We run a hybrid environment with accounts being generated on-premises and synced to AAD for Office 365.
We also have password writeback working to allow password changes from AAD to replicate locally for consistency.
The issue we have is with sign-in blocked/disabled accounts.
If an account is disabled on-premises, the status is synced to AAD to prevent logins, which is the desired result ... BUT if an account is disabled in AAD, the next sync between on-premises and cloud will re-enable the account in AAD, restoring sign-in access for the account.
This poses an issue as we occasionally need to lock down an account (typically a compromised email account attempting to spam others).
How can the sign-in allowed/blocked status be synced from AAD to on-premises (or bi-directionally)?
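As an added example that is not part of the original post, here is the on-premises-first lockdown the post describes as working (the disabled flag syncing up to AAD), scripted in PowerShell so the block is set on the side that the sync treats as authoritative rather than on the cloud side that the post says gets reverted. It also forces a delta sync instead of waiting for the scheduled cycle, revokes the user's refresh tokens in AAD, and polls AAD to confirm the block actually landed. The module names (ActiveDirectory, ADSync, AzureAD), the $AadConnectServer parameter, the assumption that password hash sync is on, and the assumption that the on-prem UPN matches the AAD UPN are all assumptions for this example, not facts from the post.

```powershell
<#
 Added example (not from the original post): lock down a suspected
 compromised synced account from the on-premises side, which is the
 direction the post says does propagate to AAD, then confirm in AAD.
 Assumptions (adjust to your environment):
   - ActiveDirectory RSAT module available where this runs
   - PSRemoting rights to the AAD Connect server ($AadConnectServer)
   - AzureAD PowerShell module and rights to read users and revoke tokens
   - password hash sync is enabled, so the reset password follows the flag
   - on-prem userPrincipalName equals the AAD userPrincipalName
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $AadConnectServer,
    [int] $WaitSeconds = 300
)

Import-Module ActiveDirectory

# 1. Disable and re-key the account on-premises. The disabled flag is what
#    syncs to AAD as accountEnabled=false; a cloud-side block alone would be
#    overwritten on the next cycle, as the post describes.
$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
Disable-ADAccount -Identity $user

# Throw-away random password; the user gets a fresh reset during recovery.
# Never write it to the log.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

# 2. Do not wait for the scheduled cycle: run a delta sync on the AAD
#    Connect server now.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 3. Kill existing sessions in AAD. Disabling the account stops new
#    sign-ins, but tokens already issued stay valid until they expire.
Connect-AzureAD | Out-Null
$aadUser = Get-AzureADUser -ObjectId $user.UserPrincipalName
Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId

# 4. Confirm the block actually landed in AAD before declaring done.
$deadline = (Get-Date).AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 15
    $enabled = (Get-AzureADUser -ObjectId $aadUser.ObjectId).AccountEnabled
} while ($enabled -and (Get-Date) -lt $deadline)

if ($enabled) {
    Write-Error "AAD still shows $($user.UserPrincipalName) as enabled after $WaitSeconds s; check the sync cycle."
} else {
    Write-Output "$($user.UserPrincipalName) is disabled on-premises and in AAD; refresh tokens revoked."
}
```

Two practical caveats: Start-ADSyncSyncCycle errors out if a cycle is already running, so wrap step 2 in a retry if you automate this from a ticketing tool, and the final poll is there precisely because the post's observed behaviour is that the cloud state follows the on-premises state on the next sync, so "disabled in AAD" is only trustworthy once that sync has actually completed.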