Over the last few days I have been troubleshooting an Azure AD password writeback error in a customer environment.
The environment has two on-premises forests and one Azure AD tenant. The on-premises forests don’t have a trust relationship between them, but all required network ports were opened between the forests.
Port list from docs.microsoft.com.
Error
When a user from forest A tries to reset a password via the “Self-Service Password Reset” service, it works like a charm. Worth mentioning is that password change via the cloud works and the AAD Connect server has been installed in forest A.
When a user from forest B tries to reset a password from the Self-Service Password Reset service, the reset fails with the “hr=80004005, unspecified error” code and event IDs 6329 & 33001. Password change works as expected.
Yesterday we found the reason for this error. For some reason the AAD Connect server wants to communicate over TCP port 445 (SMB) with the Forest B domain controllers during the password reset interaction. The port is not mentioned in the official documentation, but it’s definitely needed, at least in a multi-forest environment. After TCP 445 was added to the firewall configuration, password resets started to work immediately for Forest B as well, with event IDs 31001 & 31002 reporting the password reset as successful.
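The following PowerShell check is an added example, not code from the original post. Run from the AAD Connect server, it locates the Forest B domain controllers through DNS SRV records (no trust needed), tests TCP reachability on 445 (plus any other ports you pass in from the official port list), and then pulls the writeback events named above. The domain name is a placeholder, and the Application log / PasswordResetService provider used for the event query is an assumption; adjust both to match your environment.

```powershell
# Added example (not from the original post). Checks TCP 445 reachability from the
# AAD Connect server to every Forest B domain controller, then shows the writeback
# events the post mentions. Domain name is a placeholder; log/provider are assumptions.
param(
    [string]$ForestBDomain = 'forestb.example',   # placeholder: Forest B domain FQDN
    [int[]]$Ports = @(445)                         # 445 from the post; add the documented ports here
)

# Resolve Forest B domain controllers via DNS SRV records (works without a forest trust).
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestBDomain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# Test each DC on each port; -InformationLevel Quiet returns a plain boolean.
$results = foreach ($dc in $dcs) {
    foreach ($port in $Ports) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DomainController = $dc; Port = $port; Reachable = $ok }
    }
}
$results | Format-Table -AutoSize

# A DC that is unreachable on TCP 445 is a candidate cause of the hr=80004005 failure.
$results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning ("{0} is not reachable on TCP {1}" -f $_.DomainController, $_.Port)
}

# Correlate with the writeback events from the post: 6329/33001 on failure, 31001/31002 on success.
# Assumption: AAD Connect writes these to the Application log under the PasswordResetService provider.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'PasswordResetService'
        Id           = 6329, 33001, 31001, 31002
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Any Forest B domain controller reported as not reachable on 445 points at the firewall rule described above; after the rule is added, a rerun should show every DC reachable and the newest events should be 31001/31002 instead of 6329/33001.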
Hope this helps 🙂