This issue is observed after configuring the Azure AD Password Changer feature according to the Azure AD password changer guide.
The following error appears in the GUI during the password rotation process:

 The issue was identified after validating the Troubleshooting steps.
For further investigation, collect the following debug logs while reproducing the issue:
diagnose debug reset
diagnose debug console timestamp enable
diagnose wad debug enable category pwdchg
diagnose wad debug enable category secret
diagnose wad debug enable level verbose
diagnose debug enable
After reproducing the issue, stop the debug process:
diagnose debug disable
The following debug excerpt shows the main error messages related to the password changer operation:
[V]2026-05-02 20:23:57.510893 wad_pwd_chg_web_handle_resp :525 Body str: {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Correlation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[E]2026-05-02 20:23:57.552596 wad_pwd_chg_web_proc_result :2357 secret: TEST-PASSWORD-ROTATION pwd chg failed:Web-api request failed at step 1: incorrect code 400
The issue is triggered when FortiPAM generates passwords containing certain special characters, such as '+' and '&'.
According to the Password policies and account restrictions in Microsoft Entra ID, these characters are supported by Microsoft Entra ID password policies.
This behavior has been identified in Bug ID 1273260. The fix is planned for FortiPAM v1.8.3 and FortiPAM v1.9.0.
As a temporary mitigation method, disable password rotation until upgrading to a firmware version containing the fix.
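To check a saved debug capture for the same failure signature shown in the excerpt above, the following added example (not Fortinet code) pairs each failed rotation with the response body logged just before it. The line layout is assumed from the two excerpt lines, and the names `triage` and `matches_article` are hypothetical.

```python
import re

# Constructed sample modelled on the two excerpt lines above (IDs are placeholders).
# The response body is cut off in the log, so it is not valid JSON.
SAMPLE_LOG = '''\
[V]2026-05-02 20:23:57.510893 wad_pwd_chg_web_handle_resp :525 Body str: {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: xxxxxxxx Correlation ID: xxxxxxxx
[E]2026-05-02 20:23:57.552596 wad_pwd_chg_web_proc_result :2357 secret: TEST-PASSWORD-ROTATION pwd chg failed:Web-api request failed at step 1: incorrect code 400
'''

# Line layout assumed from the excerpt: [level]timestamp function :line message
LINE = re.compile(r'^\[(?P<lvl>[A-Z])\](?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) '
                  r'(?P<func>\S+) :(?P<src>\d+) (?P<msg>.*)$')
FAIL = re.compile(r'secret: (?P<secret>.+?) pwd chg failed:Web-api request failed '
                  r'at step (?P<step>\d+): incorrect code (?P<http>\d+)')
OAUTH_ERR = re.compile(r'"error":"([^"]+)"')
AADSTS = re.compile(r'\bAADSTS\d+\b')

def triage(log_text):
    """Pair each failed rotation with the response body logged just before it."""
    findings, body = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m['msg']
        if m['func'] == 'wad_pwd_chg_web_handle_resp' and msg.startswith('Body str:'):
            # Regex instead of json.loads: the logged body may be truncated.
            err, code = OAUTH_ERR.search(msg), AADSTS.search(msg)
            body = {'error': err.group(1) if err else None,
                    'aadsts': code.group(0) if code else None}
            continue
        f = FAIL.search(msg)
        if m['lvl'] == 'E' and f:
            step, http = int(f['step']), int(f['http'])
            findings.append({
                'time': m['ts'], 'secret': f['secret'], 'step': step,
                'http_status': http, 'oauth_error': body.get('error'),
                'aadsts': body.get('aadsts'),
                # Same signature as the excerpt in this article.
                'matches_article': (step, http, body.get('aadsts')) == (1, 400, 'AADSTS50126'),
            })
            body = {}
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A match on this signature alone does not confirm the bug, because AADSTS50126 is also returned for a genuinely wrong credential. Confirm that the rotated password contained '+' or '&' before attributing the failure to Bug ID 1273260.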