Password Policies on Azure AD
Recently Microsoft added new password policy features to Azure AD Connect, and they kill off one of the last arguments for staying on ADFS or Azure Pass-Through Authentication.
The two new features that have been introduced into public preview are “Force password reset at logon” and “Enforce cloud password policy for synced users.”
According to Microsoft, the following password policies and complexity requirements in AAD, associated with an Office 365 tenant, apply to all users.
The Gaps
Until now there has been a gap: the “User must change password at next logon” attribute value could not be synchronized, so users could not be required to change their password when signing in to Microsoft cloud services, which in turn affects the logon process on a Windows 10 Azure AD Joined device.
Another issue is password policies: you have one defined in your Active Directory and another one specified in your Azure AD.
The two configurations should match, but the cloud password policy did not apply to synchronized users, making it difficult to enforce password expiration, because end users who only sign in on a Windows 10 Azure AD Joined device were never asked to change their password.
It makes no sense to enforce password expiration on users’ on-prem accounts, then sync them straight into Azure AD and have all of that go away.
The same goes for enforcing a temporary password the first time a user signs in or after a password reset by the helpdesk.
Configure Policies
The Azure AD policies “Force password reset at logon” and “Enforce cloud password policy for synced users” are configured from PowerShell with a few commands.
Enforce a Password Policy
Note: this will enforce a Password Policy for Cloud-Synced Accounts.
The following command disables Azure AD’s default behavior for synchronized users, which sets their cloud identity’s password policy to never expire. Connect first with Connect-MsolService, either from the Azure AD Connect server or from Azure Cloud Shell.
Set-MsolDirSyncFeature -feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
When asked to enable the feature, type Yes and confirm the execution.
Syncing a Temporary Password
To enable the “ForcePasswordResetOnLogonFeature,” you execute the following command on your Azure AD Connect server:
Set-ADSyncAADCompanyFeature -ForcePasswordResetOnLogonFeature $true
The Microsoft Docs seem to be a bit confused on this one: they suggest that in some scenarios you should run the following command:
Set-ADSyncAADCompanyFeature -ConnectorName "M365BSLAB01.onmicrosoft.com - AAD" -ForcePasswordResetOnLogonFeature $true
However, the “ConnectorName” parameter does not exist on this cmdlet; I tested this on the latest auto-updated version.
Tip: you can use the following command to determine the connector name:
(Get-ADSyncConnector | where{$_.ListName -eq "Windows Azure Active Directory (Microsoft)"}).Name
Warning: Forcing a user to change their password at the next logon requires a password change at the same time.
AD Connect will not pick up the force-password-change flag by itself; it is only synced as a supplement to a detected password change during password hash sync.
Change Password at Next Logon
If you plan to use this capability, it is highly recommended to enable Self-Service Password Reset (SSPR) and password writeback so that the user’s updated password is synced back to your Active Directory.
To enable this capability, you need to run the below PowerShell command from the Azure AD Connect server:
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
NOTE: if synchronized users need passwords that never expire, you will need to manually reassign the DisablePasswordExpiration value to PasswordPolicies after enabling this feature:
Set-AzureADUser -ObjectId <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
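The procedure above leaves two things to verify: that both features are actually on, and which synced accounts now fall under the cloud expiration policy. The following script is an added example, not code from the original post or from Microsoft. It assumes the MSOnline, AzureAD and ADSync modules are available (so it runs on the Azure AD Connect server after Connect-MsolService and Connect-AzureAD), that Get-ADSyncAADCompanyFeature exposes a ForcePasswordChangeOnLogOn property matching the parameter used above, and that the service-account UPNs in $ServiceAccountUpns are constructed placeholders you replace with your own.

```powershell
# Added example (not from the original post): verify the two password-policy features
# and re-apply "DisablePasswordExpiration" only to the synced accounts that must keep
# non-expiring passwords (typically service accounts).
# Assumes: MSOnline, AzureAD and ADSync modules loaded; Connect-MsolService and
# Connect-AzureAD already run; executed on the Azure AD Connect server.
param(
    # Constructed placeholder list of service accounts; replace with your own UPNs.
    [string[]]$ServiceAccountUpns = @('svc-backup@contoso.example', 'svc-scanner@contoso.example'),
    # Without -Apply the script only reports what it would change.
    [switch]$Apply
)

# 1. Tenant-side feature: the cloud password policy now applies to password-synced users.
$cloudPolicy = Get-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
"EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled: $($cloudPolicy.Enabled)"

# 2. Connector-side feature: "user must change password at next logon" is synced.
#    (Assumption: the property is named like the parameter, ForcePasswordChangeOnLogOn.)
$companyFeature = Get-ADSyncAADCompanyFeature
"ForcePasswordChangeOnLogOn enabled: $($companyFeature.ForcePasswordChangeOnLogOn)"

if (-not $cloudPolicy.Enabled) {
    Write-Warning 'Cloud password policy is not enforced for synced users; nothing to reconcile.'
    return
}

# 3. Every synced user without DisablePasswordExpiration is now subject to the tenant's
#    expiration policy. List them so service accounts are handled deliberately.
$syncedUsers = Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true }
$expiring = $syncedUsers | Where-Object { $_.PasswordPolicies -notmatch 'DisablePasswordExpiration' }
"Synced users whose passwords will now expire: $(@($expiring).Count)"

# 4. Re-apply the non-expiring policy only to the accounts explicitly listed above.
foreach ($user in $expiring) {
    if ($ServiceAccountUpns -contains $user.UserPrincipalName) {
        if ($Apply) {
            Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies 'DisablePasswordExpiration'
            "Re-applied DisablePasswordExpiration to $($user.UserPrincipalName)"
        }
        else {
            "Would re-apply DisablePasswordExpiration to $($user.UserPrincipalName) (run with -Apply)"
        }
    }
}
```

Run it once without -Apply to see the count of synced users that will start expiring and confirm the listed service accounts are the only ones you want exempted; the exemption is keyed on an explicit UPN list rather than a naming pattern so that a regular user account cannot slip into the never-expires set by accident.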
Some Warnings
Make sure you are aware of some warnings mentioned in the Microsoft Docs.
Setting a permanent password from the cloud – Users who sign in with their temporary password through a cloud service will be asked to select a permanent password. This is set in Azure AD but not written directly back to your on-prem AD, unless you have password writeback and self-service password reset (SSPR) enabled for your tenant.
Expired users – There is still the issue of accounts that have expired on-prem signing in to cloud services, even though IT has set the account expiration attribute on the on-prem account. If you don’t need user account expiration and simply disable terminated users, then you are golden: Azure AD Connect will sync the “disabled” state to Azure AD.
Service accounts – Service accounts will now have their passwords expire, which might be less than desirable.
Password policy misalignment – Your local password policy will NOT be synced to Azure AD. For example, if you have a local password policy that expires a user’s password after, let’s say, 120 days, and you never aligned the Azure AD policy to match it, the Azure AD policy will still be at its default of 90 days.
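The “expired users” and “password policy misalignment” warnings above can both be audited before enabling the feature. The script below is an added example, not part of the original post or the Microsoft Docs. It assumes the ActiveDirectory and MSOnline modules are loaded, that Connect-MsolService has been run, and that $VerifiedDomain is a constructed placeholder for one of your tenant’s verified domains; it reads the default domain policy only, so fine-grained password policies are not covered.

```powershell
# Added example (not from the original post): audit the two pitfalls named in the warnings.
#   a) Password policy misalignment: compare the on-prem MaxPasswordAge with the Azure AD
#      password validity period and, with -Apply, set the tenant policy to match.
#   b) Expired users: on-prem accounts whose expiration date has passed but that are still
#      enabled, because only the "disabled" state is synced to Azure AD, not expiration.
# Assumes: ActiveDirectory and MSOnline modules loaded; Connect-MsolService already run.
param(
    [string]$VerifiedDomain = 'contoso.example',   # constructed placeholder; replace
    [switch]$Apply                                 # report only unless -Apply is given
)

# a) On-prem default domain policy. MaxPasswordAge of 0 means "never expires".
$onPrem     = Get-ADDefaultDomainPasswordPolicy
$onPremDays = [int]$onPrem.MaxPasswordAge.TotalDays

# Azure AD tenant policy for the verified domain (defaults to 90 days, 14 days notice).
$cloud = Get-MsolPasswordPolicy -DomainName $VerifiedDomain
"On-prem MaxPasswordAge : $onPremDays days"
"Azure AD ValidityPeriod: $($cloud.ValidityPeriod) days (notification $($cloud.NotificationDays) days)"

if ($onPremDays -eq 0) {
    'On-prem passwords never expire; keep DisablePasswordExpiration on synced users instead of aligning.'
}
elseif ([int]$cloud.ValidityPeriod -ne $onPremDays) {
    Write-Warning "Policies are misaligned: synced users will expire after $($cloud.ValidityPeriod) days in the cloud."
    if ($Apply) {
        # NotificationDays must be smaller than ValidityPeriod, so clamp it for short lifetimes.
        $notify = [Math]::Min([int]$cloud.NotificationDays, $onPremDays - 1)
        Set-MsolPasswordPolicy -DomainName $VerifiedDomain -ValidityPeriod $onPremDays -NotificationDays $notify
        "Azure AD policy for $VerifiedDomain set to $onPremDays days (notification $notify days)."
    }
    else {
        "Run with -Apply to set the Azure AD ValidityPeriod to $onPremDays days."
    }
}

# b) Expired-but-enabled on-prem accounts: these still sign in to cloud services because
#    Azure AD Connect syncs the enabled/disabled state, not the expiration attribute.
$expiredEnabled = Search-ADAccount -AccountExpired -UsersOnly | Where-Object { $_.Enabled }
"Expired on-prem accounts that are still enabled: $(@($expiredEnabled).Count)"
$expiredEnabled | Select-Object SamAccountName, AccountExpirationDate

# Disabling is what actually propagates to Azure AD; do it only when -Apply is given.
if ($Apply -and $expiredEnabled) {
    $expiredEnabled | Disable-ADAccount
    'Disabled the expired accounts listed above; the disabled state will sync on the next cycle.'
}
```

Because aligning the validity period is a tenant-wide change and disabling accounts is irreversible from the user’s point of view, both actions sit behind the -Apply switch; the default run prints the comparison and the list of expired-but-enabled accounts so you can review them first.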
Very Well explained! Great job.
What aadconnect version is required?