PasswordResetService ended with an error but the password was changed

Milan 56 Reputation points

I encountered a strange behaviour in the PasswordResetService. We have a Hybrid AAD configuration with the AAD Premium P1 licenses. We have enabled the password writeback in our AAD Connect. I checked the permissions required in our AAD Connect sync account (Reset password, Write lockoutTime, Write pwdLastSet). I checked the SSPR configuration too and everything is okay.
In the real situation, when our user wants to change his password through his M365 profile or when our user wants to reset his password through the SSPR, it's just not working. After approx. 20 seconds our users receive the error: "We could not change your password." I checked the AAD audit logs and found this error:
Status Reason: OnPremisesConnectivityFailure
So I went to the server where our AAD Connect is installed and I checked the Application logs. I found logs from the ResetPasswordService and there is no error. In the Application logs I can see these statuses from the ResetPasswordService:
ChangePasswordRequestStart (with a username)
ChangePasswordSuccess, Details: Context: cloudAnchor (with a username)

I don't know what to do or how to solve this. I think the error which is shown to our user after clicking on the Submit button is just Timeout (TimeoutException) or the information about PasswordChange in our AD DS is not delivered back to AAD - to the user.
Any ideas?
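
The timeout hypothesis in the question can be checked by measuring how long the on-premises side takes between the two statuses it logs. This is an added example, not part of the original post; it assumes the events are in the Application log under the source name PasswordResetService, that the status names quoted above appear in the event message, and that requests do not overlap in time.

```powershell
# Added example: run on the server where AAD Connect is installed.
# Assumptions: source name 'PasswordResetService' in the Application log, and the
# status names from the post (ChangePasswordRequestStart / ChangePasswordSuccess)
# appear in the event message text.
$since = (Get-Date).AddHours(-2)   # look-back window, adjust as needed

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'
    StartTime    = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$pending = $null
$report = foreach ($e in $events) {
    if ($e.Message -match 'ChangePasswordRequestStart') {
        if ($pending) {
            # A start with no success before the next start: report it as unfinished.
            [pscustomobject]@{ Started = $pending.TimeCreated; Finished = $null; Seconds = $null }
        }
        $pending = $e
    }
    elseif ($pending -and $e.Message -match 'ChangePasswordSuccess') {
        # Pair the success with the most recent start (simple sequential pairing).
        $elapsed = ($e.TimeCreated - $pending.TimeCreated).TotalSeconds
        [pscustomobject]@{
            Started  = $pending.TimeCreated
            Finished = $e.TimeCreated
            Seconds  = [math]::Round($elapsed, 1)
        }
        $pending = $null
    }
}
if ($pending) {
    # Last start in the window never reached a success event.
    $report = @($report) + [pscustomobject]@{ Started = $pending.TimeCreated; Finished = $null; Seconds = $null }
}

$report | Format-Table -AutoSize
```

Durations close to the roughly 20 seconds users wait before the error would be consistent with slow on-premises processing; short durations suggest the delay is elsewhere on the path back to the cloud service.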

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. James Hamil 21,386 Reputation points Microsoft Employee

    Hi @Milan, please perform the following steps and let me know if it resolves your issue:

    1. Restart the Azure AD Connect Sync service on the machine where the AD Connect is installed.
    2. Check the connector's permissions: make sure the account you are using is an admin with the highest possible permissions on premises, and is a member of the enterprise admin group in your AAD and has the reset password permissions that are required for the password writeback to work.
    3. Ensure Network Connectivity. Check if the following addresses are allowed for outbound HTTPS access:
    4. Disable and re-enable the password writeback option from the Azure AD Connect Configuration wizard

    If this answer helped you please mark it as "Verified" so other users may reference it.

    Thank you,

    1 person found this answer helpful.

  2. Ben Reisinger 1 Reputation point

    Had the same issue today. This was the solution:

    Check if the password writeback is done by Cloud Sync or AAD Connect (in our environment it was Cloud Sync).
    In the customer's environment the Cloud Sync configuration was not configured properly, so we deleted it.
    After a resync, Azure automatically changed from Cloud Sync to AAD Connect and everything worked fine.
    Can be vice versa.
