Password Sync down to AD from IDN

Looking to use IdentityNow for account onboarding and then ultimately rewriting a randomized temp password in AD to the user’s entered password through registration in IdentityNow. Flow goes like this:

  1. Auth source has a newly on-boarded user.
  2. Auth source aggregation creates a new identity.
  3. Lifecycle state created an AD account by default, with a randomized unknown password.
  4. IDN automatically sends out invitation emails to everyone onboarded.
  5. User responds to the email and creates a permanent password.

From there, IdentityNow has the correct password, but we need that sent down to AD automatically. Would we need to use a sync group for this with only AD included? Or are there other options? Workflow maybe? Just want to make sure I’m not missing something simple. Thanks