I'm looking for guidance on preventing (filtering) "emergency access" users from syncing to on-prem AD when using AD Connect. From the reference doc Manage emergency access accounts in Azure AD:
"Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the .onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.*"
I've only found documentation on using Synchronization Rules to filter from on-prem Active Directory to AAD.