Low severityauthentication
Power BI Error:
AADSTS120005
What does this error mean?
Password was changed successfully in on-prem AD, but the new password failed to sync to Entra ID (Azure AD).
Common causes
- 1Azure AD Connect / Entra Connect Sync service is stopped, errored, or hasn't run since the password change
- 2Password Hash Sync (PHS) is disabled or misconfigured on the Entra Connect server
- 3Password Writeback agent is unhealthy or the service account lost the Reset Password permission in on-prem AD
- 4Connectivity issue between the Entra Connect server and Entra ID (firewall, proxy, expired certificate)
- 5User object is filtered out of sync scope or stuck in a sync error state in Entra Connect Health
How to fix it
- 1On the Entra Connect server, open the Synchronization Service Manager and confirm the most recent Password Hash Sync run completed without errors — force a sync with `Start-ADSyncSyncCycle -PolicyType Delta` if it's stale
- 2In the Entra admin center, go to Entra Connect → Connect Health and check for Password Hash Sync or Password Writeback alerts on the affected tenant
- 3Verify the AD DS connector account still has the 'Reset password' and 'Change password' extended rights on the user OU (required for Password Writeback)
- 4Have the user reset their password again from a domain-joined device (or via SSPR) once sync is healthy — the previous change won't replay automatically
- 5If the issue persists, run `Invoke-ADSyncDiagnostics` on the Entra Connect server and review the password sync diagnostic report for the specific user