question

0 Votes
pcfixerjeff asked DuncanClay111 commented

Unable to enable password writeback Azure AD Connector - Error Offboarding: AccessDenied, Message: User does not have service onboarding permissions

Hey Team,

I have been struggling with an issue and have not been able to find anything with my Google-fu that relates to this issue.

I am unable to enable password writeback within the Azure AD connector. The error that shows in the event log is...

TrackingId: 0a34fa1d-5e2b-4437-9ccc-5f70682e48cd, Error Offboarding: AccessDenied, Message: User does not have service onboarding permissions, Details:

I have followed the enable SSPR tutorial to a tee (https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback?WT.mc_id=Portal-Microsoft_AAD_IAM#configuring-password-writeback); it just won't let me enable writeback in the AD Connect Tool.

I am the AD Administrator for my on-premise domain and the global cloud administrator of AAD. The account running AD Connect is a cloud global administrator (not synced from on-prem, as advised by Microsoft https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/unable-configure-pwd-writeback-error). I note my time was out by 3 mins, but I have fixed that too.

I have googled high and low, but there are no references to this problem. I am hoping someone here may have a solution.

I appreciate any assistance that you can give.

azure-ad-connect azure-ad-sspr

3 Votes
pcfixerjeff answered DuncanClay111 commented

Hey Team,

I thought I would update, as I was able to solve this by simply enabling Password Writeback via PowerShell.

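 # Look up the Azure AD connector by name (the name ends in "AAD")
 $ADconnector = (Get-ADSyncConnector | Where-Object {$_.Name -like "*AAD"}).Name
 # Enable password writeback on that connector
 Set-ADSyncAADPasswordResetConfiguration -Connector $ADconnector -Enable:$True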

I can confirm that my users can now reset passwords via SSPR and they sync back to on-prem.

I hope that saves someone days of frustration :)

Ta,
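
The fix from the answer above with a before/after check around it, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the Azure AD Connect server; the one-connector guard, the 15-minute window and the `PasswordResetService` event source filter are choices made for this example.

```powershell
# Added example (not from the original post).
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

# The "*AAD" wildcard is the one used in the post. Stop if it does not match
# exactly one connector, so the setting is never applied to the wrong object.
$aadConnectors = @(Get-ADSyncConnector | Where-Object { $_.Name -like '*AAD' })
if ($aadConnectors.Count -ne 1) {
    throw "Expected exactly one connector matching '*AAD', found $($aadConnectors.Count)."
}
$connectorName = $aadConnectors[0].Name
Write-Host "Azure AD connector: $connectorName"

# Writeback configuration before the change.
Write-Host 'Before:'
Get-ADSyncAADPasswordResetConfiguration -Connector $connectorName | Format-List

# The change from the post.
Set-ADSyncAADPasswordResetConfiguration -Connector $connectorName -Enable $true

# Writeback configuration after the change.
Write-Host 'After:'
Get-ADSyncAADPasswordResetConfiguration -Connector $connectorName | Format-List

# Recent writeback events from the Application log. The source name
# 'PasswordResetService' and the 15-minute window are assumptions of this example.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'
    StartTime    = (Get-Date).AddMinutes(-15)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

If the event query returns nothing, widen the window or check the Application log in Event Viewer for the same `AccessDenied` message quoted in the question.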



@pcfixerjeff • Thank you for posting the solution.

1 Vote 1 ·

Thank you, this solved our problem as well.

1 Vote 1 ·

Thank you for posting the solution to your own problem; so many people don't. I don't know what causes this. For us it could be because we were replacing an existing AADC server.

0 Votes 0 ·
1 Vote
KevinHsieh-4543 answered KevinHsieh-4543 published

Upvote. Worked for us too.
