Sometimes, users face issue while resetting their password via SSPR (Self Service Password Reset). In this post we will see one of the error while changing the password via SSPR. This is a hybrid environment and password hash sync is used.
First step is to check audit logs for users who is facing issue while resetting the password.
You can access the password reset audit logs via Microsoft Entra admin center. Under Protection>Password Reset>Audit Logs.
Filter the results for your target user and see the failure reasons. There could be multiple reasons
PasswordPolicyError
Error Event ID: 33008
Error Message: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified.
PasswordDoesnotComplyFuzzyPolicy
“PasswordDoesnotComplyFuzzyPolicy” indicates that the password you chose violated a security policy enforced by the system. This policy is likely in place to prevent weak or easily guessed passwords.
There are two main reasons you might see this error:
- Banned Password List: The password you selected might be on a list of banned passwords. This list typically contains common passwords, dictionary words, and other easily guessed phrases.
- Similar to a Previous Password: Your password might be too similar to a password you’ve used before. Some systems disallow using recent passwords again to improve security.
Here’s what you can do to fix the issue:
- Choose a Stronger Password: Make sure your password includes a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using personal information, dictionary words, or easily guessable phrases.
- Try a Different Password: If you’re unsure why the specific password was rejected, try creating a completely different one following strong password practices.
Troubleshooting via AADConnect Troubleshooter
There are two main built-in tools for troubleshooting AAD Connect:
- Microsoft Entra Connect Sync Troubleshooter: This PowerShell-based troubleshooter diagnoses specific object synchronization issues. You can launch it from the Microsoft Entra Connect wizard itself. It helps identify problems like UPN mismatches, filtering issues, and limitations due to linked mailboxes or dynamic groups.
- Microsoft Entra Connect Health: This built-in dashboard provides an overview of the health of your AAD Connect installation. It can surface errors related to sync, configuration, and connectivity.
Microsoft Entra Connect Sync Troubleshooter can help to resolve the issue with Password sync. Administrator can follow below steps to fix sync issues with an object.
Step 1: Launch Azure AD connect and click configure.
Step 2: Click on Troubleshoot and hit next button.
Step 3: Click on Launch button to launch the Azure AD connect Troubleshooting Tool.
Step 4: Select the Option 2 as we want to troubleshoot the password hash synchronization.
First it will check the connector health and after that you need to enter user distinguished name.
Conclusion
In this post we have seen some common errors in Password Reset audit windows. We have also provided the possible troubleshooting methods. In case it does not work for your environment, feel free to write in comment box.