This issue seems to be popping up on the different communities, so I though it’s time to put a blog post on it out there. In short, you try to enable (or disable) Directory synchronization in Office 365, and you are greeted by the following error message:
PS C:\> Set-MsolDirSyncEnabled -EnableDirSync $false Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization. At line:1 char:1 + Set-MsolDirSyncEnabled -EnableDirSync $false + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationStopped: (:) [Set-MsolDirSyncEnabled], MicrosoftOnlineException + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsoft.Online.Administration.Automation.SetDirSyncEnabled
The DirSyncStatusChangeNotAllowedException error in particular means that you have changed the status recently, and the service is simply preventing you from changing it back too soon. The bad news is – there’s nothing you can do about it but wait. There is a preset window on the service side which you cannot bypass, even if the previous change you made has already successfully propagated (as in, you can see the correct status via Get-MSOLCompanyInformation | select DirectorySynchronizationStatus).
Microsoft does not disclose the amount of time you have to wait, but in my testing it seems to be around 12 hours or so. Note that the “propagation” delay is still a factor, as described in this support article, and in large tenants can take a day or more! The error message detailed above is different and will occur even if the DirSync status has been updated. It’s a simple block on Microsoft’s side to prevent you from changing the status too often.
And if you are troubleshooting issues with DirSync activation for a test/trial tenant, don’t forget that you need to have at least one domain validated!
18 thoughts on “You cannot turn off Active Directory synchronization”
I received the dreaded “You cannot turn off Active Directory synchronization.” error when trying to re-enable.
In order to avoid waiting for 24-72 hours as per “https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/pending-state-issue-with-directory-synchronization?WT.mc_id=365AdminCSH_SupportCentral”, run the following command on your sync source server:
Start-ADSyncSyncCycle -PolicyType Delta
The following command kept returning “PendingDisabled”
After the delta sync, it returned “Disabled”, and I was able to bring everything back into operation without issues.
I have just spoken with Microsoft. If you get to them ASAP and the sync has not completed 10%, they can cancel it. Otherwise we just have to wait. I have asked that they add a warning about this when the command is run
My tenant took 20 hours to disable and less than 1 hour to re-enable
Check App Event log for warnings/errors, you may need to restart the Microsoft Azure AD Sync service
Last point, while you are waiting, you can check the Synchronization Service Manager, when the ‘stopped-server-down’ status messages stop, you will be able to execute the command again.
The key is not to panic. Objects will change status but nothing gets deleted. If users require password changes, they need to be done both on premise and in the Cloud.
I received no calls/incidents during the outage
I have raised a Feature Request with Microsoft to display a warning about this before the command is executed.
I waited 3 hours and it worked.. Jeff
Just called MS Premier Support. Can confirm there is nothing they can do to stop this process once it is executed. The process has to complete, then you can enable/disable. The tech did say that it depends on how many objects you have and on average it does take about 72 hrs. He has seen it less and he has seen it more.
TLDR; Nothing you can do but wait it out.
In my experience this has never been less that 24 hours and in most cases is all the way to 72+ hours. I’ve had tickets with Microsoft in this regard, and they won’t even force the issue on the back end to reset until its been “at least” 72 hours according to them.
I’ve read this elsewhere as well.. I’ll be 48h in shortly and still encounter the problem.
Im at 14hrs and counting….Unitl this is up I cant maake any changes to local AD that need to go to Azure/O365.
Same. I stopped the sync. I’ve already waited more than 24 hours and I still get this error.
Unfortunately, I’ve stopped syncing my directory, tried to resync, and am at 20+ hours and counting trying to reenable the sync now and still being met with this error. ~600 tenants. No dice!
Had the same issue, thank you for being the only blog on the internet documenting it! That said its Sep 2019 and I had the issue, only took a couple hours for it to allow me to run the command again. So maybe this is down to 2 hours?
It depends on the size of the tenant/number of objects synchronized. It’s also very likely that Microsoft has made some improvements over the past few years.
Vasil hi am desperate here, happy new year I ran the exact same command to Set-MsolDirSyncEnabled -EnableDirSync $false in a hybrid environment and yes there is a delay to revert get I get the same error in post when i try to re-enable, ok so we wait and the re-run….BUT i am freaking out as after running this command all the users in the 0365 admin portal show as Sync status -in cloud! will this disable command have actually converted the on premises accounts to full cloud?irreversible? or can i just revert back to the way things were before by enabling the DIRsync when possible and synching?
Curious…what happened with this?
Yes, not very helpful if you are trying to troubleshoot DirSync errors with some users accounts. Having to wait a whole day to stop a service and restart it, is a bit of a pain in the backside.
But why would you disable entire sync for troubleshooting. It’s not recommended to play & disable sync like that.
To simply stop automatic sync cycle , you can disable sync scheduler but no need to disable the tenant wide sync and convert all object to be cloud only.
It’s an extreme steps and that’s why take upto 72 hours to complete and should be taken in absolute required situations.
Well Most Case if you want to remove the AD sync on premises. You need to disable AD connect otherwise you won’t be able to delete it, also same thing apply if you want to delete user were synced on Premises AD to Office 365.
So the solution is you will need to wait until the process completed