You have a single Active Directory Domain Services (AD DS) domain operating at the Windows Server 2016 domain functional level. Account synchronization is configured between AD DS and your corporate Azure Active Directory (Azure AD) tenant. All user workstations run Windows 10 Enterprise Edition.
The support desk informs you that they regularly receive support requests from users who changed their Azure AD password and are no longer able to log onto the local AD DS domain.
You need to configure the environment to allow users to change their password either locally or in the cloud, and have the passwords remain in sync.
What should you do?
You should upgrade Azure AD to a premium pricing tier. Password writeback from Azure AD to AD DS requires the Azure AD Premium P1 or Premium P2 stock-keeping unit (SKU). Self-service password reset (SSPR) for cloud users is available in Azure AD Basic Edition, but Basic does not support writeback, so a password changed in the cloud never reaches the on-premises domain. That is exactly the symptom the support desk is seeing: synchronization carries on-premises password changes up to Azure AD, but nothing carries cloud changes back down without writeback. You upgrade your Azure AD edition by logging into the Office 365 Admin Center (portal.office.com) and clicking Purchase services in the navigation menu. The licence is a prerequisite, not the whole fix: once the SKU is in place you must also enable Password writeback under Optional features in Azure AD Connect, and the account Azure AD Connect uses against AD DS needs Reset Password permission plus write access to the pwdLastSet and lockoutTime attributes of the synchronized users.
You should not enable Azure AD conditional access. Conditional access lets you write policies that control which users can authenticate to Azure AD-connected applications and under what conditions (for example, from which locations or devices, or whether multi-factor authentication is required). It does not affect how a password set in Azure AD is propagated to AD DS, so it does not address password reset or writeback.
You should not configure Azure AD Join for all Windows 10 workstations. Windows 10 Enterprise Edition computers can be joined to Azure AD, which registers a device identity in the tenant and enables Microsoft Intune-based device management, but it does not change how user passwords flow between Azure AD and AD DS. You would still need to upgrade your Azure AD edition to meet the requirements.
You should not deploy Active Directory Federation Services (AD FS) in the local AD DS domain. AD FS provides claims-based, token-based federated authentication between identity providers and relying parties; it does not synchronize or write back passwords and is unrelated to the reported issue.
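The following PowerShell is an added example, not part of the original question or answer, that checks the two halves of the fix the answer describes: that the tenant actually holds a Premium P1 or P2 plan, and that password writeback is switched on in Azure AD Connect. It assumes (none of this is stated in the original) that the MSOnline module is installed on the administrator's workstation, that the ADSync module is present on the Azure AD Connect server, and that the Azure AD connector keeps its default name of the form "<tenant>.onmicrosoft.com - AAD".

```powershell
# Added example, not from the original page. Part 1 runs from an admin
# workstation with the MSOnline module; Part 2 runs on the Azure AD Connect
# server, where the ADSync module is installed with the product.
# Assumption: the Azure AD connector keeps its default " - AAD" name suffix.

#region Part 1: tenant-side checks
Import-Module MSOnline
Connect-MsolService          # prompts for a Global Administrator credential

function Test-AadPremiumLicense {
    # Returns $true when at least one purchased SKU carries an Azure AD Premium
    # service plan: AAD_PREMIUM is P1, AAD_PREMIUM_P2 is P2. The plan may be a
    # stand-alone SKU or part of a bundle, so inspect ServiceStatus, not only
    # the SKU name.
    $premium = Get-MsolAccountSku | Where-Object {
        $_.ServiceStatus | Where-Object {
            $_.ServicePlan.ServiceName -like 'AAD_PREMIUM*' -and
            $_.ProvisioningStatus -eq 'Success'
        }
    }
    foreach ($sku in $premium) {
        Write-Host ("Premium-capable SKU: {0} ({1} active, {2} consumed)" -f
            $sku.AccountSkuId, $sku.ActiveUnits, $sku.ConsumedUnits)
    }
    return [bool]$premium
}

function Test-TenantSsprState {
    # SSPR is a tenant-wide setting; the Premium licence only makes writeback
    # possible, it does not turn either feature on.
    $info = Get-MsolCompanyInformation
    Write-Host ("Directory sync enabled : {0}" -f $info.DirectorySynchronizationEnabled)
    Write-Host ("Password hash sync     : {0}" -f $info.PasswordSynchronizationEnabled)
    Write-Host ("Self-service reset     : {0}" -f $info.SelfServePasswordResetEnabled)
    return [bool]$info.SelfServePasswordResetEnabled
}

if (-not (Test-AadPremiumLicense)) {
    Write-Warning 'No Azure AD Premium P1/P2 plan found; writeback cannot be enabled until one is purchased and assigned.'
}
if (-not (Test-TenantSsprState)) {
    Write-Warning 'SSPR is off for the tenant; enable it under Azure AD > Password reset before testing writeback.'
}
#endregion

#region Part 2: Azure AD Connect server
Import-Module ADSync

function Enable-PasswordWritebackOnConnector {
    param([switch]$WhatIf)

    # Locate the Azure AD connector (assumption: default naming kept).
    $aad = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
    if (-not $aad) { throw 'Azure AD connector not found; is this the Azure AD Connect server?' }

    $before = Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name
    Write-Host ("Writeback on '{0}' before: {1}" -f $aad.Name, $before.Enabled)

    if (-not $before.Enabled -and -not $WhatIf) {
        # Same effect as ticking "Password writeback" under Optional features
        # in the Azure AD Connect wizard.
        Set-ADSyncAADPasswordResetConfiguration -Connector $aad.Name -Enable $true
    }

    $after = Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name
    Write-Host ("Writeback on '{0}' after : {1}" -f $aad.Name, $after.Enabled)
    return [bool]$after.Enabled
}

# The on-premises connector account performs the actual reset in AD DS, so it
# needs Reset Password plus write access to pwdLastSet and lockoutTime on the
# synchronized user objects. Print it so the ACL can be verified in AD DS.
Get-ADSyncADConnectorAccount |
    Format-Table ADConnectorName, ADConnectorAccountDomain, ADConnectorAccountName

Enable-PasswordWritebackOnConnector
# Writeback is serviced by the synchronization service, which must be running.
Get-Service ADSync | Select-Object Name, Status
#endregion
```

Run Part 1 first; if it reports no Premium plan, Part 2 will still flip the connector setting, but Azure AD will refuse to write passwords back until the licence is present. After both parts succeed, have a test user change their password at the Azure AD sign-in page and confirm the new password works against the on-premises domain.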