When users change their passwords of their on-premise AD account, these changes are not replicated to Office365 (Azure AD). In the event log of the server running AD Sync, event 611 is logged:
To resolve the issue, a registry setting has to be changed on the server running AD Sync, followed by a reboot:
Certain configuration changes, such as changing rules or "containers" (= OUs) also results in the passwords (of the new OUs) not being synced properly. In this case, you need to force a full password sync, followed by a full sync (DirectorySyncClientCmd.exe initial).