Do you have Entra ID Password Hash Synchronization activated?

Last updated by Rob Thomlinson [SSW] 4 months ago.

Microsoft Entra ID (formerly Azure Active Directory) Password Hash Synchronization (PHS) is one of the methods you can use to sync your identities to the cloud, alongside Pass-through Authentication (PTA) and Federation with AD FS. If you have a hybrid identity in place with Entra ID, chances are you are already synchronizing password hashes to the cloud with Microsoft Entra Connect (formerly Azure AD Connect).

Entra ID PHS synchronizes the passwords in your on-premises Active Directory with Entra ID so you can use your on-premises password to log in to cloud services like Azure or Office 365. It also lets you implement Seamless Sign-On for domain-joined machines, so users don't need to log in twice when, for example, opening their emails in a browser.

Entra ID PHS also allows you to run an absolutely lean infrastructure on-premises: the only moving part needed is Entra Connect, installed on a member server or Domain Controller. No agents or internet-facing machines are necessary.

The web requests don't even reach your server; they are served by Microsoft's large pool of servers around the globe!

Figure: Good Example – Entra ID PHS infrastructure workflow

You can check out a deep dive on Entra ID PHS in the official Microsoft documentation: "What is password hash synchronization with Microsoft Entra ID?"
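To actually answer the question in this rule's title, check the Entra Connect server itself. The script below is an added example (not part of the SSW rule and not Microsoft's code): it uses the ADSync PowerShell module that Entra Connect installs to read the tenant-level PHS feature flag, the per-forest password sync channel, and the scheduler state, and it counts the recent password change request/result events (IDs 656 and 657) that Entra Connect writes to the Application log so you can tell a channel that is configured from one that is actually moving hashes. The function name `Test-EntraPhsStatus` and the two-hour lookback default are our own choices.

```powershell
# Added example: run on the Microsoft Entra Connect server in an elevated PowerShell session.
# Requires the ADSync module that ships with Entra Connect. Function name is our own.
Import-Module ADSync

function Test-EntraPhsStatus {
    [CmdletBinding()]
    param (
        # How far back to look in the Application log for PHS activity (our default, adjust as needed)
        [int]$LookbackHours = 2
    )

    # Entra Connect has one AAD connector and one connector per on-premises forest
    $connectors   = Get-ADSyncConnector
    $adConnectors = $connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' }

    # Tenant-level feature flags as Entra Connect recorded them when it was configured
    $features = Get-ADSyncAADCompanyFeature

    $result = [ordered]@{
        TenantPasswordHashSync = [bool]$features.PasswordHashSync
        SyncSchedulerEnabled   = (Get-ADSyncScheduler).SyncCycleEnabled
        Connectors             = @()
        RecentPasswordEvents   = 0
    }

    # PHS is per forest: the password sync channel must be enabled for every AD connector
    foreach ($c in $adConnectors) {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
        $result.Connectors += [pscustomobject]@{
            Connector = $c.Name
            Enabled   = [bool]$cfg.Enabled
        }
    }

    # 656 = password change request, 657 = password change result. Seeing these recently
    # proves hashes are flowing, not just that the feature is switched on.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Id           = 656, 657
        StartTime    = $since
    } -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches; treat that as zero
    $result.RecentPasswordEvents = @($events).Count

    [pscustomobject]$result
}

# Usage: print the status and warn on anything that means PHS is not really active
$status = Test-EntraPhsStatus
$status | Format-List

if (-not $status.TenantPasswordHashSync) {
    Write-Warning 'Password Hash Synchronization is not enabled for this tenant.'
}
if (-not $status.SyncSchedulerEnabled) {
    Write-Warning 'The Entra Connect sync scheduler is disabled; no changes will be synchronized.'
}
foreach ($c in $status.Connectors) {
    if (-not $c.Enabled) {
        Write-Warning "Password sync channel is disabled for connector '$($c.Connector)'."
    }
}
if ($status.TenantPasswordHashSync -and $status.RecentPasswordEvents -eq 0) {
    Write-Warning 'PHS is configured but no password sync events were logged in the lookback window.'
}
```

All four checks should be green on a healthy deployment. A tenant flag of `True` with a disabled connector channel is the classic half-configured state: users in that forest cannot sign in to the cloud with their on-premises password even though the portal says PHS is on.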

Kaique Biancatti