Primary User Is Required! Please Try Again
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Troubleshoot cocky-service countersign reset in Azure Active Directory
Azure Active Directory (Azure Advert) self-service countersign reset (SSPR) lets users reset their passwords in the cloud.
If you lot have problems with SSPR, the following troubleshooting steps and common errors may help. You can likewise watch this short video on the How to resolve the 6 most mutual SSPR end-user mistake messages.
If you can't find the respond to your problem, our back up teams are always bachelor to aid yous farther.
SSPR configuration in the Azure portal
If yous have issues seeing or configuring SSPR options in the Azure portal, review the post-obit troubleshooting steps:
I don't come across the Countersign reset section under Azure Ad in the Azure portal.
You won't see if Password reset menu selection if you lot don't have an Azure Advertising license assigned to the administrator performing the operation.
To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.
I don't come across a particular configuration option.
Many elements of the UI are subconscious until they're needed. Make sure the option is enabled before you wait for the specific configuration options.
I don't see the On-premises integration tab.
On-premises password writeback is only visible if you've downloaded Azure AD Connect and have configured the characteristic.
For more data, run across Getting started with Azure AD Connect.
SSPR reporting
If you take issues with SSPR reporting in the Azure portal, review the following troubleshooting steps:
I meet an hallmark method that I take disabled in the Add together method option in combined registration.
The combined registration takes into account three policies to decide what methods are shown in Add method:
- Self-service countersign reset
- MFA
- Authentication methods
If you disable app notifications in SSPR but enable information technology in MFA policy, that option appears in combined registration. For another example, if a user disables Function telephone in SSPR, it is notwithstanding displayed every bit an option if the user has the Phone/Function phone property set.
I don't run into any countersign management activity types in the Cocky-Service Password Management audit upshot category.
This can happen if you don't take an Azure Advert license assigned to the administrator performing the operation.
To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.
User registrations show multiple times.
When a user registers, we currently log each private piece of data that'southward registered as a separate issue.
If you lot want to aggregate this data and take greater flexibility in how yous tin view it, you tin can download the study and open up the data as a pivot table in Excel.
SSPR registration portal
If your users accept problems registering for SSPR, review the following troubleshooting steps:
The directory isn't enabled for password reset. The user may see an error that reports, "Your administrator has not enabled you to use this characteristic."
You tin can enable SSPR for all users, no users, or for selected groups of users. Only 1 Azure AD group can currently exist enabled for SSPR using the Azure portal. As office of a wider deployment of SSPR, nested groups are supported. Brand certain that the users in the grouping(s) you choose accept the appropriate licenses assigned.
In the Azure portal, alter the Self-service password reset enabled configuration to Selected or All and then select Salve.
The user doesn't have an Azure Advertisement license assigned. The user may run across an error that reports, "Your ambassador has not enabled you to use this characteristic."
Only one Azure Advert group can currently exist enabled for SSPR using the Azure portal. Every bit part of a wider deployment of SSPR, nested groups are supported. Brand certain that the users in the grouping(due south) yous choose have the appropriate licenses assigned. Review the previous troubleshooting pace to enable SSPR as required.
Also review troubleshooting steps to make certain that the administrator performing the configuration options has a license assigned. To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.
There's an error processing the request.
Generic SSPR registration errors tin be caused by many problems, simply by and large this fault is caused by either a service outage or a configuration consequence. If yous go along to run into this generic mistake when you retry the SSPR registration process, contact Microsoft support for additional aid.
SSPR usage
If you or your users have issues using SSPR, review the following troubleshooting scenarios and resolution steps:
| Mistake | Solution |
|---|---|
| The directory isn't enabled for password reset. | In the Azure portal, change the Cocky-service password reset enabled configuration to Selected or All and and then select Salvage. |
| The user doesn't accept an Azure AD license assigned. | This tin happen if yous don't have an Azure AD license assigned to the desired user. To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve issues with licenses. |
| The directory is enabled for password reset, simply the user has missing or malformed authentication data. | Make sure that user has properly formed contact data on file in the directory. For more data, see Information used past Azure Advertizement self-service password reset. |
| The directory is enabled for password reset, merely the user has simply i piece of contact information on file when the policy is set to require two verification methods. | Make sure that the user has at least 2 properly configured contact methods. An example is having both a mobile phone number and an office telephone number. |
| The directory is enabled for countersign reset and the user is properly configured, but the user is unable to be contacted. | This tin can be the result of a temporary service error or if there's wrong contact data that nosotros tin can't properly find. If the user waits ten seconds, a link is displayed to "Endeavour again" and "Contact your administrator". If the user selects "Endeavor once again," information technology retries the call. If the user selects "Contact your administrator," it sends a form email to the administrators requesting a password reset to exist performed for that user business relationship. |
| The user never receives the password reset SMS or telephone call. | This tin can be the result of a malformed telephone number in the directory. Make sure the phone number is in the format "+1 4251234567". Password reset doesn't support extensions, fifty-fifty if yous specify 1 in the directory. The extensions are stripped before the call is made. Use a number without an extension, or integrate the extension into the phone number in your private branch exchange (PBX). |
| The user never receives the password reset electronic mail. | The virtually common cause for this problem is that the bulletin is rejected past a spam filter. Check your spam, junk, or deleted items binder for the email. Likewise, brand sure the user checks the correct email business relationship as registered with SSPR. |
| I've set a countersign reset policy, but when an admin account uses password reset, that policy isn't practical. | Microsoft manages and controls the administrator password reset policy to ensure the highest level of security. |
| The user is prevented from attempting a password reset besides many times in a day. | An automated throttling mechanism is used to block users from attempting to reset their passwords too many times in a short period of time. Throttling occurs the following scenarios:
|
| The user sees an fault when validating their phone number. | This fault occurs when the phone number entered doesn't match the phone number on file. Make sure the user is entering the consummate phone number, including the area and country code, when they effort to use a phone-based method for password reset. |
| The user sees an error when using their email address. | If the UPN differs from the primary ProxyAddress/SMTPAddress of the user, the Sign-in to Azure Advertizement with electronic mail as an alternate login ID setting must be enabled for the tenant. |
| There's an fault processing the request. | Generic SSPR registration errors can exist caused by many issues, simply generally this error is caused by either a service outage or a configuration effect. If you proceed to see this generic fault when you re-try the SSPR registration process, contact Microsoft back up for additional help. |
| On-premises policy violation | The password doesn't see the on-premises Agile Directory password policy. The user must define a password that meets the complication or strength requirements. |
| Password doesn't comply with fuzzy policy | The password that was used appears in the banned countersign list and can't be used. The user must define a password that meets or exceeds the banned password list policy. |
SSPR errors that a user might see
The following errors and technical details may be shown to a user equally part of the SSPR process. Frequently, the error isn't something they tin can resolve themselves, equally the SSPR feature needs to enabled, configured, or registered for their business relationship.
Employ the following information to sympathize the problem and what needs to be corrected on the Azure AD tenant or individual user account.
| Mistake | Details | Technical details |
|---|---|---|
| TenantSSPRFlagDisabled = ix | We're sorry, you can't reset your password at this time because your administrator has disabled countersign reset for your organization. There is no further action yous can take to resolve this situation. Delight contact your admin and ask them to enable this characteristic. To larn more, meet Help, I forgot my Azure Advertizing password. | SSPR_0009: We've detected that password reset has not been enabled by your administrator. Please contact your admin and enquire them to enable password reset for your organization. |
| WritebackNotEnabled = x | We're pitiful, yous can't reset your password at this fourth dimension because your administrator has not enabled a necessary service for your organisation. There is no further action you can take to resolve this situation. Delight contact your admin and ask them to check your system'southward configuration. To learn more most this necessary service, meet Configuring password writeback. | SSPR_0010: We've detected that password writeback has non been enabled. Please contact your admin and ask them to enable password writeback. |
| SsprNotEnabledInUserPolicy = 11 | We're sorry, you can't reset your countersign at this fourth dimension because your administrator has not configured password reset for your organization. There is no further action yous can take to resolve this situation. Contact your admin and ask them to configure password reset. To learn more than about password reset configuration, see Quickstart: Azure AD cocky-service password reset. | SSPR_0011: Your organization has not divers a password reset policy. Please contact your admin and ask them to define a password reset policy. |
| UserNotLicensed = 12 | We're sorry, you can't reset your countersign at this time because required licenses are missing from your arrangement. At that place is no further action y'all can take to resolve this situation. Please contact your admin and ask them to check your license assignment. To learn more nigh licensing, see Licensing requirements for Azure AD self-service countersign reset. | SSPR_0012: Your organization does not have the required licenses necessary to perform password reset. Please contact your admin and ask them to review the license assignments. |
| UserNotMemberOfScopedAccessGroup = 13 | We're sorry, you can't reset your password at this time because your administrator has not configured your account to use password reset. There is no further action you can accept to resolve this situation. Delight contact your admin and ask them to configure your account for password reset. To acquire more than most account configuration for password reset, see Scroll out password reset for users. | SSPR_0013: You are not a member of a group enabled for password reset. Contact your admin and asking to be added to the group. |
| UserNotProperlyConfigured = 14 | We're lamentable, you can't reset your password at this time because necessary information is missing from your account. At that place is no farther action you can take to resolve this state of affairs. Delight contact you lot admin and ask them to reset your password for you lot. Afterwards you have access to your account over again, you need to register the necessary data. To register data, follow the steps in the Annals for self-service countersign reset article. | SSPR_0014: Additional security info is needed to reset your password. To proceed, contact your admin and ask them to reset your countersign. Later you lot have access to your business relationship, you lot can annals additional security info at https://aka.ms/ssprsetup. Your admin can add together additional security info to your account by post-obit the steps in Fix and read authentication information for password reset. |
| OnPremisesAdminActionRequired = 29 | We're sorry, nosotros tin can't reset your password at this time because of a problem with your organization'south countersign reset configuration. There is no further activity you tin can take to resolve this situation. Delight contact your admin and ask them to investigate. Or Nosotros cannot reset your password at this time because of a trouble with your organization'south password reset configuration. There is no further action you tin take to resolve this consequence. Please contact your admin and ask them to investigate. To acquire more than about the potential problem, run into Troubleshoot password writeback. | SSPR_0029: We are unable to reset your password due to an error in your on-bounds configuration. Please contact your admin and enquire them to investigate. |
| OnPremisesConnectivityError = 30 | Nosotros're sorry, we can't reset your password at this fourth dimension because of connectivity problems to your arrangement. There is no activeness to have right now, but the problem might be resolved if you try over again later. If the problem persists, delight contact your admin and ask them to investigate. To learn more about connectivity issues, see Troubleshoot password writeback connectivity. | SSPR_0030: We tin can't reset your password due to a poor connectedness with your on-premises environs. Contact your admin and ask them to investigate. |
If yous have general questions about Azure Advertisement and self-service password reset, you can ask the customs for assistance on the Microsoft Q&A question page for Azure Agile Directory. Members of the community include engineers, production managers, MVPs, and beau It professionals.
If you tin't find the reply to a problem, our support teams are always available to help you farther.
To properly assist yous, we inquire that you provide as much particular as possible when opening a case. These details include the post-obit:
- Full general description of the error: What is the error? What was the behavior that was noticed? How can we reproduce the fault? Provide as much detail every bit possible.
- Page: What page were yous on when you noticed the mistake? Include the URL if you're able to and a screenshot of the folio.
- Back up code: What was the support code that was generated when the user saw the error?
-
To find this lawmaking, reproduce the mistake, then select the Back up lawmaking link at the bottom of the screen and send the back up engineer the GUID that results.
-
If you're on a page without a support code at the lesser, select F12 and search for the SID and CID and send those two results to the support engineer.
-
- Appointment, time, and time zone: Include the precise date and time with the time zone that the mistake occurred.
- User ID: Who was the user who saw the fault? An case is user@contoso.com.
- Is this a federated user?
- Is this a pass-through authentication user?
- Is this a password-hash-synchronized user?
- Is this a cloud-just user?
- Licensing: Does the user have an Azure Advertizement license assigned?
- Application event log: If you're using password writeback and the error is in your on-bounds infrastructure, include a zipped copy of your application event log from the Azure AD Connect server.
Adjacent steps
To learn more than about SSPR, meet How it works: Azure AD self-service password reset or How does self-service password reset writeback work in Azure Advertising?.
Feedback
Submit and view feedback for
Source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr
Enregistrer un commentaire for "Primary User Is Required! Please Try Again"