Synchronize Windows Access Control Lists (ACLs) through OneDrive for Business with Azure Active Directory
When a user synchronizes files in OneDrive for Business, the Access Control Lists (ACLs) on those files are lost, and permissions become enforced only through OneDrive itself. In a world with Azure Active Directory, this makes little sense, and makes securing files unnecessarily complicated (and makes security breaches unnecessarily likely).
For OneDrive for Business, when origin files have ACLs within a Windows Active Directory Domain, the administrator should have the ability to use Azure Active Directory to extend the application of those original ACLs to all places to which OneDrive for Business syncs the files. If a OneDrive for Business client tries to sync the files to a computer not in that Active Directory Domain, the administrator should have the option to prohibit the sync, or to map the Office 365/Azure AD authenticated user to a user or group in the origin AD Domain.