When the Azure AD Connect (not cloud sync) tool is used to synchronise passwords with Azure AD, Samba returns blank password values because the user is not a domain administrator or DC. We should honour the GET_ALL_CHANGES right instead of using a crude filter based on the user account "security level".
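The difference between the two access decisions, as an added example (not Samba's code, and not part of the original report): an ordered DACL walk for the DS-Replication-Get-Changes-All control access right beside a simplified level-based filter. The SDDL string, the SIDs, and the `level_filter_allows` model are constructed assumptions; only the two replication-right GUIDs are real well-known values.

```python
import re

# DS-Replication-Get-Changes-All control access right (well-known GUID).
GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
D = "S-1-5-21-1-2-3"  # constructed domain SID

# Constructed security descriptor for the domain NC root (DACL only).
SAMPLE_SDDL = (
    f"O:{D}-512G:{D}-512D:"
    f"(OD;;CR;{GET_ALL_CHANGES};;{D}-1107)"                     # explicit deny
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{D}-1105)"  # Get-Changes
    f"(OA;;CR;{GET_ALL_CHANGES};;{D}-1105)"                     # sync account
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{D}-1106)"  # Get-Changes only
    f"(A;;RPWPCR;;;{D}-512)"                                    # Domain Admins
)

# type;flags;rights;object_guid;inherit_object_guid;trustee_sid
ACE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

def has_control_access(rights):
    """True if the SDDL rights field includes CR (control access, 0x100)."""
    if rights.startswith("0x"):
        return bool(int(rights, 16) & 0x100)
    return "CR" in re.findall("..", rights)

def may_get_all_changes(sddl, token_sids):
    """Ordered DACL walk: the first ACE matching the token and right decides."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl).group(1)
    for ace_type, flags, rights, obj, _inherit_obj, sid in ACE.findall(dacl):
        if sid not in token_sids or "IO" in re.findall("..", flags):
            continue  # other trustee, or inherit-only ACE
        if not has_control_access(rights) or obj.lower() not in ("", GET_ALL_CHANGES):
            continue  # ACE does not cover this extended right
        return ace_type in ("A", "OA")  # D/OD deny, A/OA allow
    return False  # no matching ACE: implicit deny

def level_filter_allows(token_sids):
    """Hypothetical model of a level-based filter: Domain Admins or DCs only."""
    return any(s.endswith(("-512", "-516")) for s in token_sids)
```

For the constructed sync account (RID 1105) the ACL check grants access while the level-based filter refuses it, which is the mismatch the report describes; an account holding only Get-Changes (RID 1106) is refused by both.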