First, you should know that Windows Server Active Directory wasn’t designed to manage web-based services.
Azure Active Directory, on the other hand, it was designed to support web-based services that use REST (REpresentational State Transfer) API interfaces for Office 365, Salesforce.com DropBox, and Google Apps etc. Unlike plain Active Directory, it uses completely different protocols (Goodbye, Kerberos, and NTLM) that work with these services–protocols such as SAML and OAuth 2.0. In a hybrid environment, it can also be integrated with existing on-prem resources to give organizations the manage access to cloud-based applications through their on-prem environment.
For organizations ready to integrate their on-premises AD structure with Azure Active Directory, Azure Active Directory Connect provides an automatic synchronization mechanism. Syncing user accounts across your local Active Directory and Azure Active Directory, users can use a unified set of credentials to access Office 365 and local network resources. If you have a hybrid environment, you can use AD Connect to sync your on-prem AD to Azure, and AD Sync to keep those directories in sync, all with a single sign-on.
For an extra layer of security, Azure Active Directory also offers native support for (MFA) multi-factor authentication when it comes to accessing your applications. This support is an additional (but small) cost.
This requires a deep understanding of the local Active Directory group and permissions configuration, which in many organizations has gradually become so complicated with overlapping permissions, old user accounts and unnecessary roles that it’s all but impossible to move forward with Azure AD Connect.