You cannot turn off Active Directory synchronization

This issue seems to be popping up on the different communities, so I though it’s time to put a blog post on it out there. In short, you try to enable (or disable) Directory synchronization in Office 365, and you are greeted by the following error message:

PS C:\> Set-MsolDirSyncEnabled -EnableDirSync $false

Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
+ Set-MsolDirSyncEnabled -EnableDirSync $false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : OperationStopped: (:) [Set-MsolDirSyncEnabled], MicrosoftOnlineException
   + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsoft.Online.Administration.Automation.SetDirSyncEnabled

The DirSyncStatusChangeNotAllowedException error in particular means that you have changed the status recently, and the service is simply preventing you from changing it back too soon. The bad news is – there’s nothing you can do about it but wait. There is a preset window on the service side which you cannot bypass, even if the previous change you made has already successfully propagated (as in, you can see the correct status via Get-MSOLCompanyInformation | select DirectorySynchronizationStatus).

Microsoft does not disclose the amount of time you have to wait, but in my testing it seems to be around 12 hours or so. Note that the “propagation” delay is still a factor, as described in this support article, and in large tenants can take a day or more! The error message detailed above is different and will occur even if the DirSync status has been updated. It’s a simple block on Microsoft’s side to prevent you from changing the status too often.

And if you are troubleshooting issues with DirSync activation for a test/trial tenant, don’t forget that you need to have at least one domain validated!

This entry was posted in Azure AD, Office 365, PowerShell. Bookmark the permalink.

One Response to You cannot turn off Active Directory synchronization

  1. Mike says:

    Yes, not very helpful if you are trying to troubleshoot DirSync errors with some users accounts. Having to wait a whole day to stop a service and restart it, is a bit of a pain in the backside.

Leave a Reply

Your email address will not be published. Required fields are marked *