Troubleshoot cocky-service countersign reset in Azure Active Directory

  • Article
  • 13 minutes to read

Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users reset their passwords in the deject.

If you have problems with SSPR, the following troubleshooting steps and common errors may aid. You can as well watch this brusk video on the How to resolve the six about common SSPR terminate-user error letters.

If you tin't notice the answer to your problem, our support teams are ever bachelor to assist you farther.

SSPR configuration in the Azure portal

If you accept problems seeing or configuring SSPR options in the Azure portal, review the following troubleshooting steps:

I don't see the Password reset section nether Azure AD in the Azure portal.

You won't encounter if Countersign reset menu option if yous don't have an Azure AD license assigned to the administrator performing the operation.

To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.

I don't see a particular configuration option.

Many elements of the UI are subconscious until they're needed. Make certain the option is enabled earlier you look for the specific configuration options.

I don't see the On-premises integration tab.

On-premises password writeback is only visible if you've downloaded Azure Advertizement Connect and take configured the feature.

For more information, see Getting started with Azure Advert Connect.

SSPR reporting

If you have problems with SSPR reporting in the Azure portal, review the following troubleshooting steps:

I see an hallmark method that I have disabled in the Add together method option in combined registration.

The combined registration takes into account 3 policies to determine what methods are shown in Add method:

  • Self-service password reset
  • MFA
  • Authentication methods

If y'all disable app notifications in SSPR simply enable it in MFA policy, that selection appears in combined registration. For another example, if a user disables Office phone in SSPR, it is even so displayed as an choice if the user has the Phone/Office phone holding set.

I don't run into any countersign management action types in the Self-Service Password Management audit event category.

This tin happen if y'all don't have an Azure AD license assigned to the ambassador performing the operation.

To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.

User registrations show multiple times.

When a user registers, we currently log each individual piece of data that'south registered every bit a split event.

If yous want to aggregate this information and have greater flexibility in how you tin can view it, you tin can download the report and open the data as a pivot tabular array in Excel.

SSPR registration portal

If your users have bug registering for SSPR, review the following troubleshooting steps:

The directory isn't enabled for password reset. The user may see an error that reports, "Your ambassador has not enabled y'all to use this feature."

Yous can enable SSPR for all users, no users, or for selected groups of users. Simply i Azure Advertizing group can currently be enabled for SSPR using the Azure portal. Every bit function of a wider deployment of SSPR, nested groups are supported. Make certain that the users in the group(s) you choose have the advisable licenses assigned.

In the Azure portal, modify the Self-service password reset enabled configuration to Selected or All and so select Save.

The user doesn't have an Azure AD license assigned. The user may see an error that reports, "Your administrator has non enabled you to employ this feature."

But one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the grouping(s) you choose have the appropriate licenses assigned. Review the previous troubleshooting step to enable SSPR as required.

As well review troubleshooting steps to make sure that the ambassador performing the configuration options has a license assigned. To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve issues with licenses.

There's an error processing the asking.

Generic SSPR registration errors can be caused by many issues, but generally this error is acquired by either a service outage or a configuration issue. If y'all proceed to come across this generic error when you retry the SSPR registration process, contact Microsoft back up for boosted assist.

SSPR usage

If you or your users accept problems using SSPR, review the following troubleshooting scenarios and resolution steps:

Mistake Solution
The directory isn't enabled for password reset. In the Azure portal, change the Cocky-service password reset enabled configuration to Selected or All and and so select Save.
The user doesn't have an Azure Advertising license assigned. This can happen if you don't have an Azure Advertizing license assigned to the desired user. To assign a license to the ambassador business relationship in question, follow the steps to Assign, verify, and resolve issues with licenses.
The directory is enabled for password reset, just the user has missing or malformed authentication information. Make sure that user has properly formed contact data on file in the directory. For more information, run into Information used by Azure Advert self-service password reset.
The directory is enabled for countersign reset, merely the user has only ane slice of contact data on file when the policy is set up to require two verification methods. Make certain that the user has at to the lowest degree two properly configured contact methods. An example is having both a mobile phone number and an office phone number.
The directory is enabled for password reset and the user is properly configured, simply the user is unable to be contacted. This tin be the result of a temporary service mistake or if there's incorrect contact data that nosotros can't properly detect.

If the user waits 10 seconds, a link is displayed to "Try again" and "Contact your administrator". If the user selects "Try over again," it retries the call. If the user selects "Contact your administrator," it sends a form email to the administrators requesting a countersign reset to be performed for that user account.
The user never receives the password reset SMS or phone telephone call. This tin can exist the result of a malformed telephone number in the directory. Brand sure the phone number is in the format "+1 4251234567".

Countersign reset doesn't support extensions, even if you specify ane in the directory. The extensions are stripped earlier the call is made. Use a number without an extension, or integrate the extension into the phone number in your private branch exchange (PBX).
The user never receives the password reset email. The most common crusade for this problem is that the message is rejected past a spam filter. Check your spam, junk, or deleted items folder for the e-mail.

Also, make sure the user checks the right email account as registered with SSPR.
I've set a password reset policy, but when an admin business relationship uses countersign reset, that policy isn't applied. Microsoft manages and controls the administrator password reset policy to ensure the highest level of security.
The user is prevented from attempting a password reset too many times in a mean solar day. An automated throttling machinery is used to block users from attempting to reset their passwords too many times in a short menstruation of time. Throttling occurs the post-obit scenarios:
  • The user attempts to validate a telephone number 5 times in 1 60 minutes.
  • The user attempts to apply the security questions gate v times in one hour.
  • The user attempts to reset a password for the same user account five times in one hour.
If a user encounters this problem, they must wait 24 hours after the concluding endeavour. The user tin can then reset their password.
The user sees an error when validating their telephone number. This fault occurs when the telephone number entered doesn't match the phone number on file. Make sure the user is entering the consummate phone number, including the surface area and country code, when they endeavor to apply a phone-based method for password reset.
The user sees an fault when using their electronic mail address. If the UPN differs from the chief ProxyAddress/SMTPAddress of the user, the Sign-in to Azure AD with e-mail as an alternate login ID setting must exist enabled for the tenant.
There'due south an error processing the asking. Generic SSPR registration errors can be caused by many problems, but by and large this fault is caused by either a service outage or a configuration effect. If you continue to meet this generic error when you re-try the SSPR registration process, contact Microsoft back up for additional help.
On-premises policy violation The password doesn't meet the on-premises Active Directory password policy. The user must define a password that meets the complexity or strength requirements.
Password doesn't comply with fuzzy policy The password that was used appears in the banned password list and can't exist used. The user must ascertain a countersign that meets or exceeds the banned password list policy.

SSPR errors that a user might run across

The following errors and technical details may be shown to a user as office of the SSPR process. Ofttimes, the mistake isn't something they tin resolve themselves, as the SSPR feature needs to enabled, configured, or registered for their business relationship.

Use the following information to sympathize the trouble and what needs to be corrected on the Azure AD tenant or individual user account.

Error Details Technical details
TenantSSPRFlagDisabled = 9 We're sorry, you can't reset your password at this time because your administrator has disabled password reset for your organization. There is no further action y'all can take to resolve this situation. Please contact your admin and inquire them to enable this feature.

To learn more, see Aid, I forgot my Azure AD password.

 SSPR_0009: Nosotros've detected that password reset has not been enabled by your administrator. Please contact your admin and ask them to enable countersign reset for your arrangement.
WritebackNotEnabled = 10 Nosotros're sorry, you can't reset your password at this time because your administrator has not enabled a necessary service for your organization. There is no further activeness you tin can take to resolve this state of affairs. Please contact your admin and ask them to bank check your organization's configuration.

To learn more most this necessary service, run into Configuring countersign writeback.

 SSPR_0010: We've detected that password writeback has not been enabled. Please contact your admin and ask them to enable password writeback.
SsprNotEnabledInUserPolicy = 11 We're distressing, you tin can't reset your password at this time because your administrator has not configured countersign reset for your organization. At that place is no further action you can take to resolve this state of affairs. Contact your admin and ask them to configure countersign reset.

To learn more than about password reset configuration, run across Quickstart: Azure AD self-service password reset.

 SSPR_0011: Your arrangement has not defined a password reset policy. Please contact your admin and ask them to define a password reset policy.
UserNotLicensed = 12 We're sorry, you tin't reset your countersign at this fourth dimension because required licenses are missing from your arrangement. In that location is no further action yous tin take to resolve this situation. Please contact your admin and inquire them to bank check your license assignment.

To learn more most licensing, see Licensing requirements for Azure Advertizing self-service password reset.

 SSPR_0012: Your organization does not have the required licenses necessary to perform countersign reset. Please contact your admin and ask them to review the license assignments.
UserNotMemberOfScopedAccessGroup = 13 We're lamentable, you tin't reset your password at this fourth dimension because your ambassador has not configured your account to use countersign reset. There is no farther action you can take to resolve this situation. Please contact your admin and enquire them to configure your account for password reset.

To acquire more than about account configuration for password reset, run across Roll out password reset for users.

 SSPR_0013: You are non a fellow member of a group enabled for countersign reset. Contact your admin and request to be added to the grouping.
UserNotProperlyConfigured = fourteen We're deplorable, yous tin can't reset your password at this fourth dimension because necessary information is missing from your business relationship. In that location is no further activeness you can accept to resolve this situation. Please contact you admin and ask them to reset your password for y'all. After y'all accept admission to your account once more, you need to register the necessary information.

To annals information, follow the steps in the Register for self-service password reset article.

 SSPR_0014: Boosted security info is needed to reset your password. To go along, contact your admin and enquire them to reset your password. Later on y'all have access to your account, you can register additional security info at https://aka.ms/ssprsetup. Your admin can add together additional security info to your account by following the steps in Set up and read hallmark data for password reset.
OnPremisesAdminActionRequired = 29 We're sad, we tin't reset your countersign at this time because of a problem with your organization's password reset configuration. There is no further action you tin take to resolve this situation. Please contact your admin and ask them to investigate.

Or

We cannot reset your password at this time because of a problem with your arrangement's password reset configuration. There is no further action you can take to resolve this issue. Please contact your admin and ask them to investigate.

To learn more well-nigh the potential problem, see Troubleshoot password writeback.

 SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Please contact your admin and ask them to investigate.
OnPremisesConnectivityError = 30 Nosotros're sorry, nosotros can't reset your password at this time because of connectivity issues to your organization. At that place is no activity to take right now, but the trouble might be resolved if you try over again after. If the problem persists, please contact your admin and inquire them to investigate.

To learn more nearly connectivity problems, run across Troubleshoot countersign writeback connectivity.

 SSPR_0030: We tin't reset your countersign due to a poor connection with your on-premises surround. Contact your admin and ask them to investigate.

If you lot have general questions nearly Azure AD and self-service countersign reset, you tin can ask the community for assistance on the Microsoft Q&A question page for Azure Active Directory. Members of the community include engineers, product managers, MVPs, and fellow It professionals.

If you tin't find the answer to a problem, our support teams are always available to assist you lot farther.

To properly assist you, we ask that you provide as much detail as possible when opening a case. These details include the following:

  • General description of the error: What is the error? What was the behavior that was noticed? How tin nosotros reproduce the error? Provide as much detail equally possible.
  • Page: What page were yous on when you noticed the error? Include the URL if you're able to and a screenshot of the page.
  • Support code: What was the support code that was generated when the user saw the error?

    • To find this code, reproduce the error, then select the Back up lawmaking link at the bottom of the screen and send the support engineer the GUID that results.

      The support code is located at the bottom right of the web browser window.

    • If you're on a page without a support code at the bottom, select F12 and search for the SID and CID and transport those two results to the back up engineer.

  • Date, time, and time zone: Include the precise date and time with the time zone that the mistake occurred.
  • User ID: Who was the user who saw the error? An example is user@contoso.com.
    • Is this a federated user?
    • Is this a pass-through hallmark user?
    • Is this a password-hash-synchronized user?
    • Is this a cloud-only user?
  • Licensing: Does the user take an Azure Advert license assigned?
  • Application result log: If you're using countersign writeback and the error is in your on-bounds infrastructure, include a zipped copy of your application issue log from the Azure Ad Connect server.

Side by side steps

To learn more nearly SSPR, encounter How information technology works: Azure AD self-service password reset or How does self-service password reset writeback work in Azure AD?.