Password source for Azure AD synchronization

Q. When I synchronize passwords to Azure AD what is the source for the passwords?

A. When synchronizing to Azure AD from on-premises one option is to synchronize the passwords to Azure AD. The source for the passwords is a domain controller local to the site of the synchronization management agent on-premises. When dealing with passwords there may be remote sites that only synchronize every few hours and its important that passwords are synchronized to Azure AD as frequently as possible.

It's important to understand how passwords are replicated when they are modified on-premises. When a password is changed, the DC that receives the password change pushes the password change to the PDC FSMO. The benefit of this is that that when a user logs in, if the DC that is performing the authentication has a different password than the one given by the user before the authentication is failed, the DC first contacts the PDC FSMO to check if a newer password is on the PDC. If there is a newer password then the password is replicated to the authenticating DC enabling the authentication with the updated password.

This means that if you want to ensure the most recent passwords are replicated to Azure AD, place the on-premises replication agent in the same AD site as the PDC FSMO (because all DCs in a site replicate near instantly so when the PDC receives an updated password it would replicate to all the other DCs in the same site very quickly). Another option would be to specify a preferred DC for the synchronization agent during installation.

Note that is password write-back is enabled from Azure AD then the PDC FSMO is targeted.