Recently, after deploying Azure Self-service Password Reset (SSPR) for a customer, I discovered some odd behavior. After we worked through the error tree, we finally worked out the issue. Since it wasn't documented yet (many other errors are!) in Microsoft's Knowledge Base, here it is.
In an organization with an on-premises Active Directory environment, you install and configure Azure Active Directory Connect (AAD Connect) to synchronize the environment with Azure Active Directory Premium.
You specify a service account in the on-premises Active Directory for Azure Active Directory Connect and, thus, for Azure Active Directory Sync. This account is known as the Active Directory Management Agent service account. You enable password write-back in the wizard.
After successful synchronization(s), you enable the Self-service Password Reset (SSPR) functionality in the Azure Active Directory portal.
Now, when people with on-premises Active Directory accounts try to perform a password reset through the MyApps portal, they receive an error:
Your request could not be processed
We're sorry, but we cannot reset your password at this time. Unfortunately, this is due to an unrecoverable issue with your account configuration, so trying again won't work. Please contact your admin to reset your password for you.
However, the Change password functionality in the MyApps portal does change the password successfully.
Additionally, when you check the Azure Active Directory reports (in the Azure portal, go to Active Directory, select your directory name, then Reports, and then Password Reset Activity), you see a line stating:
We encountered a problem while resetting the user's on-premises password. Check your sync machine's event log.
On the Windows installation running Azure Active Directory Sync, the Application log in Event Viewer (eventvwr.msc) contains error events with event ID 31003 and the specific text 'Access Denied'.
This issue occurs because the service account in the on-premises Active Directory environment for Azure Active Directory Sync does not have the appropriate rights to reset and/or change the password of the account belonging to the person trying to reset his/her password.
To correct this issue, perform these steps:
- Log on to an Active Directory Domain Controller, using a domain account with administrative permissions.
- Open Active Directory Users and Computers (dsa.msc).
- In the View Menu option, make sure Advanced Features is turned on.
- In the left panel, right-click the object that represents the root of the domain and select Properties from the context menu. Alternatively, choose the Organizational Unit (OU) containing the user accounts of the persons experiencing the above issue.
- Click on the Security tab.
- Then click Advanced.
- On the Permissions tab, click Add.
- Select the account you want to give permissions to (this is the same account that was specified while setting up sync for that forest).
- In the drop-down at the top, select Descendant User objects.
- In the Permission Entry dialog box that shows up, check the boxes for Reset Password and Change Password.
- Then click Apply/OK through all the open dialog boxes.
- Close the Active Directory Users and Computers MMC Snap-in.
- Log off.
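The same delegation can be scripted, which is useful when it has to be repeated across OUs or audited afterwards. The PowerShell below is an added example and not part of the original post; it assumes the ActiveDirectory module is available, and the service account name and target distinguished name are placeholders you must replace with the Active Directory Management Agent account and the domain root (or OU) from the steps above. The schema and control-access-right GUIDs are the well-known fixed values for the user class and the Reset Password / Change Password rights. The last two functions are the checks a practitioner wants afterwards: confirming the two entries are present on the ACL and looking for the event ID 31003 errors described earlier.

```powershell
# Added example, not from the original post.
# Grants the Active Directory Management Agent (AAD Connect) service account the
# "Reset Password" and "Change Password" rights on all descendant user objects,
# the equivalent of the ADUC steps above.

Import-Module ActiveDirectory

# Placeholders: replace with the account chosen in the AAD Connect wizard and the
# distinguished name of the domain root or the OU holding the affected users.
$ServiceAccount = 'CORP\MSOL_PLACEHOLDER'
$TargetDN       = 'DC=corp,DC=example,DC=com'

# Well-known GUIDs; these are the same in every Active Directory forest.
$UserClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # user object class
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # User-Force-Change-Password ("Reset Password")
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b' # User-Change-Password ("Change Password")

function Grant-PasswordWritebackRights {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$DistinguishedName
    )

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    foreach ($rightGuid in @($ResetPasswordGuid, $ChangePasswordGuid)) {
        # ExtendedRight + the control-access-right GUID selects exactly one right;
        # Descendents + the user class GUID scopes it to "Descendant User objects"
        # without touching the container itself.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $rightGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $UserClassGuid)
        $acl.AddAccessRule($ace)
    }

    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

function Test-PasswordWritebackRights {
    # Returns the ACEs granted to the service account that carry one of the two
    # password rights, so you can confirm both are present after the change.
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$DistinguishedName
    )

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -and
        ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq $ChangePasswordGuid)
    }
}

function Get-WritebackAccessDeniedEvents {
    # Run on the sync server: lists the Application log errors with event ID 31003
    # that mention 'Access Denied', the symptom described in the post.
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 31003 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Access Denied*' } |
        Select-Object TimeCreated, Id, Message
}

# Usage (run as a domain administrator on a machine with the AD module):
Grant-PasswordWritebackRights -Account $ServiceAccount -DistinguishedName $TargetDN
Test-PasswordWritebackRights  -Account $ServiceAccount -DistinguishedName $TargetDN |
    Format-Table IdentityReference, ObjectType, InheritanceType
```

After granting the rights, have an affected user retry the reset and re-run Get-WritebackAccessDeniedEvents on the sync server; if the delegation was applied to the correct container, no new 31003 'Access Denied' events should appear for that attempt.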
You experience the 'Your request could not be completed' error when a person tries to use the Azure Self-service Password Reset (SSPR) functionality and the Active Directory Management Agent does not have the Reset Password and/or Change Password rights to the account in the on-premises Active Directory environment.