Managing Active Directory identities from the Office 365 cloud is not that complicated, but it's a difficult leap for some admins used to handling their own identity management on-premises through Active Directory for the past 15 years or so. They find it difficult to imagine having that management occur elsewhere, fearing a loss of control.
But moving to Office 365 for Active Directory administration is not an all-or-nothing proposition. There are three paths you can take.
1. Go all-cloud via Azure Active Directory
Let's say you have a new company looking to use Office 365 for all its communication and collaboration needs. You've never set up Active Directory or on-premises servers -- and you'd like to keep it that way. In that case, put your users in Office 365 only, using Azure Active Directory to manage them.
2. Sync on-premises Active Directory with the cloud
If you have on-premises Active Directory, you can start with synchronized identity between your on-premises directory and Azure Active Directory. With directory synchronization, you continue to do the management on-premises, and the changes you make to user accounts are synced to Azure Active Directory in the cloud. With this method you can sync password hashes too, but users will still have to sign in to Office 365 separately -- you get password sync but not single sign-on.
3. Federate identities between on-premises and the cloud for single sign-on
If you want SSO, you can get it -- via federated identities. What's interesting about this option is that the password hash doesn't have to be synchronized to Azure Active Directory at all. Instead, the password is verified by the on-premises Active Directory server, and either Active Directory Federation Services (ADFS) or a third-party tool then grants SSO access to Office 365 (and other supported SaaS applications) on the strength of that verification.
Although ADFS is included with Office 365, you might want a third-party service instead. (Microsoft publishes a list of federated-identity providers, which include Centrify, Okta, and CA Secure Cloud.)
One reason to look beyond Microsoft: Active Directory Federation Services requires time and effort for its hardware and software configuration; several server roles must be set up (the Federation Service, the Federation Service Proxy, and the Web server agent). It's real work to set up multiple servers and get the SSL certificates in place. Then there's the time and cost of setting up redundant servers for high availability. Finally, once the ADFS trust is established, you have to determine claims rules for each supported cloud application.
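As an added example (not from the original article), here is what one of those claims rules looks like for the Office 365 relying party trust: it maps the on-premises account to the UPN and ImmutableID claims that Azure Active Directory uses to match the federated user. It assumes the ADFS PowerShell module is available on the federation server and that the trust carries the default name "Microsoft Office 365 Identity Platform".

```powershell
# Added example: the issuance transform rule ADFS uses for the Office 365
# relying party trust. Azure AD matches a federated sign-in on two claims:
#   UPN          - the user's on-premises userPrincipalName
#   ImmutableID  - the objectGUID, which survives renames and UPN changes
# The rule looks both up in Active Directory, keyed on the Windows account
# name the user authenticated with (DOMAIN\user is reduced to user).
$o365Rules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Issue UPN and ImmutableID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
'@

# Assumed: the default trust name created when the domain is federated.
$rpt = "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetName $rpt -IssuanceTransformRules $o365Rules

# Review what the trust now issues; every other cloud application you
# federate gets its own relying party trust and its own rule set.
(Get-AdfsRelyingPartyTrust -Name $rpt).IssuanceTransformRules
```

Reviewing the issued claims this way is also the quickest check that a trust does not release more attributes than the application needs.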
If you use a third-party federated-identity service, much of that work is done for you. For one thing, the providers have catalogs of preconfigured SaaS applications already set up; you don't have to stress about making each connection. You also don't have to install additional on-premises servers and services (or worry about their availability).