unable to reset password for domain user in Entra

Question

unable to reset password for domain user in Entra

Dan D 0

I have tried over the past two weeks to reset a user password, and my user tried just today, as did I, as we were on a Teams call. The error states, "We're sorry, we're not able to reset this user's password right now. This may be due to temporary issues on our end. Please wait a few minutes and try again."

I've waited many minutes and am now seeking assistance. Thank you

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-09T01:33:57.8+00:00

Hello Dan D,

Could you provide some details about the scenario?

Have you ever able to reset the password or this is the first time

Is this issue for few users or all users

Do you have on-prem environment and if so, please let us know if you have enabled the option "User cannot change password" on your domain controller. If so, he will not be able to change his password

If you don't have on-prem environment, let us know the Identity Provider of he user login which you can see in user's sign-in logs

Did he tried to change password at below url

https://passwordreset.microsoftonline.com/

Have you enabled SSPR in your tenant?

Ref : https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr
Dan D 0 Reputation points

2025-05-09T01:44:30.2566667+00:00

yes, we have been able to reset in the past.

We did have an on-prem server back in 2018, but it's been long dead. Having said that, the scripts that MS provided to decommission on prem servers never worked and Entra still states that there are onprem servers alive for both my and the idea we are trying to change.

I am the global admin and I cannot change the password in the Entra app. This is where the error is surfacing. He is permitted to change his own password and had been able to do it in the past. This domain has been active with E5 services for security and office since 2017.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-09T10:24:34.2733333+00:00

Hello Dan D,

Please let us know the identifier for the effected user.

You can see it by navigating to Entra ID portal - users -effected user - overview - properties as shown in below screenshot.

As user is able to authenticate now, the identifier shows the name of the tenant.

Have you enabled SSPR in the tenant?

If so, you can add the user to reset the password through SSPR.

I reproduced the scenario by un-installing AD-Connect in which PHS was configured previously. (Connectivity has lost from on-prem to cloud)

Then my synced user is able to authenticate on cloud and then I have enabled MFA for the user.

I enabled SSPR and added this user in the group and added this group to SSPR configuration.

When this user access https://passwordreset.microsoftonline.com he was able to reset the password through MFA.

I request you to try the above method to reset his password.

Please refer below document on SSPR

https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr
Dan D 0 Reputation points

2025-05-09T12:47:47.9566667+00:00

Hello, please see the following related to this user.

Object ID = XXXX-XXXXX-XXXX

Identity = XXXXX.onmicrosoft.com

Yes, SSPR is set for Selected and then Primary. Primary includes AllCompany, which he is a part of. He could reset his own password prior to the full Entra migration.

Which group did you add? I can attempt to make him an admin of a group and see if he can use SSPR - it would at least get us past that, but it doesn't explain why I can't reset his password in Entra as the Global Admin. I should be All Powerful to my domain, if my understanding is correct, once I enabled this level of permission.

Is SSPR now more powerful than the admin resetting passwords on their own?

We have had MFA enabled for years as well, so this should not be an issue unless you tell me to disable and re-enable as a trial.
Dan D 0 Reputation points

2025-05-09T12:51:23.7933333+00:00

As a trial to disconnect the on-prem AD sync, which is not available any longer because this server was decommissioned, as previously explained, I disabled writeback. Now, when as an admin, I try to reset the password, I get this error.

Unfortunately, you cannot reset this user's password because password writeback is not enabled in your tenant.

Learn how to configure password writeback.

Of course, I can re-enable it, but it accurately reports that the sync server is not online, and it will never be. Again, I spent days last year trying to disconnect this server with scripts MS provided, but each and every one was depreciated in the server versions as I tried them and I simply had to decommission the server.
Dan D 0 Reputation points

2025-05-09T12:57:38.92+00:00

on more item. I attempted to use the MFA migration wizard, which will be required by September 30, 2025. Upon launching this migration, this failed as well.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-13T08:15:22.38+00:00

Hello Dan D,

While configuring SSPR, we cannot add uses directly. We need to add groups in SSPR.

I have created a group and added this test user and configured it.

If the synced user's password is available in cloud (when PHS was configured with Entra-ID Connect) the effected user or any User Admin can change password.

So, I request you to check the sign-in logs of the effected user to verify if he is configured with PHS.

We can see it by navigating to effected user - sign-in logs - Authentication Details - Authentication method detail.

Here my user is already synced to cloud with PHS and then Entra-ID is removed. So, his password is available at cloud and is able to authenticate.

And password-writeback is the option if PTA (pas-through authentication) is enabled in Entra-ID Connect and Domain Controller is in active state. In this scenario, when password-writeback is enabled, user can reset his password from cloud which will replicate on domain controller. If it is not enabled, he cannot reset password from cloud even Domain Controller is available.

I request you to share the sign-in logs through private message to better understand the issue.
Dan D 0 Reputation points

2025-05-13T15:17:50.8833333+00:00

As noted above, I enabled SSPR and then there is a group called Primary, which is selected. Curtis belongs to this group.

Please offer other suggestions. I am not that impressed with this form of help on such a critical issue, btw, but this is not your fault. I will comment on this to Microsoft at a later time and be clear on this issue. Thanks,
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-16T08:03:27.0633333+00:00

Hello Dan D,

As mentioned in my private chat, did you get a chance to check with effected user accessing the below url to reset his password?

https://passwordreset.microsoftonline.com

Please check if the user's immutable ID is cleared by running the below command.

Get-MgUser -UserId "*****@domain.com" | Select-Object DisplayName, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled*

Here, if it shows the Immutable ID is null and OnPremisesSycnEnabled is true Entra ID won't let you reset password because it still believes the source of authority is on-premises.

And also I request you to check if you on-premises domain is still verified and stay healthy in your tenant.

If your domain is not verified in the tenant, you should change user upn to your .onmicrosoft domain name.

You can follow the below command to convert your effected user to your native .onmicrosoft.com user account.

Update-MgUser -UserId "@domain.com" -UserPrincipalName "@M365xxxxxxxxx.onmicrosoft.com"
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-19T00:58:06.16+00:00

Hello Dan D,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-22T01:50:34.9333333+00:00

Hello Dan D,

We haven’t heard from you on the last response and was just checking back to see if you are able to reset the password for the effected user. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Dan D 0 Reputation points

2025-05-22T16:33:13.74+00:00

Hello, there is no resolution. Curtis just tried minutes ago and continues to receive the error message, 'connectivity problems with your organization.' He can get in with FaceID, but cannot change the password.

This issue could be a very serious one, and could become one, if he loses, or I lose, my password authentication entirely. we have been doing this dance for over a week - could you please escalate this to another level? Thank you
SrideviM 3,980 Reputation points Microsoft External Staff Moderator

2025-05-23T08:06:52.4+00:00

Hello Dan D,

Thanks for the update. I’ve got your case. Let me review the details and get back to you. In the meantime, please share your availability and time zone in the private messages window.

1 answer

Your answer

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-09T01:33:57.8+00:00

Hello Dan D,

Could you provide some details about the scenario?

Have you ever able to reset the password or this is the first time

Is this issue for few users or all users

Do you have on-prem environment and if so, please let us know if you have enabled the option "User cannot change password" on your domain controller. If so, he will not be able to change his password

If you don't have on-prem environment, let us know the Identity Provider of he user login which you can see in user's sign-in logs

Did he tried to change password at below url

https://passwordreset.microsoftonline.com/

Have you enabled SSPR in your tenant?

Ref : https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr
Dan D 0 Reputation points

2025-05-09T01:44:30.2566667+00:00

yes, we have been able to reset in the past.

We did have an on-prem server back in 2018, but it's been long dead. Having said that, the scripts that MS provided to decommission on prem servers never worked and Entra still states that there are onprem servers alive for both my and the idea we are trying to change.

I am the global admin and I cannot change the password in the Entra app. This is where the error is surfacing. He is permitted to change his own password and had been able to do it in the past. This domain has been active with E5 services for security and office since 2017.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-09T10:24:34.2733333+00:00

Hello Dan D,

Please let us know the identifier for the effected user.

You can see it by navigating to Entra ID portal - users -effected user - overview - properties as shown in below screenshot.

As user is able to authenticate now, the identifier shows the name of the tenant.

Have you enabled SSPR in the tenant?

If so, you can add the user to reset the password through SSPR.

I reproduced the scenario by un-installing AD-Connect in which PHS was configured previously. (Connectivity has lost from on-prem to cloud)

Then my synced user is able to authenticate on cloud and then I have enabled MFA for the user.

I enabled SSPR and added this user in the group and added this group to SSPR configuration.

When this user access https://passwordreset.microsoftonline.com he was able to reset the password through MFA.

I request you to try the above method to reset his password.

Please refer below document on SSPR

https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr
Dan D 0 Reputation points

2025-05-09T12:47:47.9566667+00:00

Hello, please see the following related to this user.

Object ID = XXXX-XXXXX-XXXX

Identity = XXXXX.onmicrosoft.com

Yes, SSPR is set for Selected and then Primary. Primary includes AllCompany, which he is a part of. He could reset his own password prior to the full Entra migration.

Which group did you add? I can attempt to make him an admin of a group and see if he can use SSPR - it would at least get us past that, but it doesn't explain why I can't reset his password in Entra as the Global Admin. I should be All Powerful to my domain, if my understanding is correct, once I enabled this level of permission.

Is SSPR now more powerful than the admin resetting passwords on their own?

We have had MFA enabled for years as well, so this should not be an issue unless you tell me to disable and re-enable as a trial.
Dan D 0 Reputation points

2025-05-09T12:51:23.7933333+00:00

As a trial to disconnect the on-prem AD sync, which is not available any longer because this server was decommissioned, as previously explained, I disabled writeback. Now, when as an admin, I try to reset the password, I get this error.

Unfortunately, you cannot reset this user's password because password writeback is not enabled in your tenant.

Learn how to configure password writeback.

Of course, I can re-enable it, but it accurately reports that the sync server is not online, and it will never be. Again, I spent days last year trying to disconnect this server with scripts MS provided, but each and every one was depreciated in the server versions as I tried them and I simply had to decommission the server.
Dan D 0 Reputation points

2025-05-09T12:57:38.92+00:00

on more item. I attempted to use the MFA migration wizard, which will be required by September 30, 2025. Upon launching this migration, this failed as well.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-13T08:15:22.38+00:00

Hello Dan D,

While configuring SSPR, we cannot add uses directly. We need to add groups in SSPR.

I have created a group and added this test user and configured it.

If the synced user's password is available in cloud (when PHS was configured with Entra-ID Connect) the effected user or any User Admin can change password.

So, I request you to check the sign-in logs of the effected user to verify if he is configured with PHS.

We can see it by navigating to effected user - sign-in logs - Authentication Details - Authentication method detail.

Here my user is already synced to cloud with PHS and then Entra-ID is removed. So, his password is available at cloud and is able to authenticate.

And password-writeback is the option if PTA (pas-through authentication) is enabled in Entra-ID Connect and Domain Controller is in active state. In this scenario, when password-writeback is enabled, user can reset his password from cloud which will replicate on domain controller. If it is not enabled, he cannot reset password from cloud even Domain Controller is available.

I request you to share the sign-in logs through private message to better understand the issue.
Dan D 0 Reputation points

2025-05-13T15:17:50.8833333+00:00

As noted above, I enabled SSPR and then there is a group called Primary, which is selected. Curtis belongs to this group.

Please offer other suggestions. I am not that impressed with this form of help on such a critical issue, btw, but this is not your fault. I will comment on this to Microsoft at a later time and be clear on this issue. Thanks,
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-16T08:03:27.0633333+00:00

Hello Dan D,

As mentioned in my private chat, did you get a chance to check with effected user accessing the below url to reset his password?

https://passwordreset.microsoftonline.com

Please check if the user's immutable ID is cleared by running the below command.

Get-MgUser -UserId "*****@domain.com" | Select-Object DisplayName, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled*

Here, if it shows the Immutable ID is null and OnPremisesSycnEnabled is true Entra ID won't let you reset password because it still believes the source of authority is on-premises.

And also I request you to check if you on-premises domain is still verified and stay healthy in your tenant.

If your domain is not verified in the tenant, you should change user upn to your .onmicrosoft domain name.

You can follow the below command to convert your effected user to your native .onmicrosoft.com user account.

Update-MgUser -UserId "@domain.com" -UserPrincipalName "@M365xxxxxxxxx.onmicrosoft.com"
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-19T00:58:06.16+00:00

Hello Dan D,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-22T01:50:34.9333333+00:00

Hello Dan D,

We haven’t heard from you on the last response and was just checking back to see if you are able to reset the password for the effected user. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Dan D 0 Reputation points

2025-05-22T16:33:13.74+00:00

Hello, there is no resolution. Curtis just tried minutes ago and continues to receive the error message, 'connectivity problems with your organization.' He can get in with FaceID, but cannot change the password.

This issue could be a very serious one, and could become one, if he loses, or I lose, my password authentication entirely. we have been doing this dance for over a week - could you please escalate this to another level? Thank you
SrideviM 3,980 Reputation points Microsoft External Staff Moderator

2025-05-23T08:06:52.4+00:00

Hello Dan D,

Thanks for the update. I’ve got your case. Let me review the details and get back to you. In the meantime, please share your availability and time zone in the private messages window.

Answer 1

Hello @Dan D,

Thank you for connecting with me offline.

As we observed, the affected users in your tenant still have the on-premises sync status enabled, which is the primary reason you're unable to reset their passwords from the Azure portal. Since your on-premises Active Directory was decommissioned some time ago, we needed to convert these synced users into cloud-only users.

To achieve this, we followed the steps below using Microsoft Graph Explorer to disable directory synchronization:

Open Microsoft Graph Explorer.
Sign in using a Global Administrator account.
Use the following PATCH request (replace {organization-id} with your actual Tenant ID):

PATCH https://graph.microsoft.com/beta/organization/{organization-id} (Replace org id with Tenant ID)

Navigate to the Modify Permissions tab and grant Organization.ReadWrite.All permission (consent on behalf of the organization).
In the Request Body, enter the following JSON:

{
  "onPremisesSyncEnabled": false
}

Click Run Query.

Note: It may take 4–5 minutes for the changes to reflect in the Azure portal.

User's image

After completing these steps, the synced users were successfully converted to cloud-only users, and you are now able to reset their passwords via the Azure portal.

Share via

unable to reset password for domain user in Entra

1 answer

Your answer