Office 365 Azure AD Password Writeback Errors

Issue

Password writeback has been enabled as an optional feature in Azure AD Connect. When a user tries to change the password of a newly created account (created the same day in the on-premises AD) from Office 365, the following error is shown:

“This password does not meet the length, complexity, age, or history requirements of your corporate password policy.”

[Screenshot: PassChangeError]

Investigation

When the password change fails, the following error event is logged in the Application log on the AD Domain Controller.

Log Name: Application
Source: PasswordResetService
Event ID: 33008
Level: Error
Computer: x500dc01v.x500.local
Description:
TrackingId: 2291a914-3fa9-4eea-911b-bd83fa9f8398, Reason: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified., Context: cloudAnchor: User_607cb053-78f6-42b8-b287-47452679f422, SourceAnchorValue: hIlcCMnOmkC75m8sgqXCeA==, UserPrincipalName: SteveITPSTest1@x500.co.uk, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified.
at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
at AADPasswordReset.SynchronizationEngineManagedHandle.ChangePassword(String cloudAnchor, String sourceAnchor, String oldPassword, String newPassword)
at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ChangePassword(String changePasswordXMLRequestString)
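The two event IDs shown on this page (33008 for a failed change, 31007 for ChangePasswordSuccess) are the quickest way to tell whether a writeback problem is on the cloud side or in the on-premises policy. The following PowerShell snippet is an added example, not code from the original post; it assumes it runs on the server that logs these events with permission to read the Application log, and it parses the TrackingId, UPN and sync engine hr code out of the event description so failures can be correlated with the user's report.

```powershell
# Added example (not from the original post): summarise PasswordResetService
# writeback events from the Application log by user and outcome.
# Assumption: run on the server that logs these events (x500dc01v in the post),
# with rights to read the Application log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'
    Id           = 33008, 31007        # 33008 = change failed, 31007 = ChangePasswordSuccess
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $msg = $e.Message

    # The description carries a correlation id, the UPN and (on failure) the sync engine hr code.
    $tracking = if ($msg -match 'TrackingId:\s*([0-9a-fA-F-]{36})') { $Matches[1] } else { $null }
    $upn      = if ($msg -match 'UserPrincipalName:\s*([^,\s]+)')     { $Matches[1] } else { $null }
    $hr       = if ($msg -match 'hr=([0-9A-Fa-f]{8})')                { $Matches[1] } else { $null }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        Outcome    = if ($e.Id -eq 31007) { 'Success' } else { 'Failed' }
        User       = $upn
        HResult    = $hr          # 80230619 on this page: "A restriction prevents the password from being changed"
        TrackingId = $tracking
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` to keep a record; a failed event followed by a success for the same UPN after the policy change is the confirmation the resolution section below describes.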

This is caused by the Minimum password age policy setting, which in this instance is defined in the Default Domain GPO. The setting specifies how long (in days) a password must be in use before the user is permitted to change it.

The minimum password age is set to 1 day.

[Screenshot: MinPassAge1]
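Before changing a domain-wide policy it is worth confirming that the minimum password age is really what blocks a given account, since a fine-grained password policy can override the domain default for some users. This PowerShell function is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is available and uses the post's test UPN as a sample input.

```powershell
# Added example (not from the original post): report whether a user is currently
# blocked from changing their password by the effective minimum password age.
# Assumption: ActiveDirectory module installed; the UPN below is the post's test account.
Import-Module ActiveDirectory

function Test-PasswordChangeAllowed {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties PasswordLastSet
    if (-not $user) { throw "User $UserPrincipalName not found" }

    # The resultant policy is the fine-grained policy (PSO) if one applies to the user;
    # otherwise fall back to the domain default that the Default Domain GPO writes.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    # pwdLastSet of 0 ("must change at next logon") surfaces as a null PasswordLastSet.
    $earliest = if ($user.PasswordLastSet) { $user.PasswordLastSet + $policy.MinPasswordAge } else { $null }

    [pscustomobject]@{
        User            = $user.UserPrincipalName
        PasswordLastSet = $user.PasswordLastSet
        MinPasswordAge  = $policy.MinPasswordAge
        ChangeAllowedAt = $earliest
        AllowedNow      = ($policy.MinPasswordAge -eq [TimeSpan]::Zero) -or
                          (-not $earliest) -or ($earliest -le (Get-Date))
    }
}

Test-PasswordChangeAllowed -UserPrincipalName 'SteveITPSTest1@x500.co.uk'
```

If `AllowedNow` is `$false` for an account created today with a 1-day minimum age, the domain setting is the cause, as on this page. Note that a minimum password age of 0 lets a user change the password repeatedly in one sitting, which is how the Enforce password history count gets cycled through to return to an old password; where that matters, a fine-grained password policy with MinPasswordAge 0 scoped to the accounts that need immediate changes keeps the domain-wide minimum age in place.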

Resolution

Change the value to 0, allowing passwords to be changed immediately.

[Screenshot: MinPassAge0]

The password change is now successful from Office 365.

The following information event is logged in the Application log on the AD Domain Controller.

Log Name: Application
Source: PasswordResetService
Event ID: 31007
Level: Information
Computer: x500dc01v.x500.local
Description:
TrackingId: 4cede863-5428-4323-b9a2-68a72c331a7e, ChangePasswordSuccess, Details: Context: cloudAnchor: User_607cb053-78f6-42b8-b287-47452679f422, SourceAnchorValue: hIlcCMnOmkC75m8sgqXCeA==, UserPrincipalName: SteveITPSTest1@x500.co.uk
