Low severity · authentication
Power BI Error:
AADSTS120004
What does this error mean?
Password change rejected because the new password does not meet the on-premises Active Directory complexity policy.
Common causes
1. New password does not meet the on-premises Active Directory password complexity policy (length, character classes, no username, etc.)
2. Password matches a recent entry in the on-prem AD password history and is rejected on writeback
3. Password is blocked by an on-prem Fine-Grained Password Policy (FGPP) applied to the user's group or OU
4. Password is filtered by a custom password filter DLL or third-party banned-password tool on the domain controller
5. Entra Connect password writeback is enabled but the cloud policy is more permissive than the on-prem policy, causing a mismatch at sync
How to fix it
1. Choose a new password that satisfies the on-prem AD policy: typically 8+ characters, at least 3 of 4 character classes (upper, lower, digit, symbol), and no parts of the username or display name
2. Avoid recently used passwords — most domains enforce a password history of 24, so reuse of any recent password will fail writeback
3. Verify with your AD administrator whether a Fine-Grained Password Policy or banned-password filter is applied to your account, and align the new password with those rules
4. If the error persists, have an admin check the Entra Connect server event log (Directory Service / Password Hash Sync) and the DC's Security log for the exact GPO or filter that rejected the writeback
5. Align the Entra ID password protection policy with the on-prem complexity rules (Entra admin center → Protection → Authentication methods → Password protection) to prevent future mismatches
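
For step 3, an AD administrator can read the policy that actually applies to the affected account. The script below is an added example, not part of the original page. It assumes the RSAT ActiveDirectory module and an account with read access to the domain; the function names and the `-SamAccountName` parameter are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: show which on-prem password policy governs one user, and list
# the password filter packages registered on the machine where it runs.
param(
    [Parameter(Mandatory)]
    [string]$SamAccountName   # hypothetical input: logon name of the affected user
)

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    # A Fine-Grained Password Policy that resolves for the user overrides the
    # domain default. The cmdlet returns nothing when no FGPP applies.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($fgpp) {
        $source = "FGPP: $($fgpp.Name)"
        $policy = $fgpp
    } else {
        $source = 'Default domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    [pscustomobject]@{
        User                 = $Identity
        Source               = $source
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
    }
}

function Get-PasswordFilterPackage {
    # Password filter DLLs are registered in the LSA "Notification Packages"
    # value. Run this part on a domain controller; entries beyond the Windows
    # defaults indicate a custom or third-party filter.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'Notification Packages'
    $lsa.'Notification Packages'
}

Get-EffectivePasswordPolicy -Identity $SamAccountName | Format-List
Get-PasswordFilterPackage
```

Compare the reported length, complexity and history values with the Entra ID password protection settings from step 5 to find where the cloud policy is more permissive than the on-prem one.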