When users change their passwords of their on-premise AD account, these changes are not replicated to Office365 (Azure AD). In the event log of the server running AD Sync, event 611 is logged:

Event ID 611

Password synchronization failed for domain: constoso.com.

Details:
System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.

To resolve the issue, a registry setting has to be changed on the server running AD Sync, followed by a reboot:

1. On the server running AD Sync, open regedit.
2. Navigate to the key:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ldap
3. Set the value of LdapClientIntegrity to 0.
4. Restart the server.
5. After the restart, trigger a new sync by manually running the task scheduler or by running the directory synchronization command DirectorySyncClientCmd.exe. A full sync is not required.

Configuration changes

Certain configuration changes, such as changing rules or "containers" (= OUs) also results in the passwords (of the new OUs) not being synced properly. In this case, you need to force a full password sync, followed by a full sync (DirectorySyncClientCmd.exe initial).