Symptoms

When attempting to synchronize an Office365 subscription from CCPv1, the following error appears:

The Account is locked. Please try again later.

Cause

There are two possible reasons:

  1. This behavior is expected: the previous synchronization attempt has not finished yet.
  2. The account can get stuck in the locked state indefinitely. The sitelog shows that every synchronization attempt ends on the following action:

    2019-04-09 04:09:47,884 <5788> [ 151] INFO aps_endpoint: >User sync is started: user_id '' object id '75554e40-4bc6-42a2-96ff-1f8a3425572b' (Add)
    

    The apilog shows that the user with that object ID has a $ symbol in the principal name:

    2019-04-09 04:09:44,540 <5788> [ 151] DEBUG apilogger   : Azure AD Graph API request GET url: 'https://graph.windows.net/135b9c28-6fdf-4558-8918-8c2bba69a4af/users?api-version=1.6&deltaLink='
    Execution time: 1313 ms
    Response status code: '200',
    Response body:
      "value": [
        {
          "objectId": "75554e40-4bc6-42a2-96ff-1f8a3425572b",
          "objectType": "User",
          "accountEnabled": false,
          "country": "UNITED STATES",
          "dirSyncEnabled": true,
          "displayName": "Contoso",
          "immutableId": "ctv7pbGtuUuzg2ikYcs9Lw==",
          "lastDirSyncTime": "2013-12-12T16:49:22Z",
          "mail": "$user@contoso.com",
          "mailNickname": "_DUPLICATE-2a75",
          "usageLocation": "US",
          "userPrincipalName": "$user@contoso.com"
        },
    

    This behavior is being considered for rework in the scope of request APSA-20007.

Resolution

For the first case, wait until the previous synchronization attempt finishes. The synchronization time for a customer depends heavily on the number of users on the Microsoft side.

For the second case, as a workaround, remove the $ symbol from the user's principal name on the Microsoft side. Contact your Technical Account Manager to clarify the current status of APSA-20007.
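
To confirm the second cause before changing anything on the Microsoft side, the object ID from the last sitelog entry can be matched against the users returned in the apilog response. The script below is an added example, not part of the product or of the original article; the function names are hypothetical and the sample logs are constructed from the excerpts above.

```python
import re

# Constructed sample input, modelled on the log excerpts in this article.
SITELOG = (
    "2019-04-09 04:09:45,101 <5788> [ 151] INFO aps_endpoint: >User sync is started: "
    "user_id '' object id '00000000-0000-0000-0000-000000000001' (Add)\n"
    "2019-04-09 04:09:47,884 <5788> [ 151] INFO aps_endpoint: >User sync is started: "
    "user_id '' object id '75554e40-4bc6-42a2-96ff-1f8a3425572b' (Add)\n"
)
APILOG = '''
  "value": [
    {
      "objectId": "00000000-0000-0000-0000-000000000001",
      "userPrincipalName": "alice@contoso.com"
    },
    {
      "objectId": "75554e40-4bc6-42a2-96ff-1f8a3425572b",
      "mail": "$user@contoso.com",
      "userPrincipalName": "$user@contoso.com"
    },
'''

SYNC_RE = re.compile(r"User sync is started: .*object id '([0-9a-fA-F-]{36})'")
FIELD_RE = re.compile(r'"(objectId|userPrincipalName)":\s*"([^"]*)"')

def last_sync_object_id(sitelog):
    """Object ID from the last 'User sync is started' entry, or None."""
    ids = SYNC_RE.findall(sitelog)
    return ids[-1] if ids else None

def upn_by_object_id(apilog):
    """Map objectId -> userPrincipalName from a (possibly truncated) response body."""
    result, current = {}, None
    for key, value in FIELD_RE.findall(apilog):
        if key == "objectId":
            current = value
        elif current is not None:
            result[current] = value
    return result

def find_stuck_user(sitelog, apilog):
    """Return (object_id, upn, has_dollar) for the user the sync stopped on."""
    object_id = last_sync_object_id(sitelog)
    upn = upn_by_object_id(apilog).get(object_id)
    return object_id, upn, upn is not None and "$" in upn

if __name__ == "__main__":
    print(find_stuck_user(SITELOG, APILOG))
```

If the third element of the result is `True`, the user the synchronization stopped on has a $ in the principal name and the workaround applies.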
