Thursday, February 28, 2019

SSPR Note From The Field

Hello Everyone!

Today I want to talk about a little issue I found when deploying SSPR at a customer. We enabled password write back in AAD Connect, started with a test group in Azure AD, set all of our options up, created a new test user on prem and synced it up into the group.

Everything appeared to be working. 

When we rolled it out to the general population (without forcing enrollment, so most of production never even knew something was wrong when it broke) we started seeing some weird behavior on our existing users. When they would go to reset their password we would get this error in the portal:




Except everything did meet the policy. We then traced it back using several logs. One place where nothing showed up was the Synchronization Service app on the AAD Connect server. Where we did see something was the Azure AD Audit Logs:




And in the Event Viewer on the AAD Connect server as well:


Come to find out, most existing accounts had the 'User cannot change password' restriction set in their account options in Active Directory, left over from some past project that the current admin was not aware of.



If you're running into a similar situation, take a look there. This can be fixed manually, with PowerShell, or, as luck would have it, it is one of the options you can set when you select multiple user objects in ADUC.
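As an added example (not from the original post), here is the PowerShell route: audit the accounts in scope for SSPR for the 'User cannot change password' restriction before remediating, since the flag is not a userAccountControl bit but a pair of Deny 'Change Password' ACEs on the user object, which is exactly what blocks the writeback. It assumes the RSAT ActiveDirectory module is installed and that the group name is a placeholder for your own pilot or production SSPR group.

```powershell
# Added example, not code from the original post.
# Assumptions: RSAT ActiveDirectory module is available; 'SSPR-Pilot-Users'
# is a placeholder group name to replace with your own.
Import-Module ActiveDirectory

$SsprGroup  = 'SSPR-Pilot-Users'   # placeholder, replace with your SSPR group
$ReportPath = Join-Path $env:TEMP 'sspr-cannot-change-password.csv'

# Resolve group members to user objects and pull the extended
# CannotChangePassword property. It is derived from the object's ACL rather
# than userAccountControl, so it must be requested explicitly.
$affected = Get-ADGroupMember -Identity $SsprGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties CannotChangePassword, PasswordNeverExpires, Enabled |
    Where-Object { $_.CannotChangePassword }

# Report first so the change set can be reviewed before anything is modified.
$affected |
    Select-Object SamAccountName, DistinguishedName, Enabled, PasswordNeverExpires |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($affected).Count) account(s) have 'User cannot change password' set. Report: $ReportPath"

# Remediation: clearing the flag removes the Deny 'Change Password' ACEs that
# stop SSPR writeback. -WhatIf shows what would change; remove it to apply.
$affected | Set-ADUser -CannotChangePassword $false -WhatIf
```

Run it once with `-WhatIf` and check the CSV against the Azure AD audit log failures you saw; the two lists should line up. Accounts that also have 'Password never expires' set are worth a second look, since both options tend to come from the same legacy provisioning.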

Good luck!