You cannot turn off Active Directory synchronization

This issue seems to be popping up on the different communities, so I thought it’s time to put a blog post on it out there. In short, you try to enable (or disable) Directory synchronization in Office 365, and you are greeted by the following error message:

PS C:\> Set-MsolDirSyncEnabled -EnableDirSync $false

Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
+ Set-MsolDirSyncEnabled -EnableDirSync $false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : OperationStopped: (:) [Set-MsolDirSyncEnabled], MicrosoftOnlineException
   + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsoft.Online.Administration.Automation.SetDirSyncEnabled

The DirSyncStatusChangeNotAllowedException error in particular means that you have changed the status recently, and the service is simply preventing you from changing it back too soon. The bad news is – there’s nothing you can do about it but wait. There is a preset window on the service side which you cannot bypass, even if the previous change you made has already successfully propagated (as in, you can see the correct status via Get-MSOLCompanyInformation | select DirectorySynchronizationStatus).

Microsoft does not disclose the amount of time you have to wait, but in my testing it seems to be around 12 hours or so. Note that the “propagation” delay is still a factor, as described in this support article, and in large tenants can take a day or more! The error message detailed above is different and will occur even if the DirSync status has been updated. It’s a simple block on Microsoft’s side to prevent you from changing the status too often.

And if you are troubleshooting issues with DirSync activation for a test/trial tenant, don’t forget that you need to have at least one domain validated!
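
To tell the two delays described above apart before retrying, the status check and the error ID can be combined in one helper. This is an added example, not code from the original post; the function name Set-DirSyncState and its return strings are hypothetical, and it assumes the MSOnline module is loaded and Connect-MsolService has already been run.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-MsolService session; helper name and return strings are hypothetical.
function Set-DirSyncState {
    param([Parameter(Mandatory)][bool]$Enable)

    $info = Get-MsolCompanyInformation
    Write-Host "Current status: $($info.DirectorySynchronizationStatus)"

    # Nothing to do if the tenant is already in the requested state.
    if ($info.DirectorySynchronizationEnabled -eq $Enable) {
        return 'AlreadyInRequestedState'
    }

    # A Pending* status means an earlier change is still propagating.
    if ("$($info.DirectorySynchronizationStatus)" -like 'Pending*') {
        return 'PreviousChangeStillPropagating'
    }

    try {
        Set-MsolDirSyncEnabled -EnableDirSync $Enable -Force -ErrorAction Stop
        return 'ChangeSubmitted'
    }
    catch {
        # The error ID from the output above identifies the service-side block,
        # which occurs even when the status has already been updated.
        if ($_.FullyQualifiedErrorId -like '*DirSyncStatusChangeNotAllowedException*') {
            return 'BlockedByServiceWindow'   # only waiting clears this
        }
        throw   # any other failure is a different problem; surface it
    }
}

Set-DirSyncState -Enable $false
```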


8 Responses to You cannot turn off Active Directory synchronization

  1. Mike says:

    Yes, not very helpful if you are trying to troubleshoot DirSync errors with some user accounts. Having to wait a whole day to stop a service and restart it is a bit of a pain in the backside.

  2. G says:

    Had the same issue, thank you for being the only blog on the internet documenting it! That said, it’s Sep 2019 and I had the issue, only took a couple hours for it to allow me to run the command again. So maybe this is down to 2 hours?

    • Vasil Michev says:

      It depends on the size of the tenant/number of objects synchronized. It’s also very likely that Microsoft has made some improvements over the past few years.

  3. Jacob says:

    Unfortunately, I’ve stopped syncing my directory, tried to resync, and am at 20+ hours and counting trying to reenable the sync now and still being met with this error. ~600 tenants. No dice!

  4. Daniel says:

    Same. I stopped the sync. I’ve already waited more than 24 hours and I still get this error.

  5. Christian Taveras says:

    I’m at 14hrs and counting…. Until this is up I can’t make any changes to local AD that need to go to Azure/O365.

  6. Patrick Loner says:

    In my experience this has never been less than 24 hours and in most cases is all the way to 72+ hours. I’ve had tickets with Microsoft in this regard, and they won’t even force the issue on the back end to reset until it’s been “at least” 72 hours according to them.

    • Michael says:

      I’ve read this elsewhere as well.. I’ll be 48h in shortly and still encounter the problem.
