The newest approach is the Pass-through Authentication (PTA) mechanism. It does not require saving the passwords in the cloud. As there is an option to have more than one PTA agent, it is highly available out of the box, without any additional resources:

PTA is designed to work with a queuing mechanism. Each authentication request is queued in the cloud. Each server that is running the PTA agent connects from the on-premises network to the cloud, looking for authentication requests. It takes the next one in the queue and authenticates the request in the on-premises environment by returning the directory response to Azure, in order to complete the sign-in process.

From a user perspective, this technology is as easy as synchronizing password hashes to the cloud, but with the security enhancement that the authentication stays on-premises.