Today I want to talk about a little issue I found when deploying SSPR at a customer. We enabled write back in AAD Connect, used a test group to start with in Azure AD, set all of our options up, created a new test user on prem and synced it up into the group.
Everything appeared to be working.
When we rolled it out to the general population (without forcing enrollment so most of production never even knew something was wrong when it broke) we started seeing some weird behavior on our existing users. When they would go to reset thier password we would get this error in the portal
And the Event Viewer on the AAD Connect server as well
Come to find out most existing accounts had the restriction of 'User cannot change password' set in their account options in Active Directory from some past project that the current admin was not aware of.
If your running into a similar situation maybe take a look there. This can be fixed either manually, with PowerShell, or as luck would have it this is one of the options you can set when you select multiple user objects in ADUC.
Good luck!