Password synchronization

If you use express settings in the Azure AD Connect setup, password hash synchronization is enabled by default. This allows users to authenticate to cloud-based workloads with the same password they use against the on-premises AD. It simplifies the sign-in experience and reduces helpdesk involvement, since there is only one password to forget and reset.

As we discussed in Chapter 15, Active Directory Security Best Practices, AD does not store passwords in clear text. It stores the NT hash, an unsalted MD4 digest of the UTF-16LE-encoded password, and a hash cannot be reversed to recover the original password (it can, however, be guessed offline if the password is weak, which is why the hashes themselves must be protected). There is a misunderstanding about this, as some people think Azure AD password sync sends clear text passwords; it does not. Every two minutes, the password hash synchronization agent on the Azure AD Connect server retrieves password hashes from the on-premises AD and syncs them to Azure AD on a per-user basis in chronological order. The transfer also involves an encryption and decryption step that adds extra protection: the domain controller encrypts the hash with a key derived from the RPC session key before handing it to the agent, the agent decrypts it, then salts it with a per-user salt and re-hashes it with 1000 iterations of PBKDF2 using HMAC-SHA256. What reaches Azure AD is therefore not the NT hash itself, so it cannot be replayed in a pass-the-hash attack against the on-premises domain. In the event of a password change, the new hash syncs to Azure AD on the next password sync interval; in a healthy environment, the maximum delay is two minutes.
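The following Python is an added illustration of the two hashes described above; it is not code from this book or from Microsoft. It assumes a pure-Python MD4 (hashlib's MD4 is often disabled in OpenSSL 3 builds), a 10-byte per-user salt, and that the 32-character hex form of the NT hash is fed to PBKDF2 as UTF-16LE (Microsoft documents the salt, the iteration count and the PRF, but not the exact byte encoding, so that detail is this example's assumption). The sample passwords and salts are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), spelled out only because the on-premises
    NT hash is MD4-based and hashlib may not offer md4."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, _rotl(a + func(b, c, d) + w[idx] + k, shifts[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """What AD stores in unicodePwd: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def derive_cloud_hash(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Models the documented PHS transform: 32-hex-char NT hash, per-user salt,
    1000 iterations of PBKDF2-HMAC-SHA256. UTF-16LE of the lowercase hex is an
    assumption of this example, not a documented detail."""
    return hashlib.pbkdf2_hmac("sha256", nt.hex().encode("utf-16le"), salt, iterations, dklen=32)


def verify_cloud(password: str, salt: bytes, stored: bytes) -> bool:
    """A cloud-side check succeeds without the clear-text password or the
    NT hash ever being stored in the cloud."""
    return hmac.compare_digest(derive_cloud_hash(nt_hash(password), salt), stored)


def crack_nt_hash(target_hex: str, candidates):
    """The caveat: an unsalted NT hash can be guessed offline. Returns the
    first candidate whose NT hash matches, else None."""
    for cand in candidates:
        if nt_hash(cand).hex() == target_hex.lower():
            return cand
    return None


def demo():
    # Constructed sample: two users who chose the same weak password.
    pw = "password"
    nt = nt_hash(pw)
    salt_alice, salt_bob = os.urandom(10), os.urandom(10)  # per-user salts (assumed 10 bytes)
    cloud_alice = derive_cloud_hash(nt, salt_alice)
    cloud_bob = derive_cloud_hash(nt, salt_bob)
    return {
        "nt_hash": nt.hex(),                               # identical for both users: unsalted
        "same_cloud_hash": cloud_alice == cloud_bob,       # False: per-user salt breaks correlation
        "verify_alice": verify_cloud(pw, salt_alice, cloud_alice),
        "guessed": crack_nt_hash(nt.hex(), ["letmein", "Summer2024", "password"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to take from running it: the NT hash for a given password is the same for every user and every domain, which is what makes it both replayable (pass-the-hash) and guessable offline, whereas the salted, iterated value that is synced differs per user and is not usable against the on-premises domain.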

If the password is changed while the user has an open session, the new password takes effect on the next Azure AD authentication attempt. It will not log the user out of the existing session, and tokens already issued remain valid until they expire. Also, password synchronization does not mean SSO: users still have to enter their corporate login details to authenticate to Azure services, unless a separate SSO feature such as Azure AD Seamless SSO is configured.
