- The administrator account that's used to set up Azure AD Connect does not have the appropriate license.
- The time on the server on which Azure AD Connect is installed is out of sync.
Method 1: Make sure that you use the correct administrator account
Make sure that the administrator account that you use to enable password writeback is a cloud administrator account (created in Azure AD) and not a federated account (created in the on-premises Active Directory and synchronized to Azure AD). Also, make sure that the account has the appropriate Azure AD subscription license.
For more information about Azure AD subscriptions, see https://www.microsoft.com/en-us/cloud-platform/azure-active-directory-pricing.
Method 2: Make sure that the time isn't skewed
On the authoritative time server, perform the steps in the “Configuring the Windows Time service to use an external time source” section of the following Microsoft Knowledge Base article:
Make sure that the time on the server on which Azure AD Connect is installed matches the time on the authoritative time server.
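One way to carry out the comparison in Method 2 from the Azure AD Connect server, as an added example that is not part of the original article. The time server name is a placeholder and the 300-second tolerance is an assumption; the article does not state a threshold.

```powershell
# Added example: compare this server's clock with the authoritative time server.
param(
    [string]$TimeServer = 'timeserver.contoso.example', # placeholder, replace with your time server
    [int]$Samples = 5,
    [double]$MaxSkewSeconds = 300                        # assumed tolerance, not from the article
)

function Get-ClockOffset {
    param([string]$Server, [int]$Count)

    # /stripchart queries the server over NTP and, with /dataonly, prints one
    # "HH:mm:ss, +00.1234567s" line per sample (or an error line on failure).
    $output = & w32tm.exe /stripchart "/computer:$Server" "/samples:$Count" /dataonly 2>&1

    $offsets = @(foreach ($line in $output) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    })
    if ($offsets.Count -eq 0) {
        throw "No usable samples from ${Server}:`n$($output -join "`n")"
    }

    # Use the median so that one delayed reply does not distort the result.
    $sorted = @($offsets | Sort-Object)
    $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)]
}

$offset = Get-ClockOffset -Server $TimeServer -Count $Samples
$skewed = [math]::Abs($offset) -gt $MaxSkewSeconds

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    TimeServer    = $TimeServer
    OffsetSeconds = [math]::Round($offset, 3)
    Skewed        = $skewed
}

if ($skewed) {
    Write-Warning "Clock differs from $TimeServer by $([math]::Round($offset, 1)) s. Correct the time, then retry enabling password writeback."
}
```

If the function throws because no samples were returned, confirm that the Azure AD Connect server can reach the time server on UDP port 123.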
you may see the following entries in the Azure AD Connect sync logs. The logs are located in the %appdata%\Local\AADConnect folder.
Error <Date> <Time> ADSync 6306 Server "The server encountered an unexpected error while performing an operation for the client.
Error <Date> <Time> ADSync 6800 MA Extension "The password management extension encountered an error.
The stack trace is:
""Couldn't connect to any service bus endpoint(s)
Error <Date> <Time> PasswordResetService 32001 None TrackingId: 3f369fe9-c121-4450-8661-82b095bdbf0a,
Couldn't connect to any service bus endpoint(s), Details:
Error <Date> <Time> PasswordResetService 31044 None TrackingId: 3f369fe9-c121-4450-8661-82b095bdbf0a,
Password writeback service is not in a healthy state. No serviceHost for service bus endpoints are in
running state. Please refer aka.ms/ssprtroubleshoot, Details: Version: 126.96.36.1996
Article ID: 3185990 - Last Review: Dec 28, 2016 - Revision: 1