MIMPAM MIMMonitor Disables Accounts
And how to stop it
When implementing MIMPAM in a Bastion forest model you may eventually notice that something is disabling users within your bastion forest. If you're lucky enough to have a SIEM you'll notice that the MIMMonitor account is doing it. Premier support channels will notify you this is a standard feature, and the only way to disable it is by disabling the other functionality of the MIM Monitor. This includes shadow principle syncing, provisioning users into groups during checkout, and checking role statuses. Obviously you don't want to do this, so instead...
Simply put a deny ACE on the ACL for the OU where your bastion users reside for the attribute ms-DS-User-Account-Disabled. You will need DA/EA equivalent access to do this under normal circumstances.