What causes AADSTS120002?

New password is shorter than the minimum length or lacks required character classes (uppercase, lowercase, digit, symbol). Password matches an entry on the Microsoft global banned password list (e.g. variants of 'Password', 'Welcome', season+year). Password is on the tenant's custom banned password list configured in Entra ID Password Protection. Password is too similar to the user's username, display name, or a recently used password (password history). Tenant has on-premises AD password policy synced via Entra Connect with stricter rules than the user expected

How do I fix AADSTS120002?

Choose a new password of at least 8 characters (Microsoft recommends 12+) combining uppercase, lowercase, digits and symbols, avoiding the user's name, company name, or common words. Avoid predictable patterns like 'Company2026!', 'Welcome123', or season+year — these are blocked by Microsoft's global banned password list. If the change is forced at sign-in (force-change-on-next-login), have the user retry from a clean browser session at https://account.activedirectory.windowsazure.com/ChangePassword.aspx. Admins: review banned password lists and lockout settings in Entra admin center → Protection → Authentication methods → Password protection. For hybrid tenants, verify that on-prem AD password complexity policy (GPO) and Entra password protection are consistent so users get the same rules everywhere

High severityauthentication

Power BI Error:
AADSTS120002

What does this error mean?

Password change rejected because the new password does not meet Entra ID (Azure AD) password complexity or banned-password policy.

Common causes

1New password is shorter than the minimum length or lacks required character classes (uppercase, lowercase, digit, symbol)
2Password matches an entry on the Microsoft global banned password list (e.g. variants of 'Password', 'Welcome', season+year)
3Password is on the tenant's custom banned password list configured in Entra ID Password Protection
4Password is too similar to the user's username, display name, or a recently used password (password history)
5Tenant has on-premises AD password policy synced via Entra Connect with stricter rules than the user expected

How to fix it

1Choose a new password of at least 8 characters (Microsoft recommends 12+) combining uppercase, lowercase, digits and symbols, avoiding the user's name, company name, or common words
2Avoid predictable patterns like 'Company2026!', 'Welcome123', or season+year — these are blocked by Microsoft's global banned password list
3If the change is forced at sign-in (force-change-on-next-login), have the user retry from a clean browser session at https://account.activedirectory.windowsazure.com/ChangePassword.aspx
4Admins: review banned password lists and lockout settings in Entra admin center → Protection → Authentication methods → Password protection
5For hybrid tenants, verify that on-prem AD password complexity policy (GPO) and Entra password protection are consistent so users get the same rules everywhere

Frequently asked questions

What does AADSTS120002 mean?

PasswordChangeInvalidNewPasswordWeak

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes