It has just been published (December 12th, 2017), a new potential security hole in Azure AD Connect (at least version 1.1.649.0, the advisory bulletin does not specify the impacted version(s)) which could leads the Azure AD Connect service account with insufficient restriction when Azure AD Connect automatically creates it.
See the advisory bulleting available at https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4056318 for more details and additional actions to lockdown the service.
You are also invited to upgrade to the latest version (1.1.654.0) from http://go.microsoft.com/fwlink/?LinkId=615771