How to troubleshoot Password Management

Important

Are you here because you're having problems signing in? If so, here's how you can change and reset your own password.

If you are having issues with Password Management, we're here to help. Most problems you run into can be solved with a few simple troubleshooting steps, which are described below, section by section, for each part of your deployment.

If you've tried the troubleshooting steps below and are still running into problems, you can post a question on the Azure AD Forums or contact support and we'll take a look at your problem as soon as we can.

Information to include when you need help

If you cannot solve your issue with the guidance below, you can contact our support engineers. When you do, include the following information:

  • General description of the error – what exact error message did the user see? If there was no error message, describe the unexpected behavior you noticed, in detail.
  • Page – what page were you on when you saw the error (include the URL)?
  • Date / Time / Timezone – what was the precise date and time you saw the error (include the timezone)?
  • Support Code – what was the support code generated when the user saw the error (to find this, reproduce the error, then click the Support Code link at the bottom of the screen and send the support engineer the GUID that results).

    • If you are on a page without a support code at the bottom, press F12 and search for SID and CID and send those two results to the support engineer.

  • User ID – what was the ID of the user who saw the error (e.g. user@contoso.com)?
  • Information about the user – was the user federated, password hash synced, cloud only? Did the user have an AAD Premium or AAD Basic license assigned?
  • Application Event Log – if you are using Password Writeback and the error is in your on-premises infrastructure, please zip up a copy of your application event log from your Azure AD Connect server and send along with your request.

Including this information will help us to solve your problem as quickly as possible.

Troubleshoot password reset configuration in the Azure Management Portal

If you encounter an error when configuring password reset, you might be able to resolve it by following the troubleshooting steps below:

Each entry below lists the error case, what the user sees, and the solution.

Error case: I don’t see the User Password Reset Policy section under the Configure tab in the Azure Management Portal.

What the user sees: The User Password Reset Policy section is not visible on the Configure tab in the Azure Management Portal.

Solution: This can occur if you do not have an AAD Premium or AAD Basic license assigned to the admin performing this operation. To rectify this, assign an AAD Premium or AAD Basic license to the admin account in question by navigating to the Licenses tab, and try again.

Error case: I don’t see any of the configuration options under the User Password Reset Policy section that are described in the documentation.

What the user sees: The User Password Reset Policy section is visible, but the only flag that appears under it is the Users Enabled for Password Reset flag.

Solution: The rest of the UI appears when you switch the Users Enabled for Password Reset flag to Yes.

Error case: I don’t see a particular configuration option.

What the user sees: For example, the Number of days before a user must confirm their contact data option does not appear when scrolling through the User Password Reset Policy section (or other examples of the same issue).

Solution: Many elements of the UI are hidden until they are needed. Try enabling all the options on the page if you want to see every control. See Password Management behavior for more information about all of the controls that are available to you.

Error case: I don’t see the Write Back Passwords to On-Premises configuration option.

What the user sees: The Write Back Passwords to On-Premises option is not visible under the Configure tab in the Azure Management Portal.

Solution: This option is only visible if you have downloaded Azure AD Connect and configured Password Writeback. Once you have done this, the option appears and allows you to enable or disable writeback from the cloud. See Enable Password Writeback in Azure AD Connect for more information on how to do this.

Troubleshoot password management reports in the Azure Management Portal

If you encounter an error when using the password management reports, you might be able to resolve it by following the troubleshooting steps below:

Each entry below lists the error case, what the user sees, and the solution.

Error case: I don’t see any password management reports.

What the user sees: The Password reset activity and Password reset registration activity reports are not visible under the Activity Log reports in the Reports tab.

Solution: This can occur if you do not have an AAD Premium or AAD Basic license assigned to the admin performing this operation. To rectify this, assign an AAD Premium or AAD Basic license to the admin account in question by navigating to the Licenses tab, and try again.

Error case: User registrations show multiple times.

What the user sees: When a user registers an alternate email, mobile phone, and security questions, each shows up as a separate line instead of a single line.

Solution: Currently, when a user registers, we cannot assume that they will register everything present on the registration page. As a result, we log each individual piece of data that is registered as a separate event. If you want to aggregate this data, download the report and open the data as a pivot table in Excel for more flexibility.
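
The aggregation this entry describes, as an added example that is not part of the original page or of Microsoft's reporting tools. It assumes the downloaded report can be read as rows of (user, registered method, timestamp); the rows below are constructed sample data, and the required_methods parameter is an assumption that ties the per-user summary to the number of verification steps the reset policy requires.

```python
"""Collapse per-method registration events into one row per user.

Added example (not Microsoft's code). SAMPLE_ROWS is constructed to look like the
'Password reset registration activity' export, where each registered method is
logged as its own event.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export rows: (user, registered method, ISO timestamp). Not real data.
SAMPLE_ROWS = [
    ("alice@contoso.com", "Alternate Email", "2015-06-01T09:00:00"),
    ("alice@contoso.com", "Mobile Phone", "2015-06-01T09:01:10"),
    ("alice@contoso.com", "Security Questions", "2015-06-01T09:03:45"),
    ("bob@contoso.com", "Mobile Phone", "2015-06-02T14:20:00"),
    ("bob@contoso.com", "Mobile Phone", "2015-06-03T08:00:00"),  # re-registered the same method
]


def aggregate_registrations(rows, required_methods=1):
    """Return {user: {"methods": [...], "last_registration": iso, "meets_policy": bool}}.

    required_methods (assumption) mirrors the policy's number of verification steps:
    a user with fewer distinct methods than that will be told their account is not
    enabled for password reset when they try to use it.
    """
    per_user = defaultdict(lambda: {"methods": set(), "last_registration": None})
    for user, method, ts in rows:
        entry = per_user[user]
        entry["methods"].add(method)
        when = datetime.fromisoformat(ts)
        if entry["last_registration"] is None or when > entry["last_registration"]:
            entry["last_registration"] = when
    summary = {}
    for user, entry in per_user.items():
        summary[user] = {
            "methods": sorted(entry["methods"]),
            "last_registration": entry["last_registration"].isoformat(),
            "meets_policy": len(entry["methods"]) >= required_methods,
        }
    return summary


def to_csv_lines(summary):
    """Render the summary as CSV lines (header first), one line per user."""
    lines = ["user,method_count,methods,last_registration,meets_policy"]
    for user in sorted(summary):
        s = summary[user]
        lines.append(
            f"{user},{len(s['methods'])},{'|'.join(s['methods'])},"
            f"{s['last_registration']},{s['meets_policy']}"
        )
    return lines


if __name__ == "__main__":
    # Policy requiring two verification steps: bob has only one method registered
    print("\n".join(to_csv_lines(aggregate_registrations(SAMPLE_ROWS, required_methods=2))))
```

Users flagged with meets_policy False are the ones who will hit the "account is not enabled" error described in the reset portal section when the policy requires two verification steps.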

Troubleshoot the password reset registration portal

If you encounter an error when registering a user for password reset, you might be able to resolve it by following the troubleshooting steps below:

Each entry below lists the error case, what the user sees, and the solution.

Error case: Directory is not enabled for password reset.

What the user sees: Your administrator has not enabled you to use this feature.

Solution: Switch the Users Enabled for Password Reset flag to Yes and click Save in the Azure Management Portal directory configuration tab. You must have an Azure AD Premium or Basic license assigned to the admin performing this operation.

Error case: User does not have an AAD Premium or AAD Basic license assigned.

What the user sees: Your administrator has not enabled you to use this feature.

Solution: Assign an Azure AD Premium or Azure AD Basic license to the user under the Licenses tab in the Azure Management Portal. You must have an Azure AD Premium or Basic license assigned to the admin performing this operation.

Error case: Error processing request.

What the user sees: When attempting to reset a password, the user sees an error that states: Error processing request.

Solution: This can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue that cannot be resolved. If you see this error and it is impacting your business, please contact support and we will assist you as soon as possible. See Information to include when you need help for what you should provide to the support engineer to aid in a speedy resolution.

Troubleshoot the password reset portal

If you encounter an error when resetting a password for a user, you might be able to resolve it by following the troubleshooting steps below:

Each entry below lists the error case, what the user sees, and the solution.

Error case: Directory is not enabled for password reset.

What the user sees:

Your account is not enabled for password reset

We're sorry, but your administrator has not set up your account for use with this service.

If you'd like, we can contact an administrator in your organization to reset your password for you.

Solution: Switch the Users Enabled for Password Reset flag to Yes and click Save in the Azure Management Portal directory configuration tab. You must have an Azure AD Premium or Basic license assigned to the admin performing this operation.

Error case: User does not have an AAD Premium or AAD Basic license assigned.

What the user sees: While we cannot reset non-admin account passwords automatically, we can contact your organization's admin to do it for you.

Solution: Assign an Azure AD Premium or Azure AD Basic license to the user under the Licenses tab in the Azure Management Portal. You must have an Azure AD Premium or Basic license assigned to the admin performing this operation.

Error case: Directory is enabled for password reset, but the user has missing or malformed authentication information.

What the user sees:

Your account is not enabled for password reset

We're sorry, but your administrator has not set up your account for use with this service.

If you'd like, we can contact an administrator in your organization to reset your password for you.

Solution: Ensure that the user has properly formed contact data on file in the directory before proceeding. See What data is used by password reset for information on how to configure authentication information in the directory so that users do not see this error.

Error case: Directory is enabled for password reset, but a user only has one piece of contact data on file when the policy is set to require two verification steps.

What the user sees:

Your account is not enabled for password reset

We're sorry, but your administrator has not set up your account for use with this service.

If you'd like, we can contact an administrator in your organization to reset your password for you.

Solution: Ensure that the user has at least two properly configured contact methods (e.g., both Mobile Phone and Office Phone) before proceeding. See What data is used by password reset for information on how to configure authentication information in the directory so that users do not see this error.

Error case: Directory is enabled for password reset, and the user is properly configured, but the user cannot be contacted.

What the user sees: Oops! We encountered an unexpected error while contacting you.

Solution: This could be the result of a temporary service error or of misconfigured contact data that we could not detect. If the user waits 10 seconds, a “try again” link and a “contact your administrator” link appear. Clicking “try again” re-dispatches the call, whereas clicking “contact your administrator” sends a form email to user, password, or global admins (in that order of precedence) requesting that a password reset be performed for that user account.

Error case: User never receives the password reset SMS or phone call.

What the user sees: The user clicks “text me” or “call me” and then never receives anything.

Solution: This could be the result of a malformed phone number in the directory. Make sure the phone number is in the format “+ccc xxxyyyzzzzXeeee”. To learn more about formatting phone numbers for use with password reset, see What data is used by password reset.

If you require an extension to be routed to the user in question, note that password reset does not support extensions, even if you specify one in the directory (they are stripped before the call is dispatched). Try using a number without an extension, or integrate the extension into the phone number in your PBX.

Error case: User never receives the password reset email.

What the user sees: The user clicks “email me” and then never receives anything.

Solution: The most common cause of this issue is that the message was rejected by a spam filter. Check your spam, junk, or deleted items folder for the email.

Also make sure you are checking the right mailbox for the message: many people have very similar email addresses and end up checking the wrong inbox. If neither of these helps, it is also possible that the email address in the directory is malformed; check that the email address is the right one and try again. To learn more about formatting email addresses for use with password reset, see What data is used by password reset.

Error case: I have set a password reset policy, but when an admin account uses password reset, that policy is not applied.

What the user sees: Admin accounts resetting their passwords see the same options enabled for password reset, email and mobile phone, no matter what policy is set under the User Password Reset Policy section of the Configure tab.

Solution: The options configured under the User Password Reset Policy section of the Configure tab only apply to end users in your organization. Microsoft manages and controls the admin password reset policy in order to ensure the highest level of security.

Error case: User prevented from attempting password reset too many times in a day.

What the user sees: The user sees an error stating:

Please use another option.

You've tried to verify your account too many times in the last 1 hour(s). For security reasons, you'll have to wait 24 hour(s) before you can try again.

If you'd like, we can contact an administrator in your organization to reset your password for you.

Solution: We implement an automatic throttling mechanism to block users from attempting to reset their passwords too many times in a short period of time. This occurs when:

  1. A user attempts to validate a phone number 5 times in one hour.
  2. A user attempts to use the security questions gate 5 times in one hour.
  3. A user attempts to reset a password for the same user account 5 times in one hour.

To fix this, instruct the user to wait 24 hours after the last attempt; the user will then be able to reset his or her password.
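
A model of the throttling rule just described, added here as an example; it is not Microsoft's implementation. The thresholds (5 attempts in one hour, then a 24-hour wait counted from the last attempt) are the ones this entry states. Everything else is an assumption: the three gates are tracked as independent counters, the sixth attempt inside the hour is the one rejected, and an attempt made while blocked restarts the 24-hour wait. Timestamps are plain epoch seconds so the behaviour can be checked offline.

```python
"""Sliding-window throttle with a 24-hour block, modelled on the SSPR rule above.

Added example, not Microsoft's code. Thresholds come from the page; the independent
per-gate counters and the block-restart-on-retry behaviour are assumptions.
"""
from collections import defaultdict, deque

MAX_ATTEMPTS = 5               # attempts allowed per gate within the window
WINDOW_SECONDS = 60 * 60       # "in one hour"
BLOCK_SECONDS = 24 * 60 * 60   # "wait 24 hours after the last attempt"
GATES = ("phone", "questions", "reset")   # phone validation, security questions, reset per account


class ResetThrottle:
    def __init__(self):
        self._recent = defaultdict(deque)   # (gate, subject) -> timestamps inside the window
        self._blocked_until = {}            # (gate, subject) -> epoch second when the block lifts

    def attempt(self, gate, subject, now):
        """Record one attempt at `now` (epoch seconds).

        Returns (allowed, blocked_until); blocked_until is None when the attempt is allowed.
        `subject` is the phone number for the phone gate, or the user id for the others.
        """
        if gate not in GATES:
            raise ValueError(f"unknown gate {gate!r}")
        key = (gate, subject)
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                # Retrying while blocked restarts the 24-hour wait (assumption).
                self._blocked_until[key] = now + BLOCK_SECONDS
                return False, self._blocked_until[key]
            del self._blocked_until[key]    # block has expired; start a fresh window
            self._recent[key].clear()
        window = self._recent[key]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                # drop attempts older than one hour
        window.append(now)
        if len(window) > MAX_ATTEMPTS:
            self._blocked_until[key] = now + BLOCK_SECONDS
            return False, self._blocked_until[key]
        return True, None

    def status(self, gate, subject, now):
        """'blocked' while the 24-hour wait is in force for this gate/subject, else 'ok'."""
        until = self._blocked_until.get((gate, subject))
        return "blocked" if until is not None and now < until else "ok"


if __name__ == "__main__":
    throttle = ResetThrottle()
    # Constructed scenario: six phone validations one minute apart
    for minute in range(6):
        print(minute, throttle.attempt("phone", "+14255551234", 60 * minute))
```

Because the counters are keyed per gate and per subject, a user blocked on the phone gate can still be offered the security questions gate, which is why the error text says "Please use another option".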

Error case: User sees an error when validating his or her phone number.

What the user sees: When attempting to verify a phone to use as an authentication method, the user sees an error stating: Incorrect phone number specified.

Solution: This error occurs when the phone number entered does not match the phone number on file. Make sure the user is entering the complete phone number, including area and country code, when attempting to use a phone-based method for password reset.
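
An added example covering this entry and the "never receives the SMS or phone call" entry above; it is not part of the original page or of Azure AD. It checks a directory value against the “+ccc xxxyyyzzzzXeeee” format, reports when an extension would be stripped before the call is dispatched, and compares what a user typed against the number on file so that a missing country or area code is caught. The digit-count limits in the regular expression and the separator-stripping normalisation are my assumptions, not Microsoft's rules.

```python
"""Directory phone number checks for password reset (added example, not Microsoft's code).

Format expected by the page: +ccc xxxyyyzzzzXeeee, that is a country code, one space,
the national number, and an optional extension introduced by X.
"""
import re

# Digit-count limits are an assumption; the shape (+cc, space, digits, optional Xext) is the page's.
PHONE_RE = re.compile(r"\+(?P<cc>\d{1,3}) (?P<national>\d{4,14})(?:X(?P<ext>\d{1,6}))?")


def parse_directory_phone(value):
    """Split a directory phone value into cc / national / ext; raise ValueError if malformed."""
    match = PHONE_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"not in +ccc xxxyyyzzzz[Xeeee] form: {value!r}")
    return {"cc": match["cc"], "national": match["national"], "ext": match["ext"]}


def dial_string(parsed):
    """What the reset service actually dials: the extension is dropped before the call."""
    return f"+{parsed['cc']}{parsed['national']}"


def check_directory_phone(value):
    """Return (usable, findings). usable=False means no SMS or call can ever arrive."""
    try:
        parsed = parse_directory_phone(value)
    except ValueError as err:
        return False, [str(err)]
    findings = []
    if parsed["ext"] is not None:
        findings.append(
            f"extension X{parsed['ext']} is stripped; the call goes to {dial_string(parsed)}"
        )
    return True, findings


def entered_number_matches(entered, on_file):
    """Compare the digits the user typed with the directory value (country code + national number).

    Separators such as spaces, brackets and dashes are ignored (assumption); a number typed
    without its country or area code will not match, which is the 'Incorrect phone number
    specified' case.
    """
    parsed = parse_directory_phone(on_file)
    typed_digits = re.sub(r"\D", "", entered)
    return typed_digits == parsed["cc"] + parsed["national"]


if __name__ == "__main__":
    # Constructed sample values, not real directory data
    for sample in ("+1 4255551234", "+1 4255551234X200", "(425) 555-1234"):
        print(sample, "->", check_directory_phone(sample))
    print(entered_number_matches("425-555-1234", "+1 4255551234"))   # missing country code
```

Running check_directory_phone over an export of your users' phone attributes (assumed to be available to you as plain strings) separates the two failure modes this table describes: values that can never be dialled, and values that will be dialled without their extension.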

Error case: Error processing request.

What the user sees: When attempting to reset a password, the user sees an error that states: Error processing request.

Solution: This can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue that cannot be resolved. If you see this error and it is impacting your business, please contact support and we will assist you as soon as possible. See Information to include when you need help for what you should provide to the support engineer to aid in a speedy resolution.

Troubleshoot Password Writeback

If you encounter an error when enabling, disabling, or using Password Writeback, you might be able to resolve it by following the troubleshooting steps below:

Each entry below lists the error case, what the user sees, and the solution.

Error case: General onboarding and startup failures.

What the user sees: The password reset service does not start on-premises, with error 6800 in the Azure AD Connect machine’s Application event log. After onboarding, federated or password hash synced users cannot reset their passwords.

Solution: When Password Writeback is enabled, the sync engine calls the writeback library to perform the configuration (onboarding) by talking to the cloud onboarding service. Any errors encountered during onboarding or while starting the WCF endpoint for Password Writeback result in errors in the Application event log on your Azure AD Connect machine.

During a restart of the ADSync service, if writeback was configured, the WCF endpoint is started. If the startup of the endpoint fails, we simply log event 6800 and let the sync service start. The presence of this event means that the Password Writeback endpoint was not started. The details of event 6800, along with the event log entries generated by the PasswordResetService component, indicate why the endpoint could not be started. Review these event log errors and restart Azure AD Connect if Password Writeback still isn’t working. If the problem persists, try disabling and re-enabling Password Writeback.

Error case: Password reset or account unlock fails with Password Writeback enabled.

What the user sees: When a user attempts to reset a password or unlock an account with Password Writeback enabled, the operation fails. In addition, you see an event in the Azure AD Connect event log containing “Synchronization Engine returned an error hr=800700CE, message=The filename or extension is too long” after the unlock operation occurs.

Solution: This can occur if you upgraded from older versions of Azure AD Connect or DirSync. Older versions of Azure AD Connect set a 254-character password for the Azure AD Management Agent account (newer versions set a 127-character password). Such long passwords work for AD Connector Import and Export operations, but they are not supported by the Unlock operation.

Find the Active Directory account for Azure AD Connect and reset the password so that it contains no more than 127 characters. Then open Synchronization Service from the Start menu. Navigate to Connectors and find the Active Directory Connector. Select it and click Properties. Navigate to the Credentials page and enter the new password. Select OK to close the page.

Error case: Error configuring writeback during Azure AD Connect installation.

What the user sees: At the last step of the Azure AD Connect installation process, you see an error indicating that Password Writeback could not be configured. The Azure AD Connect Application event log contains error 32009 with the text “Error getting auth token”.

Solution: This error occurs in the following two cases:

  • You have specified an incorrect password for the global administrator account specified at the beginning of the Azure AD Connect installation process.
  • You have attempted to use a federated user for the global administrator account specified at the beginning of the Azure AD Connect installation process.

To fix this error, ensure that you are not using a federated account for the global administrator you specified at the beginning of the Azure AD Connect installation process, and that the password specified is correct.

Error case: Error configuring writeback during Azure AD Connect installation.

What the user sees: The Azure AD Connect machine event log contains error 32002 thrown by the PasswordResetService. The error reads: “Error Connecting to ServiceBus, The token provider was unable to provide a security token…”

Solution: The root cause of this error is that the password reset service running in your on-premises environment is not able to connect to the Service Bus endpoint in the cloud. This error is normally caused by a firewall rule blocking an outbound connection to a particular port or web address.

Make sure your firewall allows outbound connections for the following:

  • All traffic over TCP 443 (HTTPS)
  • Outbound connections to

Once you have updated these rules, reboot the Azure AD Connect machine, and Password Writeback should start working again.

Error case: Password Writeback endpoint on-premises not reachable.

What the user sees: After working for some time, federated or password hash synced users cannot reset their passwords.

Solution: In some rare cases, the Password Writeback service may fail to restart when Azure AD Connect has restarted. In these cases, first check whether Password Writeback appears to be enabled on-premises. You can do this using the Azure AD Connect wizard or PowerShell (see the HowTos section above). If the feature appears to be enabled, try disabling and re-enabling the feature, either through the UI or through PowerShell. See “Step 2: Enable Password Writeback on your Directory Sync computer & configure firewall rules” in How to enable/disable Password Writeback for more information on how to do this.

If this doesn’t work, try completely uninstalling and reinstalling Azure AD Connect.

Error case: Permissions errors.

What the user sees: Federated or password hash sync’d users who attempt to reset their passwords see an error after submitting the password indicating there was a service problem. In addition, during password reset operations you may see an error in your on-premises event logs stating that the management agent was denied access.

Solution: If you see these errors in your event log, confirm that the AD MA account (the one specified in the wizard at the time of configuration) has the necessary permissions for Password Writeback.

Note that once this permission is granted, it can take up to 1 hour for the permissions to trickle down via the SDProp background task on the DC.

For password reset to work, the permission needs to be stamped on the security descriptor of the user object whose password is being reset. Until this permission shows up on the user object, password reset continues to fail with access denied.

Error case: Error when configuring Password Writeback from the Azure AD Connect configuration wizard.

What the user sees: “Unable to Locate MA” error in the wizard while enabling or disabling Password Writeback.

Solution: There is a known bug in the released version of Azure AD Connect which manifests in the following situation:

  1. You configure Azure AD Connect for tenant abc.com (verified domain) using creds . This results in an AAD connector with the name “abc.com – AAD” being created.
  2. You then change the AAD creds for the connector (using the old sync UI) to (note it’s the same tenant but a different domain name).
  3. Now you try to enable or disable Password Writeback. The wizard constructs the name of the connector from the creds as “abc.onmicrosoft.com – AAD” and passes it to the Password Writeback cmdlet. This fails because there is no connector with this name.

This has been fixed in our latest builds. If you have an older build, the one workaround is to use the PowerShell cmdlet to enable or disable the feature. See “Step 2: Enable Password Writeback on your Directory Sync computer & configure firewall rules” in How to enable/disable Password Writeback for more information on how to do this.

Error case: Unable to reset passwords for users in special groups such as Domain Admins or Enterprise Admins.

What the user sees: Federated or password hash sync’d users who are part of protected groups and attempt to reset their passwords see an error after submitting the password indicating there was a service problem.

Solution: Privileged users in Active Directory are protected using AdminSDHolder. See http://technet.microsoft.com/magazine/2009.09.sdadminholder.aspx for more details.

This means the security descriptors on these objects are periodically checked against the one specified on AdminSDHolder and are reset if they differ. The additional permissions needed for Password Writeback therefore do not trickle down to such users, and Password Writeback does not work for them. As a result, we do not support managing passwords for users within these groups, because doing so would break the AD security model.

Error case: Reset operations fail with “Object could not be found”.

What the user sees: Federated or password hash sync’d users who attempt to reset their passwords see an error after submitting the password indicating there was a service problem. In addition, during password reset operations you may see an error in your event logs from the Azure AD Connect service indicating an “Object could not be found” error.

Solution: This error usually indicates that the sync engine is unable to find either the user object in the AAD connector space or the linked MV or AD connector space object.

To troubleshoot this, make sure that the user is indeed synced from on-premises to AAD via the current instance of Azure AD Connect, and inspect the state of the objects in the connector spaces and the MV. Confirm that the AD CS object is connected to the MV object via the “Microsoft.InfromADUserAccountEnabled.xxx” rule.

Error case: Reset operations fail with a “Multiple matches found” error.

What the user sees: Federated or password hash sync’d users who attempt to reset their passwords see an error after submitting the password indicating there was a service problem. In addition, during password reset operations you may see an error in your event logs from the Azure AD Connect service indicating a “Multiple matches found” error.

Solution: This indicates that the sync engine detected that the MV object is connected to more than one AD CS object via the “Microsoft.InfromADUserAccountEnabled.xxx” rule. This means that the user has an enabled account in more than one forest. Currently this scenario is not supported for Password Writeback.

Error case: Password operations fail with a configuration error.

What the user sees: Password operations fail with a configuration error. The Application event log contains Azure AD Connect error 6329 with the text: 0x8023061f (The operation failed because password synchronization is not enabled on this Management Agent.)

Solution: This occurs if the Azure AD Connect configuration is changed to add a new AD forest (or to remove and re-add an existing forest) after the Password Writeback feature has already been enabled. Password operations for users in such newly added forests fail. To fix the problem, disable and re-enable the Password Writeback feature after the forest configuration changes have been completed.

Error case: Writing back passwords that have been reset by users works properly, but writing back passwords changed by a user or reset for a user by an administrator fails.

What the user sees: When attempting to reset a password on behalf of a user from the Azure Management Portal, you see a message stating: “The password reset service running in your on-premises environment does not support administrators resetting user passwords. Please upgrade to the latest version of Azure AD Connect to resolve this.”

Solution: This occurs when the version of the synchronization engine does not support the particular Password Writeback operation that was used. Versions of Azure AD Connect later than 1.0.0419.0911 support all password management operations, including password reset writeback, password change writeback, and administrator-initiated password reset writeback from the Azure Management Portal. DirSync versions later than 1.0.6862 support password reset writeback only. To resolve this issue, we highly recommend that you install the latest version of Azure AD Connect or Azure Active Directory Connect. For more information, see Integrating your on-premises identities to resolve this issue and to get the most out of Password Writeback in your organization.

Password Writeback event log error codes

A best practice when troubleshooting issues with Password Writeback is to inspect the Application Event Log on your Azure AD Connect machine. This event log contains events from two sources of interest for Password Writeback. The PasswordResetService source describes operations and issues related to the operation of Password Writeback. The ADSync source describes operations and issues related to setting passwords in your AD environment.

Each entry below lists the event code, its name or message, its source, and a description.

Code 6329, BAIL: MMS(4924) 0x80230619 – “A restriction prevents the password from being changed to the current one specified.” (source: ADSync)

This event occurs when the Password Writeback service attempts to set a password on your local directory which does not meet the password age, history, complexity, or filtering requirements of the domain.

  • If you have a minimum password age, and have recently changed the password within that window of time, you will not be able to change the password again until it reaches the specified age in your domain. For testing purposes, minimum age should be set to 0.
  • If you have password history requirements enabled, then you must select a password that has not been used in the last N times, where N is the password history setting. If you do select a password that has been used in the last N times, then you will see a failure in this case. For testing purposes, history should be set to 0.
  • If you have password complexity requirements, all of them will be enforced when the user attempts to change or reset a password.
  • If you have password filters enabled, and a user selects a password which does not meet the filtering criteria, then the reset or change operation will fail.
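
An added example, not part of the original page or of Azure AD Connect, that evaluates a candidate password against a simplified model of the four requirement classes listed above (minimum age, history, complexity, filter) and returns which ones it violates, so an admin chasing event 6329 can see which domain setting is rejecting the writeback before asking the user to retry. Assumptions: password history is compared by SHA-256 here as a stand-in for the hashes AD actually stores, complexity is reduced to "minimum length, three of four character classes, and does not contain the account name", and the password filter DLL is represented by a plain callable.

```python
"""Which domain password requirement would make a writeback fail with event 6329?

Added example (not Microsoft's code). Policy values and the sample scenario are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional
import hashlib
import re


@dataclass
class DomainPasswordPolicy:
    min_age_days: int = 1                     # Minimum password age
    history_count: int = 24                   # Enforce password history (last N passwords)
    complexity_enabled: bool = True           # Password must meet complexity requirements
    min_length: int = 8
    password_filter: Optional[Callable[[str], bool]] = None   # stand-in for a password filter DLL


@dataclass
class UserPasswordState:
    last_set: datetime        # when the password was last set (pwdLastSet)
    history: List[str]        # hashes of previous passwords, most recent first


def password_hash(pw: str) -> str:
    """Stand-in for AD's stored hash (assumption); only used to compare against the history list."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def meets_complexity(pw: str, account_name: str, min_length: int) -> bool:
    """Simplified Windows complexity rule: length, three of four classes, no account name inside."""
    if len(pw) < min_length:
        return False
    if account_name and len(account_name) >= 3 and account_name.lower() in pw.lower():
        return False
    classes = sum(bool(re.search(p, pw)) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes >= 3


def policy_failures(pw, account_name, state, policy, now):
    """Return the names of the requirements the candidate password violates ([] if acceptable)."""
    failures = []
    if now - state.last_set < timedelta(days=policy.min_age_days):
        failures.append("age")           # changed again before the minimum age elapsed
    if password_hash(pw) in state.history[:policy.history_count]:
        failures.append("history")       # reuses one of the last N passwords
    if policy.complexity_enabled and not meets_complexity(pw, account_name, policy.min_length):
        failures.append("complexity")
    if policy.password_filter is not None and not policy.password_filter(pw):
        failures.append("filter")        # rejected by the domain's password filter
    return failures


# Constructed scenario: alice changed her password at 09:00 and tries again three hours later.
SAMPLE_POLICY = DomainPasswordPolicy(history_count=3, password_filter=lambda p: "contoso" not in p.lower())
SAMPLE_STATE = UserPasswordState(
    last_set=datetime(2015, 6, 1, 9, 0),
    history=[password_hash("OldPass#1"), password_hash("OldPass#2")],
)
T_SOON = datetime(2015, 6, 1, 12, 0)    # inside the 1-day minimum age
T_LATER = datetime(2015, 6, 3, 9, 0)    # minimum age has elapsed

if __name__ == "__main__":
    for candidate, when in (("OldPass#1", T_SOON), ("NewPass#9", T_LATER), ("ContosoRocks1!", T_LATER)):
        print(candidate, "->", policy_failures(candidate, "alice", SAMPLE_STATE, SAMPLE_POLICY, when))
```

Each name in the returned list maps to one bullet above: "age" and "history" are the settings the page suggests setting to 0 for testing, while "complexity" and "filter" can only be satisfied by choosing a different password.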

Code HR 8023042, Synchronization Engine returned an error hr=80230402, message=An attempt to get an object failed because there are duplicated entries with the same anchor (source: ADSync)

This event occurs when the same user id is enabled in multiple domains. For example, if you are syncing account and resource forests, and have the same user id present and enabled in each, this error may occur.

This error can also occur if you are using a non-unique anchor attribute (like alias or UPN) and two users share that same anchor attribute.

To resolve this issue, ensure that you do not have any duplicated users within your domains and that you are using a unique anchor attribute for each user.

Code 31001, PasswordResetStart (source: PasswordResetService)

This event indicates that the on-premises service detected a password reset request for a federated or password hash sync’d user originating from the cloud. This event is the first event in every password reset writeback operation.

Code 31002, PasswordResetSuccess (source: PasswordResetService)

This event indicates that a user selected a new password during a password reset operation, we determined that this password meets corporate password requirements, and that password has been successfully written back to the local AD environment.

Code 31003, PasswordResetFail (source: PasswordResetService)

This event indicates that a user selected a password, and that password arrived successfully at the on-premises environment, but when we attempted to set the password in the local AD environment, a failure occurred. This can happen for several reasons:

  • The user’s password does not meet the age, history, complexity, or filter requirements for the domain. Try a completely new password to resolve this.
  • The MA service account does not have the appropriate permissions to set the new password on the user account in question.
  • The user’s account is in a protected group, such as domain or enterprise admins, which disallows password set operations.

See Troubleshoot Password Writeback to learn more about what other situations can cause this error.

Code 31004, OnboardingEventStart (source: PasswordResetService)

This event occurs if you enable Password Writeback with Azure AD Connect and indicates that we started onboarding your organization to the Password Writeback web service.

Code 31005, OnboardingEventSuccess (source: PasswordResetService)

This event indicates the onboarding process was successful and that the Password Writeback capability is ready to use.

Code 31006, ChangePasswordStart (source: PasswordResetService)

This event indicates that the on-premises service detected a password change request for a federated or password hash sync’d user originating from the cloud. This event is the first event in every password change writeback operation.

Code 31007, ChangePasswordSuccess (source: PasswordResetService)

This event indicates that a user selected a new password during a password change operation, we determined that this password meets corporate password requirements, and that password has been successfully written back to the local AD environment.

Code 31008, ChangePasswordFail (source: PasswordResetService)

This event indicates that a user selected a password, and that password arrived successfully at the on-premises environment, but when we attempted to set the password in the local AD environment, a failure occurred. This can happen for several reasons:

  • The user’s password does not meet the age, history, complexity, or filter requirements for the domain. Try a completely new password to resolve this.
  • The MA service account does not have the appropriate permissions to set the new password on the user account in question.
  • The user’s account is in a protected group, such as domain or enterprise admins, which disallows password set operations.

See Troubleshoot Password Writeback to learn more about what other situations can cause this error.

Code 31009, ResetUserPasswordByAdminStart (source: PasswordResetService)

The on-premises service detected a password reset request for a federated or password hash sync’d user originating from an administrator on behalf of the user. This event is the first event in every admin-initiated password reset writeback operation.

Code 31010, ResetUserPasswordByAdminSuccess (source: PasswordResetService)

The admin selected a new password during an admin-initiated password reset operation, we determined that this password meets corporate password requirements, and that password has been successfully written back to the local AD environment.

31011

ResetUserPasswordByAdminFail

PasswordResetService

The admin selected a password on behalf of a user, and that password arrived successfully to the on-premises environment, but when we attempted to set the password in the local AD environment, a failure occurred. This can happen for several reasons:

  • The user’s password does not meet the age, history, complexity, or filter requirements for the domain. Try a completely new password to resolve this.
  • The MA service account does not have the appropriate permissions to set the new password on the user account in question.
  • The user’s account is in a protected group, such as domain or enterprise admins, which disallows password set operations.

See Troubleshoot Password Writeback to learn more about what other situations can cause this error.

31012

OffboardingEventStart

PasswordResetService

This event occurs if you disable Password Writeback with Azure AD Connect and indicates that we started offboarding your organization to the Password Writeback web service.

31013

OffboardingEventSuccess

PasswordResetService

This event indicates the offboarding process was successful and that Password Writeback capability has been successfully disabled.

31014

OffboardingEventFail

PasswordResetService

This event indicates the offboarding process was not successful. This could be due to a permissions error on the cloud or on-premises administrator account specified during configuration, or because you are attempting to use a federated cloud global administrator when disabling Password Writeback. To fix this, check your administrative permissions and that you are not using any federated account while configuring the Password Writeback capability.

31015

WriteBackServiceStarted

PasswordResetService

This event indicates that the Password Writeback service has started successfully and is ready to accept password management requests from the cloud.

31016

WriteBackServiceStopped

PasswordResetService

This event indicates that the Password Writeback service has stopped and that any password management requests from the cloud will not be successful.

31017

AuthTokenSuccess

PasswordResetService

This event indicates that we successfully retrieved an authorization token for the global admin specified during Azure AD Connect setup in order to start the offboarding or onboarding process.

31018

KeyPairCreationSuccess

PasswordResetService

This event indicates that we successfully created the password encryption key that will be used to encrypt passwords from the cloud to be sent to your on-premises environment.

32000

UnknownError

PasswordResetService

This event indicates an unknown error during a password management operation. Look at the exception text in the event for more details. If you are having problems, try disabling and re-enabling Password Writeback. If this does not help, include a copy of your event log, along with the tracking ID specified inside it, when you contact your support engineer.

32001

ServiceError

PasswordResetService

This event indicates there was an error connecting to the cloud password reset service, and generally occurs when the on-premises service was unable to connect to the password reset web service.

32002

ServiceBusError

PasswordResetService

This event indicates there was an error connecting to your tenant’s service bus instance. This could happen because you are blocking outbound connections in your on-premises environment. Check your firewall to ensure you allow connections over TCP 443 and to https://ssprsbprodncu-sb.accesscontrol.windows.net/, and try again. If you are still having problems, try disabling and re-enabling Password Writeback.

32003

InPutValidationError

PasswordResetService

This event indicates that the input passed to our web service API was invalid. Try the operation again.

32004

DecryptionError

PasswordResetService

This event indicates that there was an error decrypting the password that arrived from the cloud. This could be because of a decryption key mismatch between the cloud service and your on-premises environment. In order to resolve this, disable and re-enable Password Writeback in your on-premises environment.

32005

ConfigurationError

PasswordResetService

During onboarding, we save tenant-specific information in a configuration file in your on-premises environment. This event indicates there was an error saving this file or that when the service was started there was an error reading the file. To fix this issue, try disabling and re-enabling Password Writeback to force a re-write of this configuration file.

32006

EndPointConfigurationError

PasswordResetService

DEPRECATED – This event is not present in Azure AD Connect, only very early builds of DirSync which supported writeback.

32007

OnBoardingConfigUpdateError

PasswordResetService

During onboarding, we send data from the cloud to the on-premises password reset service. That data is then written to an in-memory file before being sent to the sync service to store this information securely on disk. This event indicates a problem with writing or updating that data in memory. To fix this issue, try disabling and re-enabling Password Writeback to force a re-write of this configuration.

32008

ValidationError

PasswordResetService

This event indicates we received an invalid response from the password reset web service. To fix this issue, try disabling and re-enabling Password Writeback.

32009

AuthTokenError

PasswordResetService

This event indicates that we could not get an authorization token for the global administrator account specified during Azure AD Connect setup. This error can be caused by a bad username or password specified for the global admin account or because the global admin account specified is federated. To fix this issue, re-run configuration with the correct username and password and ensure the administrator is a managed (cloud-only or password-sync’d) account.

32010

CryptoError

PasswordResetService

This event indicates there was an error when generating the password encryption key or decrypting a password that arrives from the cloud service. This error likely indicates an issue with your environment. Look at the details of your event log to learn more and resolve this issue. You may also try disabling and re-enabling the Password Writeback service to resolve this.

32011

OnBoardingServiceError

PasswordResetService

This event indicates that the on-premises service could not properly communicate with the password reset web service to initiate the onboarding process. This may be because of a firewall rule or problem getting an auth token for your tenant. To fix this, ensure that you are not blocking outbound connections over TCP 443 and TCP 9350-9354 or to https://ssprsbprodncu-sb.accesscontrol.windows.net/, and that the AAD admin account you are using to onboard is not federated.

32012

OnBoardingServiceDisableError

PasswordResetService

DEPRECATED – This event is not present in Azure AD Connect, only very early builds of DirSync which supported writeback.

32013

OffBoardingError

PasswordResetService

This event indicates that the on-premises service could not properly communicate with the password reset web service to initiate the offboarding process. This may be because of a firewall rule or problem getting an authorization token for your tenant. To fix this, ensure that you are not blocking outbound connections over 443 or to https://ssprsbprodncu-sb.accesscontrol.windows.net/, and that the AAD admin account you are using to offboard is not federated.

32014

ServiceBusWarning

PasswordResetService

This event indicates that we had to retry to connect to your tenant’s service bus instance. Under normal conditions, this should not be a concern, but if you see this event many times, consider checking your network connection to service bus, especially if it’s a high latency or low-bandwidth connection.

32015

ReportServiceHealthError

PasswordResetService

In order to monitor the health of your Password Writeback service, we send heartbeat data to our password reset web service every 5 minutes. This event indicates that there was an error when sending this health information back to the cloud web service. This health information does not include any OII or PII data; it is purely a heartbeat and basic service statistics so that we can provide service status information in the cloud.

33001

ADUnKnownError

PasswordResetService

This event indicates that there was an unknown error returned by AD. Check the Azure AD Connect server event log for events from the ADSync source for more information about this error.

33002

ADUserNotFoundError

PasswordResetService

This event indicates that the user who is trying to reset or change a password was not found in the on-premises directory. This could occur when the user has been deleted on-premises but not in the cloud, or if there is an issue with sync. Check your sync logs, as well as the last few sync run details for more information.

33003

ADMutliMatchError

PasswordResetService

When a password reset or change request originates from the cloud, we use the cloud anchor specified during the setup process of Azure AD Connect to determine how to link that request back to a user in your on-premises environment. This event indicates that we found two users in your on-premises directory with the same cloud anchor attribute. Check your sync logs, as well as the last few sync run details for more information.

33004

ADPermissionsError

PasswordResetService

This event indicates that the Management Agent service account does not have the appropriate permissions on the account in question to set a new password. Ensure that the MA account in the user’s forest has Reset and Change password permissions on all objects in the forest. For more information on how to do this, see Step 4: Set up the appropriate Active Directory permissions.

33005

ADUserAccountDisabled

PasswordResetService

This event indicates that we attempted to reset or change a password for an account that was disabled on premises. Enable the account and try the operation again.

33006

ADUserAccountLockedOut

PasswordResetService

This event indicates that we attempted to reset or change a password for an account that was locked out on premises. Lockouts can occur when a user has tried a change or reset password operation too many times in a short period. Unlock the account and try the operation again.

33007

ADUserIncorrectPassword

PasswordResetService

This event indicates that the user specified an incorrect current password when performing a password change operation. Specify the correct current password and try again.

33008

ADPasswordPolicyError

PasswordResetService

This event occurs when the Password Writeback service attempts to set a password on your local directory which does not meet the password age, history, complexity, or filtering requirements of the domain.

  • If you have a minimum password age, and have recently changed the password within that window of time, you will not be able to change the password again until it reaches the specified age in your domain. For testing purposes, minimum age should be set to 0.
  • If you have password history requirements enabled, then you must select a password that has not been used in the last N times, where N is the password history setting. If you do select a password that has been used in the last N times, then you will see a failure in this case. For testing purposes, history should be set to 0.
  • If you have password complexity requirements, all of them will be enforced when the user attempts to change or reset a password.
  • If you have password filters enabled, and a user selects a password which does not meet the filtering criteria, then the reset or change operation will fail.

33009

ADConfigurationError

PasswordResetService

This event indicates there was an issue writing a password back to your on-premises directory due to a configuration issue with Active Directory. Check the Azure AD Connect machine’s Application event log for messages from the ADSync service for more information on what error occurred.

34001

ADPasswordPolicyOrPermissionError

PasswordResetService

DEPRECATED – This event is not present in Azure AD Connect, only very early builds of DirSync which supported writeback.

34002

ADNotReachableError

PasswordResetService

DEPRECATED – This event is not present in Azure AD Connect, only very early builds of DirSync which supported writeback.

34003

ADInvalidAnchorError

PasswordResetService

DEPRECATED – This event is not present in Azure AD Connect, only very early builds of DirSync which supported writeback.
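As an added example that is not part of this documentation or of Azure AD Connect, the following PowerShell script reads the PasswordResetService events from the Application log on the Azure AD Connect server, summarises the failure event IDs listed in the table above, and, when service bus or onboarding errors are present, probes the endpoint and ports those events name. It assumes the events are logged under the provider name PasswordResetService and that the account running it can read the Application log.

```powershell
# Added example (not part of the Azure AD documentation or Azure AD Connect).
# Assumes it runs on the Azure AD Connect server with rights to read the
# Application log, and that the events appear under the provider name
# 'PasswordResetService' used in the table above.
param([int]$Hours = 24)

# Failure event IDs and names taken from the table above.
$failureIds = @{
    31008 = 'ChangePasswordFail';      31011 = 'ResetUserPasswordByAdminFail'
    32000 = 'UnknownError';            32001 = 'ServiceError'
    32002 = 'ServiceBusError';         32004 = 'DecryptionError'
    32005 = 'ConfigurationError';      32009 = 'AuthTokenError'
    32010 = 'CryptoError';             32011 = 'OnBoardingServiceError'
    32013 = 'OffBoardingError';        32015 = 'ReportServiceHealthError'
    33001 = 'ADUnKnownError';          33002 = 'ADUserNotFoundError'
    33003 = 'ADMutliMatchError';       33004 = 'ADPermissionsError'
    33005 = 'ADUserAccountDisabled';   33006 = 'ADUserAccountLockedOut'
    33007 = 'ADUserIncorrectPassword'; 33008 = 'ADPasswordPolicyError'
    33009 = 'ADConfigurationError'
}

$filter = @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No PasswordResetService events in the last $Hours hours."
    return
}

# Start/Success events and heartbeats are normal; summarise only the failures.
$failures = @($events | Where-Object { $failureIds.ContainsKey($_.Id) })
'{0} events, {1} failures in the last {2} hours' -f $events.Count, $failures.Count, $Hours
$failures | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{ EventId = [int]$_.Name; Name = $failureIds[[int]$_.Name]; Count = $_.Count }
} | Format-Table -AutoSize

# Service bus and onboarding/offboarding errors usually mean outbound traffic is
# blocked; probe the endpoint and ports named in events 32002 and 32011.
if (@(32002, 32011, 32013) | Where-Object { $failures.Id -contains $_ }) {
    $sbHost = 'ssprsbprodncu-sb.accesscontrol.windows.net'
    foreach ($port in @(443) + (9350..9354)) {
        $r = Test-NetConnection -ComputerName $sbHost -Port $port -WarningAction SilentlyContinue
        # A closed port can also mean the endpoint does not listen there; a block
        # on TCP 443 is the one that matters most.
        '{0}:{1} -> {2}' -f $sbHost, $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}

# AD-side failures (33xxx) carry the exception text the table says to read.
$failures | Where-Object { $_.Id -ge 33001 } | Select-Object -First 3 | ForEach-Object {
    '{0} {1}: {2}' -f $_.TimeCreated, $failureIds[$_.Id], ($_.Message -split "`n")[0]
}
```

Run it from an elevated PowerShell session on the Azure AD Connect server; the failure summary tells you which of the remediations in the table to apply before restarting the sync service or re-enabling writeback.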

Troubleshoot Password Writeback connectivity

If you are experiencing service interruptions with the Password Writeback component of Azure AD Connect, here are some quick steps you can take to resolve this:

  1. Restart the Azure AD Connect Sync Service
  2. Disable and re-enable the Password Writeback feature
  3. Install the latest Azure AD Connect release

In general, we recommend that you execute these steps in the order above in order to recover your service in the most rapid manner.

Restart the Azure AD Connect Sync Service

Restarting the Azure AD Connect Sync Service can help to resolve connectivity issues or other transient issues with the service.

  1. As an administrator, click Start on the server running Azure AD Connect.
  2. Type “services.msc” in the search box and press Enter.
  3. Look for the Microsoft Azure AD Connect entry.
  4. Right-click on the service entry, click Restart, and wait for the operation to complete.

These steps will re-establish your connection with the cloud service and resolve any interruptions you may be experiencing. If restarting the Sync Service does not resolve your issue, we recommend that you try to disable and re-enable the Password Writeback feature as a next step.

Disable and re-enable the Password Writeback feature

Disabling and re-enabling the Password Writeback feature can help to resolve connectivity issues.

  1. As an administrator, open the Azure AD Connect configuration wizard.
  2. On the Connect to Azure AD dialog, enter your Azure AD global admin credentials.
  3. On the Connect to AD DS dialog, enter your AD Domain Services admin credentials.
  4. On the Uniquely identifying your users dialog, click the Next button.
  5. On the Optional features dialog, uncheck the Password write-back checkbox.
  6. Click Next through the remaining dialog pages without changing anything until you get to the Ready to configure page.
  7. Ensure that the configure page shows the Password write-back option as disabled and then click the green Configure button to commit your changes.
  8. On the Finished dialog, deselect the Synchronize now option, and then click Finish to close the wizard.
  9. Re-open the Azure AD Connect configuration wizard.
  10. Repeat steps 2-8, except ensure you check the Password write-back option on the Optional features screen to re-enable the service.

These steps will re-establish your connection with our cloud service and resolve any interruptions you may be experiencing.

If disabling and re-enabling the Password Writeback feature does not resolve your issue, we recommend that you try to re-install Azure AD Connect as a next step.

Install the latest Azure AD Connect release

Re-installing the Azure AD Connect package will resolve any configuration issues which may be affecting your ability to either connect to our cloud services or to manage passwords in your local AD environment. We recommend that you perform this step only after attempting the first two steps described above.

  1. Download the latest version of Azure AD Connect here.
  2. Since you have already installed Azure AD Connect, you will only need to perform an in-place upgrade to update your Azure AD Connect installation to the latest version.
  3. Execute the downloaded package and follow the on-screen instructions to update your Azure AD Connect machine. No additional manual steps are required unless you have customized the out of box sync rules, in which case you should back these up before proceeding with upgrade and manually re-deploy them after you are finished.

These steps will re-establish your connection with our cloud service and resolve any interruptions you may be experiencing.

If installing the latest version of the Azure AD Connect server does not resolve your issue, we recommend that you try disabling and re-enabling Password Writeback as a final step after installing the latest sync QFE.

If that does not resolve your issue, then we recommend that you take a look at Troubleshoot Password Writeback and the Azure AD Password Management FAQ to see if your issue may be discussed there.

Next steps

Below are links to all of the Azure AD Password Reset documentation pages:

  • Are you here because you're having problems signing in? If so, here's how you can change and reset your own password.
  • How it works - learn about the six different components of the service and what each does
  • Getting started - learn how to allow your users to reset and change their cloud or on-premises passwords
  • Customize - learn how to customize the look & feel and behavior of the service to your organization's needs
  • Best practices - learn how to quickly deploy and effectively manage passwords in your organization
  • Get insights - learn about our integrated reporting capabilities
  • FAQ - get answers to frequently asked questions
  • Learn more - go deep into the technical details of how the service works