Unable to change passwords after deactivation of DirSync

We came across an interesting issue recently with a tenant after deactivating DirSync.

The issue was that users could not change their own passwords in Office 365, and were given the following error message:

“Sorry, you can’t change your password here. Follow the steps recommended by your organization or ask your admin for help.”

This is the kind of message you’d expect to see when DirSync is still enabled, as your on-premises Active Directory should remain the master of all identities and passwords.

So what causes this?

Unfortunately, when the issue was raised with Microsoft and further investigation was done, nothing stood out as an attribute on the user account to explain the difference between a sync’d user and a cloud user. The only recourse was to escalate this to engineering and get in line.

What was clear was that any users that were created directly in Office 365 after DirSync was deactivated didn’t have the issue.

What was interesting was that we had noticed that one of the pre-DirSync users had reset their own password by choosing the “Unable to sign-in” method on the sign-in screen, and after doing so was able to go into their profile and change their password at will.

So we tried a quick and simple approach – we reset all the affected users’ passwords. Immediately they were able to log in and change their passwords at will in the usual manner.

While not exactly a great solution on a large scale, at least it’s a quick win that didn’t require further escalation or time being spent to diagnose it.
