0
votes

If we do on-premises AD sync with Azure Active Directory using Azure AD Connect (DirSync) and do not select password synchronization, then

how will the user log in to Office 365?

what will the credentials for the user be?


2 Answers

0
votes

If you don't use Password Synchronization, Azure AD cannot authenticate the user by itself.

In this scenario, you would have an Active Directory Federation Services (AD FS) server that does the final authentication.

Users will go to the login page and enter their username. They will then be redirected to your AD FS login page. After successful authentication, they will be redirected back to Azure AD, which will redirect them to the app they were signing in to (O365, for example).

The users will use the username that they get in Azure AD, which should be the same as the on-prem one.

Documentation: Azure AD Connect and federation


Another option would be to use Pass-through Authentication: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication.

This would have the users log in with their credentials on the Azure AD login page, and Azure AD would check the credentials against your on-prem AD in the background, without redirecting the user to AD FS.
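To check which of the sign-in paths described in this answer a tenant is actually on, the following PowerShell is an added example (not code from the answer or from Microsoft's documentation). It assumes the ADSync module is available on the Azure AD Connect server, the MSOnline module elsewhere, a verified domain `contoso.com`, and a synced user `jdoe@contoso.com`; all three names are placeholders.

```powershell
# Added example: confirm how Azure AD will validate a sign-in when password hash sync is off.
# Assumed names: domain contoso.com, synced user jdoe@contoso.com.
Import-Module ADSync      # present only on the Azure AD Connect server
Import-Module MSOnline

# 1. Is password hash sync really disabled in Azure AD Connect?
$features = Get-ADSyncAADCompanyFeature
if ($features.PasswordHashSync) {
    Write-Host "Password hash sync is ON: Azure AD can validate the password itself."
} else {
    Write-Host "Password hash sync is OFF: sign-in must be federated (AD FS) or pass-through."
}

Connect-MsolService   # interactive sign-in as a tenant admin

# 2. Tenant-side view of the same setting plus sync health
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, PasswordSynchronizationEnabled, LastDirSyncTime

# 3. Federated domains redirect the browser to AD FS; Managed domains are validated in
#    Azure AD (password hash sync) or forwarded to on-prem pass-through authentication agents.
#    Failure mode to watch for: PHS off + Managed domain + no PTA agents = nobody can sign in.
$domain = Get-MsolDomain -DomainName 'contoso.com'
switch ($domain.Authentication) {
    'Federated' {
        $fed = Get-MsolDomainFederationSettings -DomainName 'contoso.com'
        Write-Host "Federated domain: users are sent to $($fed.PassiveLogOnUri) (brand '$($fed.FederationBrandName)')"
    }
    'Managed' {
        Write-Host "Managed domain: Azure AD validates the password (PHS) or hands it to PTA agents."
        if (-not $features.PasswordHashSync) {
            Write-Warning "PHS is off on a Managed domain: verify pass-through authentication agents are registered, or sign-in will fail."
        }
    }
}

# 4. The credential the user types is the synced UPN; confirm it exists in the tenant
Get-MsolUser -UserPrincipalName 'jdoe@contoso.com' |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

Pass-through authentication agent status is not exposed by these MSOnline cmdlets; check it in the Azure AD Connect blade of the portal after step 3 reports a Managed domain.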

0
votes

Users do not need to change their credentials after they are synced to Azure AD. During AAD sync, we commonly choose to sync users' UPN and ObjectID to Azure AD as shown below; if Password Synchronization has not been enabled, no user passwords will be synced to the cloud.


After you complete creating the Relying Party Trust for Office 365/Azure AD, the default Issuance Transform Rules shown below will send a security token that includes the user's UPN to Office 365/Azure AD during login. If the UPN matches the one previously synced to Azure AD, the user will be allowed to log in to the portal using the UPN defined in AD.

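The two facts this answer relies on, that the AD FS token carries a UPN claim and that Azure AD can match it to the synced object, can be verified with the following PowerShell. It is an added example, not the answer's own code or screenshot. It assumes the relying party trust has the default name `Microsoft Office 365 Identity Platform`, an on-prem user `jdoe` in `contoso.com`, and that objectGUID is the sourceAnchor (if ms-DS-ConsistencyGuid is the anchor, compare that attribute instead); the names are placeholders.

```powershell
# Added example: inspect the Office 365 relying party trust on the AD FS server and
# confirm the identifiers Azure AD will match against the synced user.
# Assumed: RPT name 'Microsoft Office 365 Identity Platform', user jdoe, sourceAnchor = objectGUID.
Import-Module ADFS
Import-Module ActiveDirectory
Import-Module MSOnline

$rpt = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
Write-Host "Issuance transform rules:`n$($rpt.IssuanceTransformRules)"

# The claim types Azure AD expects in the token: UPN (what the user signs in as) and
# ImmutableID (ties the token to the synced object regardless of UPN changes).
$requiredClaims = @(
    'http://schemas.xmlsoap.org/claims/UPN',
    'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'
)
foreach ($claim in $requiredClaims) {
    if ($rpt.IssuanceTransformRules -notmatch [regex]::Escape($claim)) {
        Write-Warning "No issuance rule emits $claim; Azure AD will not be able to match the token to a synced user."
    }
}

# On-prem identifiers for the user. ImmutableId in Azure AD is the base64 form of the
# sourceAnchor bytes, so we can compute what the cloud object should hold.
$adUser = Get-ADUser -Identity 'jdoe' -Properties userPrincipalName, objectGUID
$expectedImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

Connect-MsolService
$cloudUser = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName -ErrorAction SilentlyContinue

if (-not $cloudUser) {
    Write-Warning "No Azure AD user with UPN $($adUser.UserPrincipalName): the UPN in the token will not match anything."
} elseif ($cloudUser.ImmutableId -ne $expectedImmutableId) {
    Write-Warning "ImmutableId mismatch: cloud '$($cloudUser.ImmutableId)' vs on-prem '$expectedImmutableId'."
} else {
    Write-Host "UPN and ImmutableId for $($adUser.UserPrincipalName) match; federated sign-in should resolve to this object."
}
```

The UPN suffix also has to be a verified, federated domain in the tenant; a user whose on-prem UPN ends in a non-routable suffix such as `.local` will fail the match even when the rules above are correct, which is the usual reason for adding a public UPN suffix before running the sync.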