Low severityauthentication
Power BI Error:
AADSTS120021
What does this error mean?
Internal service error in the Self-Service Password Reset (SSPR) partner service during an Entra ID / Azure AD sign-in or password reset flow.
Common causes
- 1Transient outage or backend failure in Microsoft's SSPR partner service — verify on the Microsoft 365 / Entra service health dashboard
- 2Password Writeback / Microsoft Entra Connect agent on-prem is offline, unhealthy, or has expired credentials, breaking the SSPR partner call
- 3Federated identity provider (ADFS, Okta, Ping) is unreachable or returning errors during the SSPR flow
- 4SSPR is enabled in Entra ID but the on-prem AD account lacks the required permissions for password writeback (Reset password, Change password, Write lockoutTime, Write pwdLastSet)
- 5Conditional Access or a recent tenant policy change is blocking the SSPR partner service callback
How to fix it
- 1Retry the password reset / sign-in after 5–15 minutes — AADSTS120021 is frequently transient and clears itself once Microsoft's SSPR backend recovers
- 2Check the Microsoft 365 Service Health dashboard (admin.microsoft.com → Health → Service health) and the Entra ID status page for active SSPR or Authentication incidents
- 3In the Entra admin center, open Protection → Password reset → On-premises integration and verify that Password Writeback is enabled and the Microsoft Entra Connect agent reports Healthy
- 4On the Entra Connect server, run the Azure AD Connect Health agent check and confirm the service account still has the Reset password / Write pwdLastSet / Write lockoutTime permissions on the target OU
- 5Review the Entra ID Audit and Sign-in logs (filter on the affected user and correlation ID from the error) to confirm whether the failure is consistent or intermittent, and open a Microsoft support case with that correlation ID if it persists