We recently saw an issue with Azure AD self-service password reset (SSPR). It’s been working fine for us for ages, ever since we first configured it using DirSync, but recently users started seeing the following message:
Get back into your account
Please contact your admin
We’ve detected that your user account password is not managed by Microsoft. As a result, we are unable to automatically reset your password.
You will need to contact your admin or helpdesk for any further assistance.
As we’d made no changes, we were obviously concerned!
Initially I took the following steps to try and resolve the issue:
- Ensured that the OS patch levels of the servers (Azure AD Connect, ADFS, WAP) were up-to-date, which they were.
- Upgraded Azure AD Connect to the most recent version. The version we were running was a little behind, but not significantly so. During the upgrade process, the wizard takes you through what you’d normally see if you reconfigure Azure AD Connect and select the ‘customize synchronization options’ task. The optional features selected were still the same as we’d picked the previous time we’d upgraded, and included ‘password writeback’.
Unfortunately none of the steps taken above made any difference.
Looking in the configuration page for Azure AD in the old portal, I noticed that the ‘Password write back service status’ was still set to ‘Not configured’:
Which, bearing in mind I’d just upgraded Azure AD Connect and been through the configuration wizard and seen that this option was ticked, should not as far as I was concerned be the case.
To correct the issue therefore, I took the following steps:
- Launched the configuration of Azure AD Connect and selected the ‘customize synchronization options’ task.
- When presented with the optional features configuration page of the wizard, unticked the ‘password writeback’ option and then completed the configuration.
- Repeated the above steps, but this time ensured that the ‘password writeback’ option was ticked:
Checking the configuration page in the old Azure Portal again, the status of the ‘Password write back service’ is now ‘Configured’ and the correct SSPR prompts are again being displayed to users.