Active Directory account lockouts which are originating from an Active Roles server could possibly be linked to hard-coded credentials which need to be updated.
Within an Active Roles configuration, there are only a limited number of places where a credential may be stored:
If stopping Active Roles services stops the lockouts, it is related to a configuration within Active Roles. Otherwise, it may be a Windows Scheduled Task and/or an external script.
In the Active Roles Console, navigate to Configuration/Server Configuration/Managed Domains and check the General properties tab of each managed domain.
In the Active Roles Console, navigate to Configuration and click on the Server Configuration container, then open the Mail Configuration container. Check the Mail Setup tab on the properties of each mail configuration.
In the Active Roles Console, check on the Active Roles root and then select Diagnostics in the centre pane, then click on View or change diagnostic settings. On the Diagnostics tab, click the button to Export Active Roles system summary and save the .zip file to a known location. Inside the .zip file is an XML file. Search this XML for any references to the account of interest. If found, the reference will be within a script module with a DN reference to the target script. Find and edit the necessary script using the Active Roles Console.
In the Active Roles Web Interface, navigate to Directory Services | Azure | Azure Configuration | Azure Tenants and click on the name of the tenant to confirm the Azure Service Account in use. Check the box next to the Tenant and choose the option to Update Azure Admin Password.
Manually check all Automation Workflows and all instances of the O365 script execution configuration Automation Workflow activity.