Hacker News
by brazzledazzle 3302 days ago
That wouldn't work, at least for a lot of customers, because they authenticate a user based on a chain of trust back to the customer's on-prem Active Directory instance. An agent running on the customer's infrastructure leverages Kerberos/NTLM to authenticate the user then passes a token back to the identity provider. As a result there are authentication flows where the provider never sees the password.

Many providers do have an agent that runs on the AD servers that MitM-captures the passwords when the user rotates them, but that's a lot more involved to get set up. They could either force use of that AD agent or remove the functionality entirely and force users to manage a password with the service, but it would either make onboarding slow/impossible or really reduce the convenience factor for users. It's something every identity provider would need to do (or be forced to do), because the ones that didn't would steal away all of their customers.
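The flow the comment describes (the on-prem agent authenticates the user, then hands the identity provider a token it can verify without ever seeing the password) can be modelled in a few dozen lines. The following is an added illustration, not code from any vendor's agent or from the commenter: the agent holds a constructed two-user directory (standing in for a Kerberos/NTLM check against AD), signs an assertion with a per-agent shared key (a simplification; real deployments may use asymmetric keys or TLS client certs), and the IdP binds each login to a challenge nonce so a captured assertion cannot be replayed. All names (`OnPremAgent`, `IdentityProvider`, `run_flow`) and the sample passwords are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

PBKDF2_ITERATIONS = 100_000


def build_record(password: str, salt: bytes) -> dict:
    """Constructed directory entry: salted PBKDF2 hash, standing in for AD's credential store."""
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)}


class OnPremAgent:
    """Runs inside the customer's network. The password is checked here and never
    appears in anything sent to the identity provider."""

    def __init__(self, agent_id: str, shared_key: bytes, directory: dict):
        self.agent_id = agent_id
        self.shared_key = shared_key
        self.directory = directory  # username -> record from build_record()

    def authenticate(self, username: str, password: str, challenge: str, now=None):
        record = self.directory.get(username)
        if record is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, record["hash"]):
            return None  # wrong password: no assertion is produced at all
        payload = {
            "agent": self.agent_id,
            "sub": username,
            "nonce": challenge,           # binds the assertion to one IdP-issued login attempt
            "iat": int(now if now is not None else time.time()),
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        sig = hmac.new(self.shared_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class IdentityProvider:
    """Cloud side. Knows each enrolled agent's key, never learns any password."""

    def __init__(self, agent_keys: dict, max_age_seconds: int = 60):
        self.agent_keys = agent_keys          # agent_id -> shared key
        self.outstanding = set()              # challenges issued but not yet consumed
        self.max_age = max_age_seconds

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, assertion, now=None):
        """Return the authenticated username, or None if the assertion is invalid."""
        if assertion is None:
            return None
        now = time.time() if now is None else now
        body = assertion["body"]
        try:
            payload = json.loads(body)
        except ValueError:
            return None
        # The agent id is read before the signature is checked only to select the key,
        # exactly as a JWT 'kid' is; nothing else is trusted until the MAC verifies.
        key = self.agent_keys.get(payload.get("agent"))
        if key is None:
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None  # tampered body or unknown signer
        nonce = payload.get("nonce")
        if nonce not in self.outstanding:
            return None  # replayed, or never issued by this IdP
        if not isinstance(payload.get("iat"), int) or now - payload["iat"] > self.max_age:
            return None  # stale
        self.outstanding.discard(nonce)  # single use
        return payload["sub"]


def run_flow(now: int = 1_700_000_000) -> dict:
    """Drive one good login, a replay, a wrong password and a tampered assertion."""
    shared_key = secrets.token_bytes(32)
    directory = {
        "alice": build_record("correct horse", b"salt-alice"),   # constructed sample credentials
        "bob": build_record("battery staple", b"salt-bob"),
    }
    agent = OnPremAgent("customer-agent-1", shared_key, directory)
    idp = IdentityProvider({"customer-agent-1": shared_key})

    c1 = idp.issue_challenge()
    a1 = agent.authenticate("alice", "correct horse", c1, now=now)
    good = idp.verify(a1, now=now)
    replay = idp.verify(a1, now=now)                       # same assertion presented twice

    bad = agent.authenticate("alice", "wrong", idp.issue_challenge(), now=now)

    a3 = agent.authenticate("alice", "correct horse", idp.issue_challenge(), now=now)
    tampered = dict(a3, body=a3["body"].replace('"sub":"alice"', '"sub":"bob"'))
    forged = idp.verify(tampered, now=now)

    return {"good": good, "replay": replay, "bad": bad, "forged": forged, "assertion": a1}


if __name__ == "__main__":
    print(run_flow())
```

The point the comment makes falls out of the model: an attacker who compromises the identity provider gets signed assertions and agent keys, but not user passwords, because the only place a password is ever compared is inside the customer's network. The password-sync agent the comment mentions is the opposite trade-off: it hands the provider the plaintext at rotation time so the provider can authenticate on its own.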