SSO is disabled. Sync for devices only to one tenant.
According to the documentation, AD Connect accounts need the following permissions for (password) writeback:
Reset password
Write permissions on lockoutTime
Write permissions on pwdLastSet
Extended rights for "Unexpire Password" on the root object of each domain in that forest, if not already set.
We want to limit each AD Connect account to a subset of the OUs, as per the filtering configured during AD Connect configuration.
It should work, but if anyone has already validated a similar scenario, it would be great to have feedback.
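The delegation described in the post, as an added PowerShell example that is not from the original post or from the AD Connect documentation: it grants one connector account the four rights listed above, with the three that can be scoped (Reset Password, write lockoutTime, write pwdLastSet) applied only to user objects under one OU, and Unexpire Password applied on the domain root object, which is where the documentation says it has to sit. The account name `CONTOSO\MSOL_tenantA` and the OU `OU=TenantA,DC=contoso,DC=com` are placeholder assumptions; the GUIDs are resolved from the live schema rather than hard-coded.

```powershell
# Added example (not from the post or the AD Connect docs): delegate the
# password-writeback rights listed above to one AD Connect connector account,
# scoped to the OU that connector is filtered to.
# Assumptions: account and OU below are placeholders; the script runs with
# rights to modify these ACLs and the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_tenantA'          # assumed connector account
$TargetOu         = 'OU=TenantA,DC=contoso,DC=com'  # assumed OU scope for this connector

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaDn = $rootDse.schemaNamingContext
$configDn = $rootDse.configurationNamingContext
$sid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Resolve attribute/class and extended-right GUIDs from the forest schema
# instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaDn -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
                        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'
$unexpirePwd = Get-ExtendedRightGuid 'Unexpire Password'

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$none        = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

function New-Ace($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

# Rights 1-3: Reset Password, write lockoutTime, write pwdLastSet, limited to
# user objects that are descendants of the target OU.
$ouAcl = Get-Acl -Path "AD:\$TargetOu"
$ouAcl.AddAccessRule((New-Ace 'ExtendedRight' $resetPwd    $descendants $userClass))
$ouAcl.AddAccessRule((New-Ace 'WriteProperty' $lockoutTime $descendants $userClass))
$ouAcl.AddAccessRule((New-Ace 'WriteProperty' $pwdLastSet  $descendants $userClass))
Set-Acl -Path "AD:\$TargetOu" -AclObject $ouAcl

# Right 4: Unexpire Password is a control access right held on the domain
# root object itself, so it cannot be scoped to an OU; grant it once per
# domain, non-inherited.
$domAcl = Get-Acl -Path "AD:\$domainDn"
$domAcl.AddAccessRule((New-Ace 'ExtendedRight' $unexpirePwd $none ([guid]::Empty)))
Set-Acl -Path "AD:\$domainDn" -AclObject $domAcl

# Read back what the account actually holds on both objects, so the result
# can be checked against the OU filtering rather than assumed.
foreach ($dn in @($TargetOu, $domainDn)) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $ConnectorAccount } |
        Select-Object @{n='Object';e={$dn}}, ActiveDirectoryRights, ObjectType,
                      InheritanceType, InheritedObjectType
}
```

For several connector accounts, run this once per account/OU pair. The read-back at the end is the check worth keeping: the three OU-scoped ACEs should show `InheritanceType` of `Descendents` with `InheritedObjectType` equal to the user class GUID, while the Unexpire Password ACE will always appear on the domain root, which is the one right that OU filtering does not limit. Both `Set-Acl` calls accept `-WhatIf` for a dry run before changing anything.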