It is becoming easier to manage user risk in hybrid environments with Entra ID Protection (formerly known as Azure AD Identity Protection).
Indeed, a user risk policy requires a password change when the user is identified as at risk. However, Entra ID Protection signals did not detect the password change when it was performed in Active Directory.
This situation left risky users in a blocked state, as they could not self-remediate their risk state.
Good news: you can now enable detection of on-premises (Active Directory) password changes for Entra ID Protection signals.
It requires that you have enabled password hash synchronization in Azure AD Connect.
The corresponding setting, Allow on-premises password change to reset user risk, is available from the Identity Protection\Settings blade.
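Before relying on the new setting, it is worth confirming the prerequisite it depends on (password hash synchronization) and seeing which users are currently stuck in the at-risk state. The following PowerShell is an added example, not part of the original post and not Microsoft code; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has the `IdentityRiskyUser.Read.All` and `OnPremDirectorySynchronization.Read.All` permissions, and that the tenant uses Azure AD Connect.

```powershell
# Added example: check the password hash sync prerequisite and list at-risk users.
# Assumes Microsoft.Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest).
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.Read.All','IdentityRiskyUser.Read.All' -NoWelcome

# 1. Password hash synchronization must be enabled in Azure AD Connect for
#    on-premises password changes to be visible to Entra ID Protection.
$sync = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization'
$phsEnabled = $false
foreach ($cfg in $sync.value) {
    if ($cfg.features.passwordSyncEnabled -eq $true) { $phsEnabled = $true }
}
if ($phsEnabled) {
    Write-Host 'Password hash synchronization: enabled (prerequisite met).'
} else {
    Write-Warning 'Password hash synchronization is NOT enabled; on-premises password changes will not reset user risk.'
}

# 2. Users currently flagged at risk; these are the ones a user risk policy
#    would block until the risk is remediated by a password change.
$uri = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?`$filter=riskState eq 'atRisk'"
$risky = Invoke-MgGraphRequest -Method GET -Uri $uri
$risky.value |
    Select-Object userPrincipalName, riskLevel, riskState, riskLastUpdatedDateTime |
    Sort-Object riskLastUpdatedDateTime -Descending |
    Format-Table -AutoSize
```

After enabling Allow on-premises password change to reset user risk and having an affected user change their password in Active Directory, re-running the second query should show that user's `riskState` move away from `atRisk` once the synchronized password change is processed.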