Low severity, authentication
Power BI Error: AADSTS120013
What does this error mean?
Entra ID (Azure AD) cannot reach the on-premises AD via Azure AD Connect to process a password change.
Common causes
1. Azure AD Connect (or Cloud Sync agent) service is stopped, unhealthy, or the server is offline
2. Password writeback is not enabled in Azure AD Connect or in the Self-Service Password Reset configuration
3. Outbound connectivity from the AD Connect server to Service Bus / *.servicebus.windows.net is blocked by firewall/proxy
4. The on-premises AD account used by AD Connect (MSOL_ account) lacks 'Reset password' and 'Change password' permissions on user OUs
5. Domain controllers reachable from the AD Connect server are unavailable or the user object is in an unsynced/quarantined state
How to fix it
1. On the Azure AD Connect server, open the Synchronization Service and confirm the service is running and the last sync succeeded; restart 'Microsoft Azure AD Sync' if needed
2. Run the AD Connect wizard → 'Customize synchronization options' and verify that Password writeback is checked; in the Entra portal, check that Protection → Password reset → On-premises integration is set to Yes
3. Test outbound TLS connectivity from the AD Connect server to *.servicebus.windows.net on port 443 (Test-NetConnection) and whitelist it on the proxy/firewall
4. Verify the MSOL_xxxx account has 'Reset password', 'Change password', and 'Write lockoutTime/pwdLastSet' permissions on the user OUs (if any are missing, re-run Set-ADSyncPasswordWritebackPermissions from the ADSyncConfig module)
5. Reproduce the password change and inspect Event Viewer → Applications and Services Logs → Microsoft → AAD Connect → Password Reset on the AD Connect server for the underlying error
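
A read-only triage script for steps 1, 3 and 5, to run on the AD Connect server. It is an added example, not taken from this page or from Microsoft. The `ServiceBusHost` and `LookbackHours` parameters are hypothetical names, and the script assumes writeback events are also recorded in the Application log under the `PasswordResetService` and `ADSync` sources.

```powershell
# Added example: read-only triage for AADSTS120013 (changes nothing on the server).
param(
    # Assumption: a concrete host under *.servicebus.windows.net for your tenant;
    # the page gives only the wildcard, so this value must be supplied.
    [Parameter(Mandatory)][string]$ServiceBusHost,
    [int]$LookbackHours = 24
)

$report = [ordered]@{}

# Step 1: is the sync service present and running?
$svc = Get-Service -DisplayName 'Microsoft Azure AD Sync' -ErrorAction SilentlyContinue
$report.SyncService = if ($svc) { [string]$svc.Status } else { 'NotFound' }

# Step 3: direct outbound TCP 443. If the server egresses only through a proxy,
# a direct test fails even when writeback works, so read False in that context.
$tnc = Test-NetConnection -ComputerName $ServiceBusHost -Port 443 -WarningAction SilentlyContinue
$report.ServiceBus443   = [bool]$tnc.TcpTestSucceeded
$report.ResolvedAddress = [string]$tnc.RemoteAddress

# Step 5: recent errors and warnings, collected after reproducing the password change.
# Assumption: these sources write to the Application log on this server.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = @(foreach ($source in 'PasswordResetService', 'ADSync') {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = $source
            Level   = 2, 3; StartTime = $since
        } -ErrorAction Stop
    } catch {
        # No matching events, or the source is not registered on this server.
    }
})
$report.WritebackEvents = $events.Count

[pscustomobject]$report | Format-List

# Newest first, first line of each message only, so the failing stage is easy to spot.
$events | Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, ProviderName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap
```

Steps 2 and 4 are configuration and permission checks, so they are left to the wizard, the Entra portal and the ADSyncConfig module as described above.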