You cannot turn off Active Directory synchronization

This issue seems to be popping up on the different communities, so I though it’s time to put a blog post on it out there. In short, you try to enable (or disable) Directory synchronization in Office 365, and you are greeted by the following error message:

PS C:\> Set-MsolDirSyncEnabled -EnableDirSync $false

Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
+ Set-MsolDirSyncEnabled -EnableDirSync $false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : OperationStopped: (:) [Set-MsolDirSyncEnabled], MicrosoftOnlineException
   + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsoft.Online.Administration.Automation.SetDirSyncEnabled

The DirSyncStatusChangeNotAllowedException error in particular means that you have changed the status recently, and the service is simply preventing you from changing it back too soon. The bad news is – there’s nothing you can do about it but wait. There is a preset window on the service side which you cannot bypass, even if the previous change you made has already successfully propagated (as in, you can see the correct status via Get-MSOLCompanyInformation | select DirectorySynchronizationStatus).

Microsoft does not disclose the amount of time you have to wait, but in my testing it seems to be around 12 hours or so. Note that the “propagation” delay is still a factor, as described in this support article, and in large tenants can take a day or more! The error message detailed above is different and will occur even if the DirSync status has been updated. It’s a simple block on Microsoft’s side to prevent you from changing the status too often.

And if you are troubleshooting issues with DirSync activation for a test/trial tenant, don’t forget that you need to have at least one domain validated!

This entry was posted in Azure AD, Office 365, PowerShell. Bookmark the permalink.

9 Responses to You cannot turn off Active Directory synchronization

  1. Caden says:

    Just called MS Premier Support. Can confirm there is nothing they can do to stop this process once it is executed. The process has to complete, then you can enable/disable. The tech did say that it depends on how many objects you have and on average it does take about 72 hrs. He has seen it less and he has seen it more.

    TLDR; Nothing you can do but wait it out.

  2. Patrick Loner says:

    In my experience this has never been less that 24 hours and in most cases is all the way to 72+ hours. I’ve had tickets with Microsoft in this regard, and they won’t even force the issue on the back end to reset until its been “at least” 72 hours according to them.

  3. Christian Taveras says:

    Im at 14hrs and counting….Unitl this is up I cant maake any changes to local AD that need to go to Azure/O365.

  4. Daniel says:

    Same. I stopped the sync. I’ve already waited more than 24 hours and I still get this error.

  5. Jacob says:

    Unfortunately, I’ve stopped syncing my directory, tried to resync, and am at 20+ hours and counting trying to reenable the sync now and still being met with this error. ~600 tenants. No dice!

  6. G says:

    Had the same issue, thank you for being the only blog on the internet documenting it! That said its Sep 2019 and I had the issue, only took a couple hours for it to allow me to run the command again. So maybe this is down to 2 hours?

    • Vasil Michev says:

      It depends on the size of the tenant/number of objects synchronized. It’s also very likely that Microsoft has made some improvements over the past few years.

  7. Mike says:

    Yes, not very helpful if you are trying to troubleshoot DirSync errors with some users accounts. Having to wait a whole day to stop a service and restart it, is a bit of a pain in the backside.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.