BCM
Posted: 5/9/2017 3:44:35 PM EDT
Given: local AD, email hosted via 365. It seems fairly common for companies with security needs and an existing AD infrastructure to engage in one-way replication to MS in support of cloud hosted mailboxes. With the maintenance problems this brings I'm starting to wonder about the tradeoffs of allowing two way sync.

Has the concept of allowing an outside company to write back to your on-prem AD at will lost any of its horror? What about only allowing a two-way sync for special occasions, like getting mail items accidentally built in the cloud back into your local AD?
Link Posted: 5/12/2017 10:56:14 AM EDT
[#1]
We do exactly what you describe in the beginning: On-prem AD synced to O365 for identities, but all mail is in O365 cloud. There is no write back to on-prem AD. We also don't store passwords in O365. It is all SAML based authentication.

What is the impetus for wanting to have two-way sync?

In our environment, even if we allowed external to modify our AD directly, it would get overwritten, because our AD is not actually the source of record. We have a different Identity Management source(s) of record which updates the user objects in AD.
Link Posted: 5/12/2017 1:28:06 PM EDT
[#2]
Our on-prem AD is the source of our identity and authorization management. 

(your comment about SAML for email access is interesting - I'll be looking at that for the future)

Before I came on board, we moved from an on-prem exchange server to hosted o365 email and Office subscriptions. As part of that, we have a one way sync into o365/azure, including password sync for email access. The on-prem exchange was retired after the mailboxes were migrated.

Right now most mail enabled AD items (user accounts, most DLs) are in our on-prem AD, but some have been created in the cloud either by accident or because I could not achieve what I needed without an on-prem EMC / Exchange server. My desire is to sync all the cloud created mail items (some DLs, shared mailboxes, etc) back into our on-prem AD. My (very un-)educated guess is that a sync would be less problematic than deleting the cloud items and trying to manually recreate all the items, rights & delivery attributes locally to be re-pushed back to our hosted mail system.
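One way to size the normalization described in the post above without granting the cloud side write access to on-prem AD is to reconcile an export of cloud mail objects against an export of on-prem mail-enabled objects, keyed on primary SMTP address, and classify what is already synced, what exists only in the cloud (and so must be recreated on-prem), what exists on both sides but is not linked, and which aliases would be lost because on-prem remains authoritative. The script below is an added example, not code from the thread or from Microsoft; the record shape (name, primary SMTP, object kind, proxy addresses, and an immutable ID that is only present on objects that originated on-prem) and all sample records are constructed for illustration.

```python
"""Reconcile cloud-created mail objects against on-prem AD before a one-time
normalization. Added example; record format and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MailObject:
    name: str
    primary_smtp: str
    kind: str                                  # "user", "shared" or "dl"
    proxy_addresses: set = field(default_factory=set)
    immutable_id: Optional[str] = None         # set only when synced from on-prem AD


def index_by_smtp(objs):
    """Index objects by lower-cased primary SMTP; duplicates are a data error."""
    idx = {}
    for o in objs:
        key = o.primary_smtp.lower()
        if key in idx:
            raise ValueError(f"duplicate primary SMTP address: {key}")
        idx[key] = o
    return idx


def reconcile(cloud, onprem):
    """Classify every object so the admin knows what must be recreated on-prem.

    synced      - cloud object linked (immutable_id) to an on-prem object
    cloud_only  - no on-prem object at all: must be recreated before sync can own it
    conflict    - address exists on-prem but the cloud object is not linked to it
    drift       - aliases present in the cloud but missing on-prem; on-prem is the
                  source of truth, so they would be overwritten unless added locally
    onprem_only - on-prem object with no cloud counterpart (filtered or not mail-enabled)
    """
    cloud_idx = index_by_smtp(cloud)
    onprem_idx = index_by_smtp(onprem)
    result = {"synced": [], "cloud_only": [], "conflict": [], "drift": [], "onprem_only": []}

    for smtp, c in cloud_idx.items():
        o = onprem_idx.get(smtp)
        if o is None:
            result["cloud_only"].append(smtp)
            continue
        if c.immutable_id is None:
            result["conflict"].append(smtp)
            continue
        result["synced"].append(smtp)
        cloud_aliases = {a.lower() for a in c.proxy_addresses}
        onprem_aliases = {a.lower() for a in o.proxy_addresses}
        missing_onprem = cloud_aliases - onprem_aliases
        if missing_onprem:
            result["drift"].append((smtp, sorted(missing_onprem)))

    for smtp in onprem_idx:
        if smtp not in cloud_idx:
            result["onprem_only"].append(smtp)

    for key in result:
        result[key].sort()
    return result


def recreation_plan(cloud, report):
    """List the attributes an admin must reproduce on-prem for each cloud-only object."""
    cloud_idx = index_by_smtp(cloud)
    return [
        {"name": cloud_idx[s].name, "kind": cloud_idx[s].kind,
         "primary_smtp": s, "proxy_addresses": sorted(cloud_idx[s].proxy_addresses)}
        for s in report["cloud_only"]
    ]


# Constructed sample exports (not real data).
SAMPLE_CLOUD = [
    MailObject("Alice Smith", "alice@example.com", "user",
               {"SMTP:alice@example.com", "smtp:alice.smith@example.com"}, "id-alice"),
    MailObject("Bob Jones", "bob@example.com", "user", {"SMTP:bob@example.com"}),
    MailObject("Helpdesk", "helpdesk@example.com", "shared", {"SMTP:helpdesk@example.com"}),
    MailObject("Sales Team", "sales-team@example.com", "dl",
               {"SMTP:sales-team@example.com", "smtp:sales@example.com"}),
]
SAMPLE_ONPREM = [
    MailObject("Alice Smith", "alice@example.com", "user", {"SMTP:alice@example.com"}, "id-alice"),
    MailObject("Bob Jones", "bob@example.com", "user", {"SMTP:bob@example.com"}, "id-bob"),
    MailObject("Carol White", "carol@example.com", "user", {"SMTP:carol@example.com"}, "id-carol"),
]


def run_sample():
    report = reconcile(SAMPLE_CLOUD, SAMPLE_ONPREM)
    return report, recreation_plan(SAMPLE_CLOUD, report)


if __name__ == "__main__":
    report, plan = run_sample()
    for key, items in report.items():
        print(f"{key}: {items}")
    print("recreate on-prem:", plan)
```

The "conflict" bucket is the one to resolve first: a cloud object that shares an address with an unlinked on-prem object will not be matched cleanly by a one-way sync, and the "drift" bucket shows exactly which cloud-added aliases have to be added on-prem before the next sync cycle overwrites them.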
Link Posted: 5/13/2017 10:14:51 AM EDT
[#3]
So you want a remote system to be able to create objects within your local AD environment?  While you are researching the ramifications of setting up bi-directional replication, I would also recommend researching companies that provide retainer services for incident-response; e.g., Atlantic Data Forensics, SecureIdeas, Mandiant, etc.  (I am not affiliated with any of these companies in any way.)
Link Posted: 5/13/2017 11:09:53 AM EDT
[#4]
I'm not big on full time 2 way sync. I'm thinking of this as a one time normalization of the environment. 

Also, this external company is one that already hosts the AD of (according to them) many companies. While I have no particular trust for Microsoft, I don't think their Azure AD sync is the automatic ticket to infiltration or local AD corruption that you are hinting at. Another path - yes. Completely stupid - maybe, maybe not. 