K B (United States of America) asked:
AZURE ADDS & 365: How to selectively sync passwords

I have a client that would like to use Azure Active Directory Domain Services (Azure ADDS) AND Office 365.

The problem I see:

1. For Office 365: AD Connect would sync 5,000 users to Office 365 (SSO with ADFS or PING or OKTA)
2. This would populate the Azure directory that would be used for Azure ADDS
3. Azure ADDS requires Password Hash Sync set in AD Connect for Kerberos authentication
4. Client doesn't want 5,000 users to all have Passwords in the Azure ADDS domain (where SID histories are synced from On Premise)

Can I selectively enable Password Sync for select users - by attribute perhaps - in AD Connect?
OR is there some way to limit the Azure ADDS instance to a subset of users?

I would set up a separate tenant for just Azure but "The Azure AD Connect sync servers must be configured for filtering so each have a mutually exclusive set of objects to operate on". So the users in Azure ADDS would not be synced to Office 365 and that would be bad.

I recognize it is only supported to have a 1:1 relationship between Forests and AD Connect Servers.

Thank you!
ASKER CERTIFIED SOLUTION
Cliff Galiher (United States of America)
K B (asker):
Is there any supported way around not using AADConnect for Office 365 hybrid?
Cliff Galiher: No. Unfortunately not; like I said, your selection of products has limited your options.
K B (asker):
Thank you again Cliff!