Azure AD Writeback Problem Event ID: 33007 (The password given does not specify the user's current password)


A Microsoft 365 Business setup and Azure AD P1 subscription. If I set a new password for the user at the Microsoft 365 portal and tick "make this user change their password when they first sign in", it doesn't work, though at the admin portal it seems to work. For example, if the user (off shore worker) then goes to http://mail.office365 (or and tries to log in, he/she will get the "Update your password" window (old password and the fields where to put the new one) and he will get an error:

"Try again—that's not your current password."

Attached my Azure AD Connect Settings

At the OnPremises AD server's Event viewer I can see this:

Log Name:      Application
Source:        PasswordResetService
Date:          3.4.2018 9.37.06
Event ID:      33007
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MyDC-01.MyDomain.local
TrackingId: zzzzzzzzzzzz-38da-499c-994c-zzzzzzzzzzzz, Reason: Synchronization Engine returned an error hr=8023061A, message=The password given does not specify the user's current password., Context: cloudAnchor: User_zzzzzzzzzzz-99fd-428e-97e8-zzzzzzzzz, SourceAnchorValue: zzzzzzzzzzzzzzzzvbwnpIw==, UserPrincipalName:, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=8023061A, message=The password given does not specify the user's current password.
Vasil Michev (MVP)Commented:
That's the expected behavior, password writeback does NOT include admin-forced password changes. From the documentation:

Passwords are not written back in any of the following situations:
•Unsupported end-user operations
◦Any end user resetting their own password by using PowerShell version 1, version 2, or the Azure AD Graph API

•Unsupported administrator operations
◦Any administrator-initiated end-user password reset from the Office management portal
◦Any administrator-initiated end-user password reset from PowerShell version 1, version 2, or the Azure AD Graph API
RimFire007Author Commented:
Ah, thanks. So I must do the same thing via ADUC?
RimFire007Author Commented:
Actually, when I forced a password reset to a user via ADUC and checked "user must change password at next logon" it doesn't work either. At the O365 portal login he/she gets an error saying:

"Your email or password is incorrect. If you don't remember your password, reset it now"

How to make this work (for off Shore workers)?
Vasil Michev (MVP)Commented:
Are you actually setting a new password or just toggling the flag? If changing the password, he will need to provide the new one in order to reset it.
RimFire007Author Commented:

No, I didn't just toggle the flag - I also provided the new password.
Vasil Michev (MVP)Commented:
So you are again hitting an "unsupported" scenario. Temporary passwords are NOT synced to Azure AD as detailed here:

Currently, Azure AD Connect does not support synchronizing temporary passwords with Azure AD. A password is considered to be temporary if the Change password at next logon option is set on the on-premises Active Directory user.
RimFire007Author Commented:

Is it so that there is no way to set a temporary password to a user? Not via ADUC or Azure / M365 portal?

What can I do in order to force users (especially off shore) to change their passwords? I'm planning to send the passwords to the users asap. And I can skip ticking the "user must change password at next logon" box. I just want them to change the password, let's say within one week.
Vasil Michev (MVP)Commented:
Try setting the "user must change password" flag on O365 directly, without changing the user password, via the following cmdlet:

Set-MsolUserPassword -UserPrincipalName -ForceChangePasswordOnly $true -ForceChangePassword $true
He will still be able to use his old password, but will have to change it once he logs in.

RimFire007Author Commented:

It worked for the Off Shore user. However, not for a Domain User who sits in the AD LAN. I mean, if the Domain User logs on to the computer it won't force him/her to change the password. Only if he/she goes to it will force the password change.

But this is better already. Is there any PowerShell command to set a password change for an OU or Group? Need to be careful though.
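An added example (not from this thread or from Microsoft) that applies the accepted approach to a whole group: it reads the members of an on-premises AD group, skips accounts whose on-prem "change password at next logon" flag is set (since, as noted above, Azure AD Connect does not sync those temporary passwords), and sets the cloud-side forced-change flag with Set-MsolUserPassword -ForceChangePasswordOnly so the current password keeps working until the next sign-in. It assumes the ActiveDirectory and MSOnline modules are installed and Connect-MsolService has already been run; the group name is a placeholder.

```powershell
<#
 Added example, not from the thread. Assumes the MSOnline module is loaded
 and Connect-MsolService has already been run, the ActiveDirectory module is
 available, and $GroupName is an on-prem AD group whose members are synced
 by Azure AD Connect. 'OffshoreWorkers' is a placeholder group name.
#>
param(
    [string]$GroupName = 'OffshoreWorkers',   # placeholder group name
    [switch]$DryRun                            # report only, change nothing
)

Import-Module ActiveDirectory
Import-Module MSOnline

# -Recursive returns leaf objects only; keep users and fetch the attributes we need.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties UserPrincipalName, pwdLastSet

foreach ($u in $members) {
    if (-not $u.UserPrincipalName) {
        Write-Warning "$($u.SamAccountName): no UPN, skipping"
        continue
    }
    # pwdLastSet = 0 means "user must change password at next logon" on-prem.
    # Azure AD Connect does not sync such temporary passwords, so the cloud
    # sign-in would fail; report it instead of flagging the cloud account.
    if ($u.pwdLastSet -eq 0) {
        Write-Warning "$($u.UserPrincipalName): on-prem 'change at next logon' is set; its password will not sync"
        continue
    }
    if ($DryRun) {
        Write-Output "Would force a cloud password change for $($u.UserPrincipalName)"
        continue
    }
    try {
        # Keep the current password; only require a change at the next cloud sign-in.
        Set-MsolUserPassword -UserPrincipalName $u.UserPrincipalName `
            -ForceChangePasswordOnly $true -ForceChangePassword $true | Out-Null
        Write-Output "Forced change flagged for $($u.UserPrincipalName)"
    } catch {
        Write-Warning "$($u.UserPrincipalName): $($_.Exception.Message)"
    }
}
```

Run it first with -DryRun to review which accounts would be touched; as the thread notes, the flag only affects cloud sign-ins, not the on-prem domain logon.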