Hey folks, Eric Woodruff here – Customer Engineer still living and breathing in the world of Azure Active Directory.
Today we are going to dive into the specifics of how user accounts in Active...
Updated Apr 15, 2021
Version 3.0
Blog Post
SteveTH - You are correct, if PHS is enabled, the Active Directory password will overwrite the password within Azure AD.
I have not had a chance to explore this yet, but within the latest version of Azure AD Connect we started to offer methods for selective filtering of password hash sync, which I link to below. But I would be curious if it's just from an understanding perspective or if you have a use case for wanting to exclude a user from PHS that is being synchronized from Active Directory... I could see it getting confusing to have a mixed user base where the user is seemingly sourced from on-premises, but their password is not and/or why we would want the user to effectively have two passwords that are disparate, at least if PHS is being used as the means for authentication in Azure AD.
Selective Password Hash Synchronization for Azure AD Connect | Microsoft Docs