Environment:
On-premises Active Directory 2012 R2
Azure AD Connect with Directory Synchronization Enabled
Federated Domain Shared Name Space for Skype for Business and Exchange
AD FS with Web Application Proxy
Office 365 Tenant Subscription w/ E5 Licenses
Description of Issue/Error Encountered:
In performing an AD health check and attempting to cleanup user objects with corrupted AD attributes, we found ourselves in a situation where we needed to disable directory synchronization between on-premises AD & Office 365 Azure AD in order to clear cloud attributes in the user object that cannot be changed from the O365 Admin Center since the on-premises AD owned the management scope. Under the direction of Microsoft Technical Support referencing case number 30126-5865017, I disabled directory synchronization using the following command:
Set-MsolDirSyncEnabled –EnableDirSync $false
After running that command, we waited the 72 hours that Microsoft states it could take up to and it still had not finished deactivating.
Cause:
The root cause remains unknown. Microsoft stated that this could be due to environments that have over 50,000 objects in Active Directory; however, that was not applicable in our environment.
Resolution:
From my perspective, we had to wait over 120 hours for deactivation to finish. I am told (which I have no evidence to prove or any cmdlets that were executed to validate) that the solution was applying a few internal synchronizations for your organizations to resolve the issue in the backend that can be applied by frontline in the future if it's needed.
References:
Directory synchronization for Office 365, Azure, or Intune can't be activated or deactivated
https://support.microsoft.com/en-us/help/2654338/directory-synchronization-for-office-365,-azure,-or-intune-can-t-be-activated-or-deactivated
Active Directory Synchronization
https://msdn.microsoft.com/en-us/library/azure/dn144766.aspx