Hoping someone can help...here's my scenario...
Domain-A: I have a hybrid AD setup, with Domain Controllers running on Azure VMs syncing to Azure AD via AD Connect. I've enabled SSPR and password writeback following the online tutorial (https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback). All was working as expected, as I was able to reset users' passwords via the portal... until I introduced Domain-B.
Domain-B: the same as Domain-A, another hybrid AD setup, with DCs running in Azure syncing to Azure AD. Again I've enabled SSPR and password writeback.
Domain-A is now returning the error "Unfortunately, you cannot reset this user's password due to a policy or error in your on-premises environment" when trying a password reset, whilst Domain-B is working as expected. Nothing changed in Domain-A; I've been over all the relevant settings (double-checking the Azure AD Connect MSOL account settings, etc.) and cannot figure out why it is failing. In Azure I have an SSPR-Group account which contains 'AllUser' groups for Domain-A and Domain-B.
I cannot see errors on the DC or the VM running AD Connect. Am I hitting a license limitation? The account has an Azure AD Premium P2 license.
In the Password Reset Audit logs, I see a reason of "ADAdminActionRequired" against the password reset attempts.
Any pointers much appreciated.
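As an added example (not part of the original post, and not code from the tutorial linked above): a PowerShell check to run on the Azure AD Connect server of each domain, so the Domain-A and Domain-B results can be compared side by side. It reads the password writeback state of the Azure AD connector with the ADSync module and then inspects the on-premises ACL for the AD DS connector account, resolving the four rights that writeback needs (Reset Password, Unexpire Password, and write access to pwdLastSet and lockoutTime) from the schema and configuration partitions rather than from hard-coded GUIDs. The connector name, the search base OU and the use of Get-ADSyncADConnectorAccount to find the AD DS connector account are assumptions to adjust for the environment.

```powershell
# Added example: run in an elevated PowerShell session on each Azure AD Connect server.
# Assumptions (adjust for your environment):
#   - the ADSync module (installed with Azure AD Connect) and the ActiveDirectory RSAT module are present
#   - $aadConnector is the name of the Azure AD connector shown in Synchronization Service Manager
#   - $searchBase is the OU (or domain root) under which the users being reset live
Import-Module ADSync
Import-Module ActiveDirectory

$aadConnector = 'contoso.onmicrosoft.com - AAD'   # placeholder connector name
$searchBase   = 'OU=Users,DC=contoso,DC=local'    # placeholder OU containing the affected users

# 1. Is password writeback actually enabled on this server's Azure AD connector?
#    Compare this output between the Domain-A and Domain-B servers.
'--- Password writeback configuration for {0} ---' -f $aadConnector
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector | Format-List

# 2. Which on-premises account does this server use to talk to AD DS?
#    (Get-ADSyncADConnectorAccount is assumed to be available in this Azure AD Connect build.)
$connectorAccount = Get-ADSyncADConnectorAccount |
    Select-Object -First 1 -ExpandProperty ADConnectorAccountName
'--- AD DS connector account: {0} ---' -f $connectorAccount

# 3. Resolve the GUIDs of the rights writeback needs from the directory itself,
#    so the check does not depend on remembering them.
$rootDse = Get-ADRootDSE
$needed  = @{}

# Extended rights live under the configuration partition as controlAccessRight objects.
Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(|(displayName=Reset Password)(displayName=Unexpire Password)))' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $needed[[guid]$_.rightsGuid] = $_.displayName }

# Attribute write rights are keyed by the attribute's schemaIDGUID in the schema partition.
Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(|(lDAPDisplayName=pwdLastSet)(lDAPDisplayName=lockoutTime)))' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $needed[[guid]$_.schemaIDGUID] = "write $($_.lDAPDisplayName)" }

# 4. Read the effective ACL on the search base (inherited ACEs are included) and
#    report which of the needed rights the connector account has been granted.
$acl  = Get-Acl -Path "AD:\$searchBase"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$connectorAccount" -and $_.AccessControlType -eq 'Allow'
}

'--- Writeback rights for {0} on {1} ---' -f $connectorAccount, $searchBase
foreach ($guid in $needed.Keys) {
    # An ACE with ObjectType of all-zeros grants the right on every object type/attribute.
    $granted = $aces | Where-Object { $_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty }
    '{0,-22} {1}' -f $needed[$guid], $(if ($granted) { 'granted' } else { 'MISSING' })
}
```

A "MISSING" line on the Domain-A server while the same line shows "granted" on Domain-B points at the on-premises ACL rather than at licensing; an ACE that allows the right only on a parent OU but is blocked by inheritance on $searchBase would also show as missing here, which is why the check is run against the OU that actually holds the affected users.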