I'm currently researching how to set up a banned password list in Active Directory. I'm doing this in a hybrid environment. Unfortunately, right now we're only licensed for Azure AD Free, which is cloud only -- syncing the banned password list is only available for Premium P1 or P2; I don't have the budget for those.
I would like to implement whatever password protection I can. What happens if I turn on cloud-based AD password protection, but don't sync the banned password list? Does this cause horrible headaches with user experience, or is it simply less secure?