Are you having a problem with Azure Active Directory (Azure AD) self-service password reset (SSPR)? The information that follows can help you to get things working again.
22
+
Are you having a problem with Azure Active Directory (Azure AD) self-service password reset (SSPR)? The following information can help you to get things working again.
23
23
24
24
## Troubleshoot self-service password reset errors that a user might see
25
25
26
26
| Error | Details | Technical details |
27
27
| --- | --- | --- |
28
28
| TenantSSPRFlagDisabled = 9 | We’re sorry, you can't reset your password at this time because your administrator has disabled password reset for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to enable this feature. To learn more, see [Help, I forgot my Azure AD password](https://docs.microsoft.com/azure/active-directory/active-directory-passwords-update-your-own-password#common-problems-and-their-solutions). | SSPR_0009: We've detected that password reset has not been enabled by your administrator. Please contact your admin and ask them to enable password reset for your organization. |
29
29
| WritebackNotEnabled = 10 |We’re sorry, you can't reset your password at this time because your administrator has not enabled a necessary service for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your organization’s configuration. To learn more about this necessary service, see [Configuring password writeback](howto-sspr-writeback.md). | SSPR_0010: We've detected that password writeback has not been enabled. Please contact your admin and ask them to enable password writeback. |
30
-
| SsprNotEnabledInUserPolicy = 11 | We’re sorry, you can't reset your password at this time because your administrator has not configured password reset for your organization. There is no further action you can take to resolve this situation. Contact your admin and ask them to configure password reset. To learn more about password reset configuration, see [Quick start: Azure AD self-service password reset](https://docs.microsoft.com/azure/active-directory/active-directory-passwords-getting-started). | SSPR_0011: Your organization has not defined a password reset policy. Please contact your admin and ask them to define a password reset policy. |
30
+
| SsprNotEnabledInUserPolicy = 11 | We’re sorry, you can't reset your password at this time because your administrator has not configured password reset for your organization. There is no further action you can take to resolve this situation. Contact your admin and ask them to configure password reset. To learn more about password reset configuration, see [Quickstart: Azure AD self-service password reset](https://docs.microsoft.com/azure/active-directory/active-directory-passwords-getting-started). | SSPR_0011: Your organization has not defined a password reset policy. Please contact your admin and ask them to define a password reset policy. |
31
31
| UserNotLicensed = 12 | We’re sorry, you can't reset your password at this time because required licenses are missing from your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your license assignment. To learn more about licensing, see [Licensing requirements for Azure AD self-service password reset](https://docs.microsoft.com/azure/active-directory/active-directory-passwords-licensing). | SSPR_0012: Your organization does not have the required licenses necessary to perform password reset. Please contact your admin and ask them to review the license assignments. |
32
32
| UserNotMemberOfScopedAccessGroup = 13 | We’re sorry, you can't reset your password at this time because your administrator has not configured your account to use password reset. There is no further action you can take to resolve this situation. Please contact your admin and ask them to configure your account for password reset. To learn more about account configuration for password reset, see [Roll out password reset for users](https://docs.microsoft.com/azure/active-directory/active-directory-passwords-best-practices). | SSPR_0013: You are not a member of a group enabled for password reset. Contact your admin and request to be added to the group. |
33
33
| UserNotProperlyConfigured = 14 | We’re sorry, you can't reset your password at this time because necessary information is missing from your account. There is no further action you can take to resolve this situation. Please contact you admin and ask them to reset your password for you. After you have access to your account again, you need to register the necessary information. To register information, follow the steps in the [Register for self-service password reset](https://docs.microsoft.com/azure/active-directory/active-directory-passwords-reset-register) article. | SSPR_0014: Additional security info is needed to reset your password. To proceed, contact your admin and ask them to reset your password. After you have access to your account, you can register additional security info at https://aka.ms/ssprsetup. Your admin can add additional security info to your account by following the steps in [Set and read authentication data for password reset](howto-sspr-authenticationdata.md). |
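Review bot: while this table is being touched, the UserNotProperlyConfigured row (SSPR_0014) still reads "Please contact you admin" and should be "your admin"; the two edits in this hunk ("The following information", "Quickstart") are fine. A smaller style point in the same rows: some links are absolute docs.microsoft.com URLs while others are relative (howto-sspr-writeback.md, howto-sspr-authenticationdata.md); pick one form for the table.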
@@ -112,10 +112,10 @@ A best practice when you troubleshoot problems with password writeback is to ins
112
112
| 31005 | OnboardingEventSuccess | This event indicates that the onboarding process was successful and that the password writeback capability is ready to use. |
113
113
| 31006 | ChangePasswordStart | This event indicates that the on-premises service detected a password change request for a federated, pass-through authentication, or password-hash-synchronized user that originates from the cloud. This event is the first event in every password-change writeback operation. |
114
114
| 31007 | ChangePasswordSuccess | This event indicates that a user selected a new password during a password change operation, we determined that the password meets corporate password requirements, and that the password has been successfully written back to the local Active Directory environment. |
115
-
| 31008 | ChangePasswordFail | This event indicates that a user selected a password and that the password arrived successfully to the on-premises environment, but when we attempted to set the password in the local Active Directory environment, a failure occurred. This failure can happen for several reasons: <br><ul><li>The user’s password does not meet the age, history, complexity, or filter requirements for the domain. To resolve this problem, create a new password.</li><li>The ADMA service account does not have the appropriate permissions to set the new password on the user account in question.</li><li>The user’s account is in a protected group, such as domain or enterprise admins, which disallows password set operations.</li></ul> |
115
+
| 31008 | ChangePasswordFail | This event indicates that a user selected a password and that the password arrived successfully to the on-premises environment, but when we attempted to set the password in the local Active Directory environment, a failure occurred. This failure can happen for several reasons: <br><ul><li>The user’s password does not meet the age, history, complexity, or filter requirements for the domain. To resolve this problem, create a new password.</li><li>The ADMA service account does not have the appropriate permissions to set the new password on the user account in question.</li><li>The user’s account is in a protected group, such as domain or enterprise admins, which disallow password set operations.</li></ul> |
116
116
| 31009 | ResetUserPasswordByAdminStart | The on-premises service detected a password reset request for a federated, pass-through authentication, or password-hash-synchronized user originating from the administrator on behalf of a user. This event is the first event in every password-reset writeback operation that is initiated by an administrator. |
117
117
| 31010 | ResetUserPasswordByAdminSuccess | The admin selected a new password during an admin-initiated password-reset operation. We determined that this password meets corporate password requirements. The password has been successfully written back to the local Active Directory environment. |
118
-
| 31011 | ResetUserPasswordByAdminFail | The admin selected a password on behalf of a user. The password arrived successfully to the on-premises environment. But when we attempted to set the password in the local Active Directory environment, a failure occurred. This failure can happen for several reasons: <br><ul><li>The user’s password does not meet the age, history, complexity, or filter requirements for the domain. Try a new password to resolve this problem.</li><li>The ADMA service account does not have the appropriate permissions to set the new password on the user account in question.</li><li>The user’s account is in a protected group, such as domain or enterprise admins, which disallows password set operations.</li></ul> |
118
+
| 31011 | ResetUserPasswordByAdminFail | The admin selected a password on behalf of a user. The password arrived successfully to the on-premises environment. But when we attempted to set the password in the local Active Directory environment, a failure occurred. This failure can happen for several reasons: <br><ul><li>The user’s password does not meet the age, history, complexity, or filter requirements for the domain. Try a new password to resolve this problem.</li><li>The ADMA service account does not have the appropriate permissions to set the new password on the user account in question.</li><li>The user’s account is in a protected group, such as domain or enterprise admins, which disallow password set operations.</li></ul> |
119
119
| 31012 | OffboardingEventStart | This event occurs if you disable password writeback with Azure AD Connect and indicates that we started offboarding your organization to the password writeback web service. |
120
120
| 31013| OffboardingEventSuccess| This event indicates that the offboarding process was successful and that password writeback capability has been successfully disabled. |
121
121
| 31014| OffboardingEventFail| This event indicates that the offboarding process was not successful. This might be due to a permissions error on the cloud or on-premises administrator account specified during configuration. The error can also occur if you're attempting to use a federated cloud global administrator when disabling password writeback. To fix this problem, check your administrative permissions and ensure that you're not using a federated account while configuring the password writeback capability.|
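Review bot: the change from "disallows" to "disallow" in the 31008 and 31011 rows looks backwards: the relative clause attaches to "a protected group", which is singular, so "disallows" was correct. If the intent is to attach it to "domain or enterprise admins", reword instead, e.g. "such as Domain Admins or Enterprise Admins; membership in such a group disallows password set operations". Since the 33004 row in this same file attributes the failure to AdminCount being set to 1, these two bullets would be clearer if they pointed at that row rather than leaving the reader to connect the two.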
@@ -136,11 +136,11 @@ A best practice when you troubleshoot problems with password writeback is to ins
136
136
| 32011| OnBoardingServiceError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the onboarding process. This can happen as a result of a firewall rule or if there is a problem getting an authentication token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over TCP 443 and TCP 9350-9354 or to https://ssprdedicatedsbprodncu.servicebus.windows.net. Also ensure that the Azure AD admin account you're using to onboard isn't federated.|
137
137
| 32013| OffBoardingError| This event indicates that the on-premises service couldn't properly communicate with the password-reset web service to initiate the offboarding process. This can happen as a result of a firewall rule or if there is a problem getting an authorization token for your tenant. To fix this problem, ensure that you're not blocking outbound connections over 443 or to https://ssprdedicatedsbprodncu.servicebus.windows.net, and that the Azure Active Directory admin account you're using to offboard isn't federated.|
138
138
| 32014| ServiceBusWarning| This event indicates that we had to retry to connect to your tenant’s Service Bus instance. Under normal conditions, this should not be a concern, but if you see this event many times, consider checking your network connection to Service Bus, especially if it’s a high-latency or low-bandwidth connection.|
139
-
| 32015| ReportServiceHealthError| In order to monitor the health of your password writeback service, we send heartbeat data to our password-reset web service every five minutes. This event indicates that there was an error when sending this health information back to the cloud web service. This health information does not include an object identifiable information (OII) or personally identifiable information (PII) data, and is purely a heartbeat and basic service statistics so that we can provide service status information in the cloud.|
139
+
| 32015| ReportServiceHealthError| In order to monitor the health of your password writeback service, we send heartbeat data to our password-reset web service every five minutes. This event indicates that there was an error when sending this health information back to the cloud web service. This health information does not include any personal data, and is purely a heartbeat and basic service statistics so that we can provide service status information in the cloud.|
140
140
| 33001| ADUnKnownError| This event indicates that there was an unknown error returned by Active Directory. Check the Azure AD Connect server event log for events from the ADSync source for more information.|
141
141
| 33002| ADUserNotFoundError| This event indicates that the user who is trying to reset or change a password was not found in the on-premises directory. This error can occur when the user has been deleted on-premises but not in the cloud. This error can also occur if there is a problem with sync. Check your sync logs and the last few sync run details for more information.|
142
142
| 33003| ADMutliMatchError| When a password reset or change request originates from the cloud, we use the cloud anchor specified during the setup process of Azure AD Connect to determine how to link that request back to a user in your on-premises environment. This event indicates that we found two users in your on-premises directory with the same cloud anchor attribute. Check your sync logs and the last few sync run details for more information.|
143
-
| 33004| ADPermissionsError| This event indicates that the Active Directory Management Agent (ADMA) service account does not have the appropriate permissions on the account in question to set a new password. Ensure that the ADMA account in the user’s forest has reset and change password permissions on all objects in the forest. For more information on how to set the permissions, see Step 4: Set up the appropriate Active Directory permissions. This error could also occur when the user's attribute AdminCount is set to 1.|
143
+
| 33004| ADPermissionsError| This event indicates that the Active Directory Management Agent (ADMA) service account does not have the appropriate permissions on the account in question to set a new password. Ensure that the ADMA account in the user’s forest has reset password permissions on all objects in the forest. For more information on how to set the permissions, see Step 4: Set up the appropriate Active Directory permissions. This error could also occur when the user's attribute AdminCount is set to 1.|
144
144
| 33005| ADUserAccountDisabled| This event indicates that we attempted to reset or change a password for an account that was disabled on-premises. Enable the account and try the operation again.|
145
145
| 33006| ADUserAccountLockedOut| This event indicates that we attempted to reset or change a password for an account that was locked out on-premises. Lockouts can occur when a user has tried a change or reset password operation too many times in a short period. Unlock the account and try the operation again.|
146
146
| 33007| ADUserIncorrectPassword| This event indicates that the user specified an incorrect current password when performing a password change operation. Specify the correct current password and try again.|
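Review bot: the 33004 row now asks only for "reset password permissions", which matches the tutorial's switch to a single Reset password box, but the same row's "Step 4: Set up the appropriate Active Directory permissions" is a bare text reference with no link while other rows link their articles; link it to the tutorial so the two stay in sync. The 32015 rewording to "any personal data" is fine. Also visible in this hunk: 32011 lists TCP 443 and TCP 9350-9354 for the Service Bus endpoint while 32013 lists only 443 for the same endpoint, so one of them is incomplete, and the 33003 event name "ADMutliMatchError" is worth confirming against the source before it is copied further.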
articles/active-directory/authentication/tutorial-enable-sspr-writeback.md
3 additions & 3 deletions
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: authentication
8
8
ms.topic: tutorial
9
-
ms.date: 02/18/2020
9
+
ms.date: 04/24/2020
10
10
11
11
ms.author: iainfou
12
12
author: iainfoulds
@@ -66,7 +66,7 @@ To set up the appropriate permissions for password writeback to occur, complete
66
66
1. From the **Permissions** tab, select **Add**.
67
67
1. For **Principal**, select the account that permissions should be applied to (the account used by Azure AD Connect).
68
68
1. In the **Applies to** drop-down list, select **Descendant User objects**.
69
-
1. Under *Permissions*, select the boxes for the following options:
69
+
1. Under *Permissions*, select the box for the following option:
70
70
***Reset password**
71
71
1. Under *Properties*, select the boxes for the following options. You need to scroll through the list to find these options, which may already be set by default:
72
72
***Write lockoutTime**
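Review bot: the new single-item list is written as `***Reset password**`, so the bullet asterisk runs into the bold markers with no space and will not render as a bullet; the same applies to `***Write lockoutTime**` in the context below. Use `* **Reset password**`. Dropping Change password from the granted rights is the right least-privilege direction, but the troubleshooting file in this same commit documents ChangePasswordStart/ChangePasswordSuccess writeback events, so the text should say explicitly that Reset password alone covers the change-password writeback path; otherwise admins will re-add Change password the first time a 31008 appears.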
@@ -78,7 +78,7 @@ To set up the appropriate permissions for password writeback to occur, complete
78
78
79
79
When you update permissions, it might take up to an hour or more for these permissions to replicate to all the objects in your directory.
80
80
81
-
Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. For password writeback to work most efficiently, the group policy for *Minimum password age* must be set to 0. This setting can be found under **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies** within `gpedit.msc`.
81
+
Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. For password writeback to work most efficiently, the group policy for *Minimum password age* must be set to 0. This setting can be found under **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies** within `gpedit.msc`.
82
82
83
83
If you update the group policy, wait for the updated policy to replicate, or use the `gpupdate /force` command.
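Review bot: the removed and added lines in this hunk read identically in the rendered diff, so this is presumably a whitespace-only change; if a wording change was intended, it was lost. Separately, the instruction to set Minimum password age to 0 should state the trade-off: minimum password age is the control that stops users from cycling through passwords to get around the password history setting, so the text should present relaxing it as a policy decision with that cost, not only as an efficiency tweak.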