Our on-prem AD is the source of our identity and authorization management.
(your comment about SAML for email access is interesting - I'll be looking at that for the future)
Before I came on board, we moved from an on-prem Exchange server to hosted O365 email and Office subscriptions. As part of that, we have a one-way sync into O365/Azure, including password sync for email access. The on-prem Exchange was retired after the mailboxes were migrated.
Right now most mail enabled AD items (user accounts, most DLs) are in our on-prem AD, but some have been created in the cloud either by accident or because I could not achieve what I needed without an on-prem EMC / Exchange server. My desire is to sync all the cloud created mail items (some DLs, shared mailboxes, etc) back into our on-prem AD. My (very un-)educated guess is that a sync would be less problematic than deleting the cloud items and trying to manually recreate all the items, rights & delivery attributes locally to be re-pushed back to our hosted mail system.