That earlier reply was from me, but I was having an issue with the way my name was being displayed so I deleted the comment and was coming back now to make the same comment now that Support fixed the display name.
The only issue we've had with this approach is that we're excluding almost 10,000 AD users, and so every time the AD Import runs we get 10,000 messages in the System Log that say: "Skipping import of user '<User>'. Expected required AD attribute: <Attribute>, (Okta attribute: <Attribute>) to not be null. Please consult with your Active Directory admin if you believe this user should be imported."
However, since we never use the System Log without filtering anyway, those messages can be ignored quite easily.