@AscendForward-3747 Thanks for reaching out. This is indeed a common scenario now a days and all depends how are you approaching on this.
1) Brand new laptop getting shipped to users location with Hybrid AAD Join AUTOPILOT configuration.
If that is the scenario you are in, you will have to consider the White Glove Hybrid AAD Join off corporate network path. Which needs a corresponding VPN profile so that your end users can connect to Corporate network and complete the joining process.
2) Users already have a Hybrid AAD join devices from office, in this scenario it will just work normally like the way you would expect it to. If you have a password writeback enabled, then any user who changes the password over internet eventually triggers a password reset at on-prem where the new password is updated. You might see a little bit of delay and then you can login using your new password. (Provided the client machine has proper connectivity to your corp network)
Let me know if you have any questions.
If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.