question

0 Votes
TimReynolds-2903 asked JamesTran-MSFT commented

Self Service Password Reset (SSPR) not changing password to On Prem password policy

I am new to SSPR. I use Azure AD Connect to synchronize users from On-Prem AD to Azure. That has been working for years. I am setting SSPR up for our school and have gotten to the point where I am testing my first user. During SSPR setup, I require registration and two forms of verification to make the change. SSPR takes me through both verification stages and allows me to get to the screen where I am typing in and verifying my new password and when I hit "OK", it says:
"This password does not meet the length, complexity, age, or history requirements of your corporate password policy."
It is my understanding that On-Prem AD policies override Azure password policies. I have changed the account password in On-Prem AD to the same password that I have been trying to change it to in SSPR and it takes it just fine. I am going through online troubleshooting ideas, but I don't know why SSPR is saying that it doesn't meet the policy requirements.

Thanks in advance for your help.

windows-group-policy azure-ad-sspr

@TimReynolds-2903
Thank you for following up on this!

I believe @ZollnerD was referring to - if the minimum password age was set to "14" (days) for example, the GPO setting will prevent you from changing the user's password before the 14-day mark, which is why you would receive "This password does not meet the length...". However, since your minimum password age is set to 0 (which is correct), this shouldn't be the reason why SSPR failed. For more info.

From the error and since password Age isn't an issue, can you make sure the new password you tried to set meets your corporate password policy for length, complexity, and history?


Additional Links:
Password Policy
Password must meet complexity requirements


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


1 Answer

1 Vote
ZollnerD answered TimReynolds-2903 commented

The normal gotcha for this that I've seen is age - is there a GPO setting that specifies a minimum age of a password? If it's set, it will stop successive password changes within a certain time period. If you are administratively changing it (vs the user changing it), or if the user object is flagged as "Change password on next login" in AD, the minimum age requirement will be ignored, which may lead to any inconsistency you're observing.


@TimReynolds-2903
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


I wanted to add some information regarding the answer below:
I do have an on-prem Default Domain Policy with a minimum password age set to "0" and a maximum age at "180". Do I set the minimum to something else?
In addition, I remember two passwords, complexity is required, password length is 8. I have the setting for "Store passwords using reversible encryption" as disabled.
Thanks!


It is still not resolved.
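
The four requirements named in the error message, and the minimum-age behaviour ZollnerD's answer describes, modelled as an added example (not part of the original thread, and not Microsoft's implementation). The `Policy` defaults are the values the asker reports; the account `jdoe`, the sample passwords, the SHA-256 history and the simplified three-of-four complexity rule are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:  # defaults: the Default Domain Policy values reported in the thread
    min_length: int = 8
    complexity: bool = True
    min_age_days: int = 0
    history_count: int = 2

@dataclass
class Account:  # constructed stand-in for an AD user object
    sam_account_name: str
    pwd_last_set: datetime
    history: list = field(default_factory=list)  # newest first, hashed with _h()

def _h(pw):
    # Assumption: SHA-256 stands in for the hashes AD keeps for password history
    return hashlib.sha256(pw.encode()).hexdigest()

def violations(policy, acct, new_pw, now, admin_reset=False):
    """Return which of length/complexity/age/history the change would violate."""
    bad = []
    if len(new_pw) < policy.min_length:
        bad.append("length")
    if policy.complexity:  # simplified: 3 of 4 character classes, no account name
        classes = [any(c.isupper() for c in new_pw), any(c.islower() for c in new_pw),
                   any(c.isdigit() for c in new_pw), any(not c.isalnum() for c in new_pw)]
        name = acct.sam_account_name.lower()
        if sum(classes) < 3 or (len(name) >= 3 and name in new_pw.lower()):
            bad.append("complexity")
    # Minimum age applies to a user-initiated change only, as the answer says.
    # History is skipped here too, which is how a plain AD reset behaves.
    if not admin_reset:
        if now - acct.pwd_last_set < timedelta(days=policy.min_age_days):
            bad.append("age")
        if _h(new_pw) in acct.history[:policy.history_count]:
            bad.append("history")
    return bad

if __name__ == "__main__":
    now = datetime(2022, 2, 14, 12, 0)  # constructed timestamps and passwords
    acct = Account("jdoe", now - timedelta(days=3), [_h("Winter2021!x"), _h("Autumn2021!x")])
    for pol in (Policy(), Policy(min_age_days=14)):
        for pw in ("Spring2022!x", "Winter2021!x", "shortA1"):
            print(pol.min_age_days, pw, violations(pol, acct, pw, now),
                  violations(pol, acct, pw, now, admin_reset=True))
```

With a minimum age of 0 the "age" entry never appears, so a rejection under the reported policy has to come from one of the other three checks.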
