Block Sign In Source-of-Authority issue
It is very confusing for customers that they have the option to change the "Block Sign In" state when the user's source-of-authority is "Windows AD Server" (Active Directory).
Why is this not disabled like all other attributes? It doesn't make any sense to have the control enabled when the UserAccountAttribute overwrites the setting during Azure AD Connect sync.
You should at least have a popup box telling the user that this setting will be overwritten by Azure AD Connect sync, if Azure AD Connect is configured to update the AccountEnabled value based on the UserAccountControl state in the local Active Directory.
What would be the purpose of being able to disable sign-in for a user in the cloud for a couple of hours until Azure Active Directory enables sign-in again?
Nigel Wood commented
This also has a major issue in restricting Microsoft's security tools, such as Identity Protection and MCAS, from suspending (setting block on sign-in) a hybrid Azure AD account. An alternative for the tools would be to add an additional blocked attribute that wasn't overwritten by AAD Connect sync?
Peter Selch Dahl commented
Also see: accountExpires
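The sync behaviour described in the original post and the accountExpires remark above, as an added example that is not part of this thread: it models how a cloud-only "Block sign in" on a synced user is undone when sync reapplies the on-prem state. The derivation of the on-prem enabled state from userAccountControl and accountExpires is an assumption for illustration, not the product's actual sync rule, and all user records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x2                     # userAccountControl flag: account disabled
NORMAL_ACCOUNT = 0x200                   # userAccountControl flag: normal user account
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # accountExpires values meaning "never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used to build sample accountExpires values."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def onprem_account_enabled(uac: int, account_expires: int, now: datetime) -> bool:
    """Assumed derivation: disabled if ACCOUNTDISABLE is set or accountExpires is in the past."""
    if uac & ACCOUNTDISABLE:
        return False
    if account_expires in NEVER_EXPIRES:
        return True
    return filetime_to_datetime(account_expires) > now

@dataclass
class DirectoryUser:
    upn: str
    source_of_authority: str     # "Windows AD Server" (synced) or "Azure Active Directory"
    cloud_account_enabled: bool  # False means "Block sign in" is set in the cloud
    uac: int                     # on-prem userAccountControl (unused for cloud-only users)
    account_expires: int         # on-prem accountExpires FILETIME (unused for cloud-only users)

def cloud_blocks_pending_reversal(users, now):
    """UPNs whose cloud-side block exists only in the cloud and will be undone by the next sync."""
    return [u.upn for u in users
            if u.source_of_authority == "Windows AD Server"
            and not u.cloud_account_enabled
            and onprem_account_enabled(u.uac, u.account_expires, now)]

# Constructed sample data (not real accounts)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EXPIRED = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
SAMPLE_USERS = [
    DirectoryUser("alice@example.com", "Windows AD Server", False, NORMAL_ACCOUNT, 0),
    DirectoryUser("bob@example.com", "Windows AD Server", False, NORMAL_ACCOUNT | ACCOUNTDISABLE, 0),
    DirectoryUser("carol@example.com", "Windows AD Server", False, NORMAL_ACCOUNT, EXPIRED),
    DirectoryUser("dave@example.com", "Azure Active Directory", False, 0, 0),
]

if __name__ == "__main__":
    print(cloud_blocks_pending_reversal(SAMPLE_USERS, NOW))  # ['alice@example.com']
```

Only alice is flagged: bob is disabled on-prem, carol's on-prem account has expired, and dave is cloud-only, so for those three the cloud block and the source of authority agree.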