One-Way or Two-way Synchronization?
Some new admins get confused with Directory Synchronization. They think that the synchornization is two-ways, which means what you change in On-Premise will be updated to Office 365 and changes you make in Office 365 will be updated back to your AD. In reality, this is NOT the case. It is only ONE-WAY PUSH.
The Directory Synchronization Tool replicates objects from the local Active Directory into Office 365. For example, if you add a user to Active Directory, that user will appear in Office 365 at the next
synchronization interval. This allows the Global Address List for Office 365 to be populated with the full list of users in Active Directory. When Office 365 users search for names in Outlook, Outlook Web App, Lync Communicator, or another service that uses the Global Address List, they see additional details about the users they are searching for. In this way, Office 365 users have experiences almost identical to those of on-premises users. Users created by the Directory Synchronization Tool must be activated before they can sign into the service. Office 365 licenses are not automatically consumed when users are first created,
either after deploying directory synchronization or adding users to Active Directory when the Directory Synchronization tool is running.
When you add changes to Office 365, they are not moved into the local Active Directory by default. For example, if you validate a new domain in Office 365, that domain will not appear automatically in
your local Exchange environment. However, you can write (and update) a limited set of Active Directory attributes from Office 365 to the local Active Directory if the directory synchronization write-back feature is enabled. For more information, see the Write-Back Capabilities section in this document.
How Passwords in AD is synchronized?
This is usually a misconception that passwords from AD are always synchronized to Office 365. On the contrary, Passwords stored in Active Directory are NOT replicated to Office 365, and passwords created in Office 365 are not moved to Active Directory. When using Cloud Identities, you must manage Office 365 passwords in addition to local sign-in credentials. If you implement single sign-on with your deployment, you do not
need to manage Office 365 passwords.