Forum Discussion
SSPR for synced account failed — error: OnPremisesUserNotFound
This error typically indicates that when a user attempts to reset their password in Entra ID (formerly Azure AD), the writeback service cannot find a matching on-premises object in Active Directory, resulting in a failed reset request, despite the sync itself appearing healthy. A few common causes and checks will usually solve it.
First, confirm that password writeback is really enabled in the Entra ID Connect configuration. Open Azure AD Connect and, in the optional features, verify that “Password writeback” is checked. Sometimes, people enable it in the portal but forget that it also needs to be explicitly enabled in the sync tool.
Next, check attribute matching. The writeback lookup depends on the immutableId (which maps to the on-premises objectGUID). If users are soft-matched by UPN or email instead of hard-matched, the cloud account may not have a valid immutable ID linked. You can run Get-MsolUser -UserPrincipalName email address removed for privacy reasons | fl ImmutableId or the equivalent Graph call to confirm the value. If it is blank or does not match the objectGUID in Active Directory, password writeback cannot find the on-premises user and throws OnPremisesUserNotFound.
Also, verify that the service account running Entra ID Connect has reset password rights on the OU where your user objects live. The minimum is “Reset password” and “Write lockoutTime” on descendant user objects. If you only grant read permissions, the sync will succeed, but the writeback will fail.
Check if the accounts in question are in scope of synchronization. If you filtered by OU or attribute in Azure AD Connect, but the users appear in Entra ID because they were created before the filter change, then writeback will not find them in the on-premises directory.
Finally, confirm that users are not cloud-only. SSPR writeback works only for synced users with an on-premises AD object. If you created a cloud account and later attempted to match it to AD, but it never had a proper immutable ID, writeback will fail.
Recommended next steps:
In Entra admin center, check one of the failing users → Identity → Audit immutableId and onPremisesSyncEnabled attributes.
In local AD, confirm the user exists in a synced OU and has the expected objectGUID.
Re-run the AAD Connect wizard and ensure that Password Writeback is enabled and that the account has the correct permissions.
If an immutableId mismatch is found, run Set-MsolUser -UserPrincipalName email address removed for privacy reasons -ImmutableId <correctGUID> or use the Microsoft Graph equivalent to fix the link.
With those checks, you should be able to remove the OnPremisesUserNotFound error and have SSPR successfully reset passwords back to AD.
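As an added example (not code from the thread), the immutableId comparison described above done in PowerShell: it derives the immutableId Entra ID Connect would write from the on-premises objectGUID and compares it with what the cloud object carries. It assumes the ActiveDirectory and Microsoft.Graph.Users modules and an existing Connect-MgGraph session with User.Read.All; the UPN is a parameter you supply.

```powershell
# Added example, not part of the original thread.
# Usage: .\Test-ImmutableId.ps1 -UserPrincipalName user@contoso.example (placeholder UPN)
param(
    [Parameter(Mandatory)][string]$UserPrincipalName
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# The sourceAnchor/immutableId written by Entra ID Connect is the base64 encoding
# of the 16 raw bytes of the on-premises objectGUID.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Look up the on-premises object by UPN; if it is missing, writeback has nothing to find.
$adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" -Properties objectGUID
if (-not $adUser) {
    Write-Warning "No on-premises AD object with UPN $UserPrincipalName; writeback would report OnPremisesUserNotFound."
    return
}
$expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID

# Read the cloud-side link attributes via Microsoft Graph.
$cloudUser = Get-MgUser -UserId $UserPrincipalName -Property 'UserPrincipalName','OnPremisesImmutableId','OnPremisesSyncEnabled'

# A blank cloud immutableId means the account was never hard-matched;
# a non-matching one means it is linked to a different (or stale) AD object.
$status = if ([string]::IsNullOrEmpty($cloudUser.OnPremisesImmutableId)) { 'Blank: not hard-matched' }
          elseif ($cloudUser.OnPremisesImmutableId -eq $expected)        { 'Match' }
          else                                                            { 'Mismatch: linked to another objectGUID' }

[pscustomobject]@{
    UPN                   = $UserPrincipalName
    OnPremObjectGUID      = $adUser.ObjectGUID
    ExpectedImmutableId   = $expected
    CloudImmutableId      = $cloudUser.OnPremisesImmutableId
    OnPremisesSyncEnabled = $cloudUser.OnPremisesSyncEnabled
    Status                = $status
}
```

Only the Match status means the writeback lookup can resolve the user; for the other two, the immutableId must be corrected before SSPR writeback will work.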
- caotruonghoang, Aug 29, 2025, Copper Contributor
Hi,
Thank you,
I’ve checked the password writeback feature in the Entra ID Connect agent, and it is properly enabled. I also verified its status via the Entra ID portal—it’s healthy and showing green.
The objectGUID in Active Directory and the sourceAnchor are correctly matched. The UPNs are also aligned.
The service account has the required permissions at the root object and all its child objects, as listed below.
- Reset password
- Change password
- Write permissions on lockoutTime
- Write permissions on pwdLastSet
- Extended rights
The users are synced accounts, not cloud-only.
The users are well in the synchronization scope.
If you have further checks, please let me know.