Isn't password writeback a security risk with multiple tenancies?

Question

Think of a consulting company with domain @Company updates .de that does not have any azure tenancy (uses a Google universe). However their customers cust1, cust2 and cust3 all have azure active directory and added user1@Company updates .de each as a guest to it's tenancy. That is working fine. However when one of those customers has password writeback enabled, wouldn't that lead to this password being written back to the local active directory of cust1 with a neglictable security net of a md4 hash? If an evil admin@cust1 would decode this password he could sign in to the azure active directory account? The issue can obviously be migitated if cust2 and cust3 have 2fa setup, but nevertheless this doesn't sound good to me.

Or is this not possible due to some security mechanisms in place that I'm not aware of? And password writeback works only for the primary domain of a user (@Company updates .de)?

There is a section on B2B in https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#password-reset-for-b2b-users but I'm not sure if this covers the above scenario - especially if there is no "main tenancy".

Answer 1

Guest accounts cant use SSPR in another tenant- so no writeback. Writeback would only happen if it was enabled for consulting.de syncing from its on-prem AD forest to its validated Azure tenant.

Answer 2

Ihttps://techcommunity.microsoft.com/t5/azure-active-directory-identity/how-do-guest-users-change-passwords/m-p/56132

When they use your resources as guests, they are authenticated back to their source directory, not your Azure AD. So, the user must manage/chnage the password in their source environment.

ALso:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks