What causes AADSTS120015?

On-premises AD admin enabled 'User must change password at next logon' on the account. Account password expired in on-premises AD and forced-change flag was set during reset. Self-Service Password Reset (SSPR) writeback is not configured, so the user cannot change the password via the Microsoft sign-in page. Password hash sync delay between on-prem AD and Entra ID after the admin-forced reset. Hybrid identity scenario where federated/synced user hits Entra ID before completing the AD-side password change

How do I fix AADSTS120015?

Have the user sign in to a domain-joined Windows workstation on the corporate network — Windows will prompt them to set a new password directly against on-prem AD. If no domain-joined device is available, ask the AD admin to reset the password in Active Directory Users and Computers and uncheck 'User must change password at next logon', then communicate the new password securely. Wait for Azure AD Connect / Entra Connect to sync the new password hash (default cycle ~2 minutes for password hash sync) before retrying sign-in. Enable SSPR with password writeback in Entra ID so users can self-serve the change from the sign-in page next time (Entra admin center → Protection → Password reset → On-premises integration). Verify the account is not also blocked by 'pwdLastSet = 0' lingering after the change by running `Get-ADUser -Properties pwdLastSet, PasswordExpired` on a DC

Low severityauthentication

Power BI Error:
AADSTS120015

What does this error mean?

Sign-in blocked because the on-premises Active Directory admin requires the user to change their password before next logon.

Common causes

1On-premises AD admin enabled 'User must change password at next logon' on the account
2Account password expired in on-premises AD and forced-change flag was set during reset
3Self-Service Password Reset (SSPR) writeback is not configured, so the user cannot change the password via the Microsoft sign-in page
4Password hash sync delay between on-prem AD and Entra ID after the admin-forced reset
5Hybrid identity scenario where federated/synced user hits Entra ID before completing the AD-side password change

How to fix it

1Have the user sign in to a domain-joined Windows workstation on the corporate network — Windows will prompt them to set a new password directly against on-prem AD
2If no domain-joined device is available, ask the AD admin to reset the password in Active Directory Users and Computers and uncheck 'User must change password at next logon', then communicate the new password securely
3Wait for Azure AD Connect / Entra Connect to sync the new password hash (default cycle ~2 minutes for password hash sync) before retrying sign-in
4Enable SSPR with password writeback in Entra ID so users can self-serve the change from the sign-in page next time (Entra admin center → Protection → Password reset → On-premises integration)
5Verify the account is not also blocked by 'pwdLastSet = 0' lingering after the change by running `Get-ADUser <user> -Properties pwdLastSet, PasswordExpired` on a DC

Frequently asked questions

What does AADSTS120015 mean?

PasswordCh

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes