I recently ran into a situation in my lab environment that required I resync all (2000+) user accounts to Azure AD. Though this sounds complex and daunting, it's actually quite simple. The basic steps involve disabling sync, and then removing the user objects. This can all be done with two PowerShell commands:
1) Set-MsolDirSyncEnabled -EnableDirSync $false
2) Get-MsolUser -All | Remove-MsolUser -force
The account that you are currently running the commands as will not be removed.
To enable Azure AD Sync again, you simply pass $true instead of $false to the -EnableDirSync parameter of the Set-MsolDirSyncEnabled cmdlet above. However, I ran into an issue when trying to enable Azure AD Sync.
After some research, it turns out you must wait a period of time (up to 12 hours in some cases) before you can make a second change to the Azure AD Sync status. This error simply means that we made a recent change to Azure AD Sync, and we must wait before making another change. To confirm this, the object returned by the Get-MsolCompanyInformation cmdlet has a "DirectorySynchronizationStatus" property. If we take a look at this property, we can see the status is "PendingDisabled".
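Rather than retrying by hand, the wait can be scripted. The following is an added example, not part of the original post: it polls DirectorySynchronizationStatus until the pending change has settled and only then re-enables sync. The function name Wait-DirSyncSettled, the poll interval and the timeout are assumptions chosen for illustration, and the script assumes the MSOnline module is loaded and Connect-MsolService has already been run.

```powershell
# Added example (not from the original post).
# Wait-DirSyncSettled is a hypothetical helper; interval and timeout are illustrative.
function Wait-DirSyncSettled {
    param(
        [int]$PollMinutes  = 15,   # how often to re-check the tenant
        [int]$TimeoutHours = 12    # the post reports waits of up to 12 hours
    )

    $deadline = (Get-Date).AddHours($TimeoutHours)
    while ($true) {
        # Same property the post inspects, cast to a string for comparison.
        $status = [string](Get-MsolCompanyInformation).DirectorySynchronizationStatus
        Write-Host ("{0:u}  DirectorySynchronizationStatus = {1}" -f (Get-Date), $status)

        # Any value that does not start with "Pending" means the last change completed.
        if ($status -notlike 'Pending*') { return $status }

        if ((Get-Date) -ge $deadline) {
            throw "Status is still '$status' after $TimeoutHours hours; not changing anything."
        }
        Start-Sleep -Seconds ($PollMinutes * 60)
    }
}

$settled = Wait-DirSyncSettled

if ($settled -eq 'Disabled') {
    # The earlier disable has finished, so the tenant will accept a new change.
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force

    # Show what the tenant reports immediately after the request.
    (Get-MsolCompanyInformation).DirectorySynchronizationStatus
}
else {
    # Sync is in some other settled state; leave it alone and report it.
    Write-Warning "Directory sync status is '$settled'; no change made."
}
```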