Hi BilalelHadd, thank you for the response!

- Did you enable inheritance for the AD account(s)
-- Yes, did check this also. The AD DS connector account has all the rights:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#v...
- Did you enable Password writeback in the Azure AD Connect configuration?
Yes
- Did you enable SSPR in the Azure AD Portal?
Yes
- Do you have a valid Azure AD Premium license?
Yes

It just stopped working since (2/7/22) Monday this week, and only for action 'Reset password (self-service)'.
'Change password (self-service)', works like it supposed to be. So users can change password via account settings in de M365 user portal. But cannot reset it on passwordreset.microsoftonline.com. Both used the OnPremisesAgent ->> AADConnect .

@BilalelHadd 

Thanks for trouble shooting with me!

* Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly.

Yes, please check below screenshot

Inheritance = enabled and MSOL_xxxx have all the right to reset password on object.

* Do you have a screenshot of the current Domain Policy where the password policy is stated?

Hi BilalelHadd,

Thank you for this, unfortunately no luck. Had a call about this with MS support last Friday, we did set the AD DS connector have the default permissions and set password write back permissions with the trouble shoot tool within AD connect.

I assume that to regarding the message we get from event viewer from event id 33004. I face the same error many times, and is was always the AD DS connector account. The strange thing is that as mentioned SSPR (change action) still is working and it goes over the same connector as SSPR (reset action). So with setting all the default permissions and seeing that the AD DS connector account can change or reset the passowrd of the the object, Both MS support and I cross it off that it concerns this account.

MS support told me to change the Default domain policy GPO to Maximum password age: 30 or 42 days. But the policy is not managed with this GPO but with using fine-grained password policies (FGPP) in ADAC which set maximum password age to 90 days. And also here, we did not change anything, it just begun on Monday 7/2/22 without us to change anything.

I ask the team if they can clarify this.

Hi Bilal, had a call yesterday with Microsoft regarding the issue. Microsoft told me to check the “Network access: Restrict clients allowed to make remote calls to SAM” GPO. However this GPO is not defined on both Domain or Domain Controller GPO policies. But the reg key ‘RestrictRemoteSam’ that is tied to that GPO setting, is listed in the DC's that talks with AD connect, this interesting. I propose a change to delete the REG key on 1 domain controller first and let AD Connect talk with that DC only that has not the REG key ‘RestrictRemoteSam’.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network...

But it remains strange that the SSPR reset function has suddenly stopped since Monday 7/2/22, but this is an interesting progression.

Will update this post ASAP.