Administrators cannot reset hybrid user passwords from the Azure Mobile App

Hi All,

After a month of back and forth with Entra tech support in a ticket, they deemed that the behaviour I am about to describe is intentional. I strongly disagree.

When attempting to reset a user's password (as a global administrator) in my tenant using the iOS Azure app, there is an error message that states that I do not have permission to do so. This error message is 100% replicable by anyone with a hybrid sync environment where password writeback is enabled, including the Azure support team.

The Azure audit log shows:

  • Status Reason: Password reset operation request validation failed.

The error message in the app says:

  • Permissions needed: Only '%users name%' or their home directory admin can reset their password.

All normal troubleshooting steps have already taken place, such as:

  1. Ensuring I am using a global admin account
  2. Trying another global admin account
  3. Ensuring that I can reset the same user's password via the Entra portal in a web browser with the same account(s)
  4. Creating a support ticket via the Entra portal and following all Microsoft advice - including the creation of this thread which concludes my Microsoft ticket as they claim this isn't an issue, but rather a design choice.

If the behaviour described is intentional, then it is very poorly executed as the error message in the app should reflect the reason why the password reset is failing, rather than telling the user that they do not have the correct permissions.

Entra support are using the fact that Microsoft do not have any documentation on the password reset feature within the mobile app as evidence that the password reset feature does not support hybrid user / writeback user password resets.

My support ticket has come to an end as they have deemed this to be a "by design" problem, hence it cannot be fixed because it is not broken. Personally, I believe this is an oversight by the mobile app development team and should be considered a bug, not a design choice.

What do you think? How should I go about getting this recognised as something that needs fixing?

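The thread above reports a failed admin password reset that surfaces in the Entra audit log with the status reason "Password reset operation request validation failed". The following Microsoft Graph PowerShell script is an added example, not something from the original post or from Microsoft, for confirming the two facts the post relies on from a defender's side: whether the target account is a hybrid (on-premises synced) user, and which recent admin-initiated password resets failed and why. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the AuditLog.Read.All and User.Read.All permissions, and that the audit activity is named 'Reset password (by admin)' in the tenant; the user principal name is a placeholder to replace.

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph modules:
#   Install-Module Microsoft.Graph.Users, Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All"

# Placeholder: replace with the UPN of the user whose reset failed in the mobile app.
$targetUpn = "user@example.com"

# 1. Is this a hybrid account? Resets on synced accounts depend on password writeback,
#    which is the condition the post identifies for the failure.
$user = Get-MgUser -UserId $targetUpn -Property DisplayName, UserPrincipalName, OnPremisesSyncEnabled
[PSCustomObject]@{
    User                  = $user.UserPrincipalName
    OnPremisesSyncEnabled = [bool]$user.OnPremisesSyncEnabled
}

# 2. Pull recent admin-initiated password resets from the directory audit log and keep
#    only the failures, so the stated "request validation failed" reason can be seen
#    alongside who initiated the reset and against whom.
#    (Activity display name assumed to be 'Reset password (by admin)'.)
$filter = "activityDisplayName eq 'Reset password (by admin)'"
$resets = Get-MgAuditLogDirectoryAudit -Filter $filter -Top 100

$resets |
    Where-Object { $_.Result -ne 'success' } |
    ForEach-Object {
        [PSCustomObject]@{
            Time        = $_.ActivityDateTime
            InitiatedBy = $_.InitiatedBy.User.UserPrincipalName
            Target      = ($_.TargetResources | Select-Object -First 1).UserPrincipalName
            Result      = $_.Result
            Reason      = $_.ResultReason   # e.g. "Password reset operation request validation failed."
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Comparing the failed entries with a successful reset of the same user from the Entra portal (step 3 in the post) shows that the initiating account and target are identical and only the client differs, which is the evidence worth attaching to a support ticket or bug report.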