Why do accounts disabled by O365 remediation become re‑enabled after 30 minutes?
What is happening?
When RocketCyber disables a Microsoft 365 (Entra ID) user via O365 Remediation, the account may automatically become re‑enabled within 30 minutes.
Why is it happening?
Most affected environments are using Microsoft Entra Connect Sync to synchronize identities between on‑premises Active Directory (AD) and Microsoft Entra ID.
When directory sync is enabled:
- The on‑prem AD becomes the source of authority.
- Any changes made only in the cloud (such as disabling a user in Entra ID) are overwritten at the next sync cycle.
- Entra Connect’s default sync interval is every 30 minutes, which is why accounts re‑enable shortly after RocketCyber remediation.
RocketCyber cannot control or override the customer's local AD or Entra ID synchronization configuration.
Does this affect all tenants?
No. Only hybrid identity environments using Entra Connect Sync experience this behavior. Cloud‑only tenants are not affected.
What is the impact?
- Cloud‑only disable actions may not persist in hybrid (synced) environments.
- Security/IR workflows that expect a lasting disable in the cloud must be aligned to directory sync behavior.
How can I prevent accounts from becoming re‑enabled?
To ensure that remediation actions “stick,” partners must adjust their Entra Connect configuration:
1. Modify Microsoft Entra Connect filtering
Configure filtering so only the required accounts sync from on‑prem AD to the cloud. If a user is excluded from sync, Entra Connect Sync will no longer overwrite cloud‑side changes to that user. Refer to Microsoft Entra Connect Sync – Configure Filtering.
2. Disable the user in on‑prem AD
If the user exists in on‑prem AD, you must disable them in on‑prem AD, not only in Entra ID.
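The following PowerShell sketch is an added example, not RocketCyber or Microsoft code. It checks whether a user is synced from on‑prem AD and disables the account in the directory that is authoritative for it. The function name `Disable-CompromisedUser` and the sample UPN are hypothetical, and it assumes a single AD domain, the Microsoft.Graph.Users and ActiveDirectory modules, and an existing `Connect-MgGraph` session with rights to update users.

```powershell
# Added example: hypothetical helper, not vendor code.
# Assumes Connect-MgGraph has already been run with permission to read and
# update users, and that this host can reach a domain controller.
Import-Module Microsoft.Graph.Users
Import-Module ActiveDirectory

function Disable-CompromisedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # Ask Entra ID whether this object is synced from on-prem AD.
    $props = 'id,userPrincipalName,accountEnabled,onPremisesSyncEnabled,onPremisesSamAccountName'
    $cloudUser = Get-MgUser -UserId $UserPrincipalName -Property $props -ErrorAction Stop

    if ($cloudUser.OnPremisesSyncEnabled) {
        # Synced user: on-prem AD is the source of authority, so a cloud-only
        # disable would be overwritten at the next sync cycle. Disable in AD.
        $sam = $cloudUser.OnPremisesSamAccountName
        if (-not $sam) { throw "No on-prem sAMAccountName recorded for $UserPrincipalName" }
        # Assumption: single domain, so sAMAccountName identifies one object.
        $adUser = Get-ADUser -Identity $sam -ErrorAction Stop
        if ($PSCmdlet.ShouldProcess($adUser.DistinguishedName, 'Disable in on-prem AD')) {
            Disable-ADAccount -Identity $adUser
        }
        $where = 'OnPremAD'
    }
    else {
        # Cloud-only user: nothing syncs over it, so the cloud disable persists.
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable in Entra ID')) {
            Update-MgUser -UserId $cloudUser.Id -AccountEnabled:$false
        }
        $where = 'EntraID'
    }

    # Report where the disable was applied so the IR ticket can record it.
    [pscustomobject]@{ User = $UserPrincipalName; DisabledIn = $where }
}

# Dry run against a constructed sample UPN; remove -WhatIf to apply.
Disable-CompromisedUser -UserPrincipalName 'jdoe@contoso.example' -WhatIf
```

After an on‑prem disable, the change reaches Entra ID at the next sync cycle; running `Start-ADSyncSyncCycle -PolicyType Delta` on the Entra Connect server triggers that cycle without waiting for the schedule.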
What are best practices?
- Confirm whether the customer is using hybrid AD before relying on cloud‑only remediation.
- Align remediation workflows with Entra Connect Sync behavior.
In sum, this behavior is expected in hybrid identity environments. If O365 Remediation disables an account but Entra Connect Sync is active, the on‑prem AD will restore the account to its previous state at the next sync cycle. To ensure the disable action persists, partners must adjust Entra Connect Sync filtering or disable the account in on-prem AD.