What causes AADSTS120003?

The new password contains the user's sAMAccountName or UPN prefix (e.g. 'jsmith' inside 'Jsmith2026!'). The new password contains a 3+ character substring of the user's displayName / first or last name. Self-service password reset (SSPR) or change-password flow enforcing Entra ID password complexity policy. On-prem AD password policy 'Password must meet complexity requirements' propagated via Entra Connect rejecting the same pattern. Automated/scripted password rotation generating values derived from the account identity

How do I fix AADSTS120003?

Choose a new password that does NOT contain the username, UPN prefix, first name, or last name (no 3+ character substring of any of these). Have the user retry via https://aka.ms/sspr or Ctrl+Alt+Del → Change password, using a password unrelated to their identity. If rotating service/automation accounts, update the password generator to exclude account-name tokens and meet length ≥ 8 + 3 of 4 character classes. For hybrid tenants, verify the on-prem AD complexity policy and Entra Connect password writeback are aligned — fix the source where the change originates. If the block persists with a clearly compliant password, check Entra ID Audit logs (Sign-ins → User-initiated password change) for the exact policy evaluation and escalate to the Entra ID admin

Low severityauthentication

Power BI Error:
AADSTS120003

What does this error mean?

Password change rejected because the new password contains part of the user's account or display name.

Common causes

1The new password contains the user's sAMAccountName or UPN prefix (e.g. 'jsmith' inside 'Jsmith2026!')
2The new password contains a 3+ character substring of the user's displayName / first or last name
3Self-service password reset (SSPR) or change-password flow enforcing Entra ID password complexity policy
4On-prem AD password policy 'Password must meet complexity requirements' propagated via Entra Connect rejecting the same pattern
5Automated/scripted password rotation generating values derived from the account identity

How to fix it

1Choose a new password that does NOT contain the username, UPN prefix, first name, or last name (no 3+ character substring of any of these)
2Have the user retry via https://aka.ms/sspr or Ctrl+Alt+Del → Change password, using a password unrelated to their identity
3If rotating service/automation accounts, update the password generator to exclude account-name tokens and meet length ≥ 8 + 3 of 4 character classes
4For hybrid tenants, verify the on-prem AD complexity policy and Entra Connect password writeback are aligned — fix the source where the change originates
5If the block persists with a clearly compliant password, check Entra ID Audit logs (Sign-ins → User-initiated password change) for the exact policy evaluation and escalate to the Entra ID admin

Frequently asked questions

What does AADSTS120003 mean?

PasswordChangeIn

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes