Q. If I replicate accounts from on-premises to Azure AD do they have to use 16 character or less passwords?
A. No. The 16 character maximum password length is only for cloud-only accounts as documented at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy. For accounts replicated from on-premises the policy of the source is used allowing greater than 16 characters.