Low severity · authentication

Power BI Error: AADSTS120012

What does this error mean?

The user's password has expired and must be changed on the on-premises Active Directory, not in Entra ID (Azure AD).

Common causes

  • On-premises Active Directory password has expired for a synced/federated user account
  • Hybrid identity setup with AD Connect where on-prem AD remains the authoritative source for credentials
  • Self-Service Password Reset (SSPR) writeback is not enabled, so a cloud password change is not propagated
  • Service account used for a Power BI / ADF / Fabric data source has an expired domain password
  • Account is in a federated domain (ADFS) where credential changes cannot be initiated from the cloud

How to fix it

  1. Reset the user's password directly in on-premises Active Directory (ADUC or via a domain-joined machine with Ctrl+Alt+Del → Change Password)
  2. Wait for Azure AD Connect sync to propagate the new password hash (default cycle 30 minutes, or force with `Start-ADSyncSyncCycle -PolicyType Delta`)
  3. For service accounts powering Power BI gateway / ADF linked services / Fabric connections: update the stored credential in the Power BI gateway, ADF linked service, or Fabric connection after the on-prem reset
  4. Enable Password Writeback in Azure AD Connect and SSPR if you want users to be able to reset from the cloud in the future
  5. If the account is federated via ADFS, verify ADFS health and that the user can authenticate against the on-prem STS before retrying the Entra ID sign-in
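To confirm the diagnosis before resetting anything, and to catch service accounts before they expire, the on-prem expiry state can be read from Active Directory. The following is an added example, not part of the original page; the function name `Get-PasswordExpiryStatus`, the 14-day warning window, and the account names are assumptions made for illustration.

```powershell
# Added example: run on a domain-joined machine with the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-PasswordExpiryStatus {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [int] $WarnDays = 14           # assumed warning window
    )
    $now   = Get-Date
    $props = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet', 'PasswordNeverExpires'
    foreach ($name in $SamAccountName) {
        $u       = Get-ADUser -Identity $name -Properties $props
        $raw     = $u.'msDS-UserPasswordExpiryTimeComputed'   # FILETIME as Int64
        $expires = $null
        if ($u.PasswordNeverExpires -or $raw -eq [Int64]::MaxValue) {
            # 0x7FFFFFFFFFFFFFFF: no expiry applies to this account
            $state = 'NeverExpires'
        } elseif (-not $raw) {
            # 0 or unset: password must be changed at next logon
            $state = 'MustChangeAtNextLogon'
        } else {
            $expires = [DateTime]::FromFileTime($raw)
            if ($expires -le $now) {
                $state = 'Expired'          # the condition behind AADSTS120012
            } elseif ($expires -le $now.AddDays($WarnDays)) {
                $state = 'ExpiringSoon'     # rotate before the gateway/linked service breaks
            } else {
                $state = 'OK'
            }
        }
        [pscustomobject]@{
            Account         = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            Expires         = $expires
            State           = $state
        }
    }
}

# Constructed sample account names: one service account, one user.
Get-PasswordExpiryStatus -SamAccountName 'svc-pbi-gateway', 'jdoe' | Format-Table -AutoSize

# After resetting an expired password on-prem, push the new hash from the
# Azure AD Connect server instead of waiting for the 30-minute cycle:
# Start-ADSyncSyncCycle -PolicyType Delta
```

Accounts reported as `Expired` or `MustChangeAtNextLogon` need the on-prem reset in step 1; for service accounts, follow it with the stored-credential update in step 3.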

Frequently asked questions

What does AADSTS120012 mean?

PasswordChangeNeedsToHappenOnPrem

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
