Azure AD Connect version 1.1.647.0 was released recently, and its release notes mention that earlier versions erroneously left Password synchronization enabled in the Configure synchronization options window if the admin had enabled Pass-through authentication in the Change user sign-in window. PTA (Pass-through authentication) means that, instead of regularly syncing your users' password hashes from your local AD to Azure AD so that they can authenticate to Office 365 apps and services, each sign-in attempt is forwarded to the AD Connect agent, which validates the credentials against your local AD. So in that case no passwords (or hashes of password hashes, as MS describes them) are stored outside your network in the cloud. This lets you avoid the complex setup of ADFS and get the same functionality with a simple AD Connect service. In theory...
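The quickest way to see which state a given AD Connect server is actually in, without clicking through the wizard, is to ask the ADSync PowerShell module that ships with Azure AD Connect. The snippet below is an added example, not part of the original post: it reports the tenant-level Password Hash Sync feature flag and the per-connector password sync setting for every on-premises AD connector. It assumes it is run on the AD Connect server itself, that the ADSync module is present, and that the property names `PasswordHashSync`, `ConnectorTypeName` and `Enabled` are as returned by the cmdlets (they are in the versions I have used, but verify on yours).

```powershell
# Added example, not from the original post.
# Run on the Azure AD Connect server; the ADSync module is installed with AD Connect.
Import-Module ADSync

# Tenant-level feature flags. PasswordHashSync is the switch the wizard's
# "Password synchronization" checkbox toggles (property name assumed).
$features = Get-ADSyncAADCompanyFeature
"Tenant PasswordHashSync feature enabled: $($features.PasswordHashSync)"

# Per-connector setting: each on-premises AD connector has its own
# password sync configuration. ConnectorTypeName 'AD' marks AD connectors
# (value assumed; check Get-ADSyncConnector output if it differs).
Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    ForEach-Object {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $_.Name
        "Connector '{0}': password sync enabled = {1}" -f $_.Name, $cfg.Enabled
    }
```

If the tenant flag and the connector setting disagree, the wizard state and what the sync engine actually does have drifted apart, which is exactly the situation the release notes describe for versions before 1.1.647.0; rerunning the wizard and re-saving the sign-in method brings them back into line.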
After reading those notes I went to check my configuration. We had been using PTA for quite some time (6 or so months). It was working as intended. If a user changed his password, he wouldn't have to wait 30 minutes for the change to be synced to Azure AD; when authenticating, it instantly queried our local AD for the current password. On the downside, you wouldn't be able to authenticate if the AD Connect service was down or the network containing local AD and AD Connect was cut off from the internet. We acknowledged this and decided we could live with this risk. Using PTA is so much more convenient.

Now, when I went to synchronization options, I indeed found that Password synchronization was still enabled. So I disabled it and did a few tests with the Office portal, email, Skype etc. Everything seemed to work fine.

Until a few days later, when my colleague had to set up a new user. When trying to log in to the Skype for Business client for the first time, it gave the "wrong username, password, domain" error. At first we thought there was something wrong with that user and tried many things, until I tried this with another new user and got the same result. Then it dawned on me that maybe PWS (password sync) was to blame. And it was. After enabling it again, Skype was able to log in just fine.

So it seems that one can't really get rid of Password synchronization. PTA has only recently been promoted from a Preview feature to a final one. I guess MS still has some kinks to work out. Or maybe the Skype team is to blame. We are on one of the October versions of Office 365 (2016), mid-October most probably.