">This is the list of publicly-listed services currently
available.</subtitle><id>uuid:...
RawContent : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
Content-Type: application/atom+xml;type=feed;charset=utf-8
Date: Tue, 02 Nov 2021 00:39:09 GMT
Server: Micro...
Forms : {}
Headers : {[Transfer-Encoding, chunked], [Strict-Transport-Security, max-age=31536000], [Content-Type,
application/atom+xml;type=feed;charset=utf-8], [Date, Tue, 02 Nov 2021 00:39:09 GMT]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : System.__ComObject
RawContentLength : 333Please advise, thank you again!
-
AmanpreetSingh-MSFT 56,871 Reputation points Moderator
2021-11-02T12:49:25.46+00:00 Yes, 200 OK means good. You should try following the other troubleshooting steps as mentioned in my answer above.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
JonesB 1 Reputation point2021-11-03T21:53:15.163+00:00 I'm experiencing exactly the same with a customer tenant.
Upgraded Azure AD Connect, set the correct permissions and followed the guide.
Checked the connections, checked TCP timeouts (needs to be allowed 2-3minutes of idle connections), and everything seems to be in order.
But still the enable button is greyed out. -
AFB_Admin 1 Reputation point
2021-11-08T01:48:29.227+00:00 Unfortunately, I looked through your troubleshooting link, check the application log and cannot find a corresponding error. The ONLY error I see in the application log is a warning (ADSync source), ID 6100, that states, "The management agent 'DOMAINNAME' step execution completed on run profile "Export" with errors. That error is not listed on your troubleshooting list. All of the "PasswordResetService" entries are informational only and one (31042) actually states, "TrackingId: 631faff6-82f0-4e37-9323-33432fd413b3, Password writeback service is in a healthy state. All serviceHosts for service bus endpoints are in running state, Details: Version: 5.0.922.0". Any other suggestions? Based on the addtional comments, this seems to be a common issue?
-
JonesB 1 Reputation point
2021-11-14T21:35:39.29+00:00 I figured mine out, and it was a silly mistake on my part.
Tenant did not have Azure AD Premium, only free. Once enabled with premium it enabled the options right away.
It still gives me an error that it cannot communicate with the sync agent, but it's tested successfully anyway.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 62%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
AustralianTechie 1 Reputation point2021-11-04T07:06:52.367+00:00 We are also seeing this issue. It doesn't appear to a connectivity issue. Restarting the services and re-configuring writeback doesn't help.
Any thoughts please?
-
JonesB 1 Reputation point
2021-11-14T21:36:16.49+00:00 My error was that the tenant did not have Azure AD Premium enabled. Can that be your case aswell?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 60%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Brownmattc 6 Reputation points2021-12-17T21:50:57.037+00:00 I am having this same issue. We have Azure AD Premium 2. I tried disabling and re-enabling password writeback to no avail.
I am seeing the following in the application log on the server that runs AD Connect:
Error 31034 from PasswordResetService:
Endpoint <GUID> offline. Relay must be created at this address before using the binding with IsDynamic set to falsefollowed by Warning 32014 with the same information.