SSPR issue: Multiple Domains

Corndog 1 Reputation point
2021-12-13T11:17:47.67+00:00

Hoping someone can help...here's my scenario...

Domain-A: I have a hybrid AD setup, with Domain Controllers running on Azure VMs syncing to Azure AD via AD Connect. I've enabled SSPR and password writeback following the online tutorial (https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback). All was working as expected, as I was able to reset users' passwords via the portal...until I introduced Domain-B.

Domain-B: Is the same as Domain-A, another hybrid AD setup, with DCs running in Azure syncing to Azure AD. Again I've enabled SSPR and password writeback.

Domain-A is now returning the error "Unfortunately, you cannot reset this user's password due to a policy or error in your on-premises environment" when trying a password reset, whilst Domain-B is working as expected. Nothing changed in Domain-A; I've been over all the relevant settings (double-checking the Azure AD Connect MSOL account settings, etc.) and cannot figure out why it is failing. In Azure I have an SSPR-Group account which contains 'AllUser' groups for Domain-A and Domain-B.

I cannot see errors on the DC or the VM running AD Connect. Am I hitting a license limitation? The account has an Azure AD Premium P2 license.

In the Password Reset Audit logs, I see a reason of "ADAdminActionRequired" against the password reset attempts.

Any pointers much appreciated.


1 answer

Siva-kumar-selvaraj 15,651 Reputation points
2021-12-14T05:04:14.823+00:00

    Hello @Corndog ,

    We appreciate you sharing your findings here and value your time.

    I've converted your comment to an answer, and I'd like to request that you accept it, since it will benefit others in the community who are experiencing a similar issue. Thanks

    I was trying to use an unsupported config with two sync servers and one Azure AD tenant (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-multiple-sync-servers-to-one-azure-ad-tenant). I reverted to one sync server for the two domains and SSPR/password writeback is working as expected.

    1 person found this answer helpful.
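A quick way to confirm you are on the supported topology before chasing MSOL account permissions, as an added example that is not part of the original question or answer: run the following on the Azure AD Connect server. It lists the AD forest connectors present on that one sync server (both Domain-A and Domain-B should appear if a single server syncs both forests) and reads the password writeback state for the Azure AD connector. It assumes the ADSync PowerShell module that ships with Azure AD Connect, the installer's default connector naming ("<tenant>.onmicrosoft.com - AAD"), and the property names exposed by Get-ADSyncAADPasswordResetConfiguration; those names are assumptions, so the script prints the raw object as well.

```powershell
# Added example, not from the original post. Run as an administrator on the
# Azure AD Connect server. Assumes the ADSync module shipped with AD Connect.
Import-Module ADSync

$connectors = @(Get-ADSyncConnector)

# On-premises AD forests connected to this sync server (ConnectorTypeName 'AD'
# is an assumption about how AD Connect labels AD DS connectors).
$adForests = @($connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' })

# The Azure AD connector; "* - AAD" is the installer's default naming (assumption).
$aad = $connectors | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1

"Sync server: $env:COMPUTERNAME"
"AD forest connectors on this server: $($adForests.Count)"
$adForests | ForEach-Object { "  - $($_.Name)" }

# Two forests should both be present here. If the second forest (Domain-B) syncs
# from a different server into the same tenant, that is the unsupported
# "multiple forests, multiple sync servers to one Azure AD tenant" topology.
if ($adForests.Count -lt 2) {
    Write-Warning "Only $($adForests.Count) AD connector(s) on this server. If another sync server also feeds this tenant, that topology is unsupported and breaks SSPR writeback."
}

if ($null -eq $aad) {
    throw "No Azure AD connector found; this does not look like an Azure AD Connect sync server."
}

# Password writeback status for this tenant connector.
$cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name
"Password writeback configuration for '$($aad.Name)':"
$cfg | Format-List | Out-String

# Property name is an assumption; accept either an 'Enabled' boolean or a
# 'Status' string that reads "Enabled".
$writebackOn = ($cfg.Enabled -eq $true) -or ("$($cfg.Status)" -match 'Enabled')
if (-not $writebackOn) {
    Write-Warning "Password writeback is not enabled on this sync server; SSPR resets for users synced from here will fail."
}
```

If the script reports a single AD connector for a tenant that you know has two forests, the fix is the one in the accepted answer: consolidate both forests onto one sync server (or a staging-mode server, which does not write back) rather than running two active sync servers against the same tenant.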
