You may heard about self service password reset (SSRP) in Microsoft Azure cloud. A nice feature where your users can reset thier password and unlock their accounts on their own. But if you are implementing it and wonder if you get errors you may get stuck and wonder what the hell is going one with Azure AD Connect software. The AD connect has all permissions it need. Maybe setup has done something wrong or the powershell permission scripts are doing something wrong and not setting the required permissions properly in AD or whaterver... reading all the documented 3 times and you see nothing is wrong. MS Support beginners are also not helpful and may tell you incorrect stuff like granting domain admin permission to AD Connect service and so on and so on.
What happened? We tried to change the users password of a dummy user we typically use for testing purposes. The password change was tried with this dummy user and he received an generic error message that the password cannot changed for unknown reasons and the user should not try again and ask the administrator. The administrator reviews the logs and can see:
Synchronization Engine returned an error hr=80230626, message=The password could not be updated because the management agent credentials were denied access.
Microsoft - this is not helpful in any way! Both the user message and the admin message brings you to no solution. Change the message to a helpful message, please!
Solution: Check if the user has set "User cannot change password" in account setttings, please. Remove it and it starts working. How many hours have I searched for this... unbelievable.