I'm currently researching how to set up a banned password list in Active Directory. I'm doing this in a hybrid environment. Unfortunately, right now we're only licensed for Azure AD Free, which is cloud only -- syncing the banned password list is only available for Premium P1 or P2; I don't have the budget for those.
I would like to implement whatever password protection that I can. What happens if I turn on cloud based AD password protection, but don't sync the banned password list? Does this cause horrible headaches with user experience, or is it simply less secure?
The next article in the documentation you linked:
The DC Agent service needs to pull policy for the filters to be in sync. Naturally, the documentation says it must be running on all writable domain controllers.
Test password change on a DC. Banned passwords will not be allowed. Successful changes will not be synced to Azure AD.