Azure AD Password Reset Fails - ADAdminActionRequired ( Writeback & Pass Through AuthN Mode )

  • Question

  • When I try to reset the password for an on-prem account from Azure AD, it fails with the reason stating ADAdminActionRequired.

    This is happening inconsistently for a few accounts. Any solution would be appreciated.

    Thanks in Advance

    Friday, July 5, 2019 10:46 AM

All replies

  • Hey, can you please provide a screenshot of the error you're getting? And can you please provide some context in regard to "resetting password for on-prem account from AAD"?

    And you say that it happens inconsistently, does that mean it works sometimes for X accounts, but sometimes it doesn't work properly for X accounts? 

    Or does it not work for Y accounts, but you have a different subsection of X accounts where the password reset is working? 

    As there are some settings that need to be configured for password-writeback,

    Please see : https://serverfault.com/questions/912967/password-reset-not-working-because-password-writeback-not-working-in-portal-azur

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

    Please let us know if there are any more questions within the scope of this thread, or please remember to mark a response as answer.

    Friday, July 5, 2019 9:30 PM
    Moderator
  • Hi Frank,

    Here is the context. 

    User XYZ (xyz@org.onmicrosoft.com) is able to reset the password using the SSPR portal.

    When Global Admin abc@org.onmicrosoft.com tries to reset the password for the same user XYZ, it throws the below error in the event log, although I gave full permission to the AD DS account (MSOL_Account).


     Reason: Synchronization Engine returned an error hr=80231367, message=Requesting user was denied access to perform the operation on a privileged account., Context: cloudAnchor: User_d487c11a-f5fe-4165-810e-c3e87ae3cb90, SourceAnchorValue: XxuQivjj1EKd7L017h+taw==, AdminUpn: abc@org.onmicrosoft.com, UserPrincipalName: xyz@org.onmicrosoft.com, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80231367, message=Requesting user was denied access to perform the operation on a privileged account.
       at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
       at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)
       at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPasswordByAdmin(String resetUserPasswordByAdminXmlRequestString)

    Thanks,

    Manoj

    Monday, July 8, 2019 1:09 PM
  • I see, is this account synced from an on-premises scenario? Can you check your password writeback permissions in AAD Connect to make sure that all your permissions are properly configured?

    See this doc : https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

    Tuesday, July 9, 2019 8:42 PM
    Moderator
  • We have already enabled permissions for the account specified in AADC as provided in the link https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback . However, what we have observed in our environment is that the permissions of this account do not get inherited by a few users, or get overwritten, and specific user accounts are unable to reset their passwords; the error message says "Your organization has not enabled this feature". We would like to understand why this issue is specific to a few users, and any possible solution or pointers would be greatly helpful.

    Wednesday, July 10, 2019 9:06 AM
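The poster above reports that the AAD Connect account's permissions are not inherited by some users, and the event-log entry earlier in the thread refers to a "privileged account". A practitioner would check both on the affected user objects: whether ACL inheritance is blocked (and whether the object carries adminCount=1, which AdminSDHolder protection sets while it strips inherited ACEs), and whether the sync account actually holds the rights the writeback doc requires (the "Reset Password" extended right and write access to pwdLastSet and lockoutTime). The script below is an added example, not code from the thread or from Microsoft; the sync account name 'CONTOSO\MSOL_abc123' and the user list are assumptions to replace with your own. It resolves the rights GUIDs from the forest instead of hard-coding them.

```powershell
# Added diagnostic (not from the thread). Requires the RSAT ActiveDirectory module.
# Assumptions: the AADC AD DS account and the sAMAccountNames below are placeholders.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\MSOL_abc123'   # assumption: your AAD Connect AD DS account
$Users       = @('xyz', 'user2')       # assumption: accounts that fail admin reset

$rootDse = Get-ADRootDSE

# Resolve the "Reset Password" extended right GUID from the configuration partition.
$resetPwdGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# Resolve an attribute's schemaIDGUID so we can match per-attribute WriteProperty ACEs.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$attrGuids = @{
    pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
    lockoutTime = Get-SchemaGuid 'lockoutTime'
}

# True if any of the sync account's Allow ACEs grants the right $Right on object $Guid
# (or on all objects, i.e. ObjectType is the empty GUID).
function Test-Ace($Aces, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$Guid) {
    foreach ($ace in $Aces) {
        if ($ace.ActiveDirectoryRights.HasFlag($Right) -and
            ($ace.ObjectType -eq $Guid -or $ace.ObjectType -eq [guid]::Empty)) {
            return $true
        }
    }
    return $false
}

function Test-WritebackAcl([string]$SamAccountName) {
    $user = Get-ADUser $SamAccountName -Properties adminCount, nTSecurityDescriptor
    $acl  = $user.nTSecurityDescriptor

    # Only ACEs that name the sync account and allow access matter here.
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and $_.AccessControlType -eq 'Allow'
    }

    [pscustomobject]@{
        User               = $user.SamAccountName
        AdminCount         = $user.adminCount                 # 1 => AdminSDHolder-protected
        InheritanceBlocked = $acl.AreAccessRulesProtected     # $true => inherited ACEs are not applied
        SyncAceCount       = @($aces).Count
        AnySyncAceInherited = [bool](@($aces | Where-Object IsInherited).Count)
        HasResetPassword   = Test-Ace $aces ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) $resetPwdGuid
        HasWritePwdLastSet = Test-Ace $aces ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) $attrGuids.pwdLastSet
        HasWriteLockoutTime = Test-Ace $aces ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) $attrGuids.lockoutTime
    }
}

$Users | ForEach-Object { Test-WritebackAcl $_ } | Format-Table -AutoSize
```

Compare the rows for a user whose admin reset works against one whose reset fails. A failing user showing AdminCount = 1 or InheritanceBlocked = $true with SyncAceCount = 0 explains why rights granted at the OU or domain level never reach that object; the remedy for protected accounts is a policy question (removing the account from the protected group, or accepting that writeback is not available for it) rather than an ACL edit, since AdminSDHolder reapplies its ACL on a schedule.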
  • There is probably either something custom about these accounts or they don't have a writeback configuration setting enabled. My suggestion is to file a support ticket as your environment is custom to you and there isn't much we can do other than to suggest looking through the event logs of the on-prem to see if any issues related to the SSPR popped up. 

    Please go ahead and file a support ticket with Microsoft to continue looking into this issue, I apologize for the inconvenience, in addition to that please remember to mark a response as answer and if there are any more issues within the scope of this thread please let me know.

    Wednesday, July 10, 2019 11:16 PM
    Moderator
  • I'm following up on this, please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions.
    Friday, July 12, 2019 12:15 AM
    Moderator
  • I'm following up on this, please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions.

    Thanks!

    Friday, July 12, 2019 9:43 PM
    Moderator