UCS O365 connector conceptual questions

Looking at O365 connectivity/replication from the MS AD point of view I’ve tried to understand how the O365 connector works in UCS and wanted to ask if I’ve understood certain aspects correctly.

Am I right that (by default) the UCS O365 connector takes over the Directory Synchronization part of Azure AD Connect by writing the users and their attributes from OpenLDAP to Azure AD as soon as a user is enabled for O365 via UDM?

As no passwords are synchronized, authentication is done through SAML via the UCS portal. The equivalent in Windows would be AD FS and Azure AD is configured for the equivalent in the Windows world would thus be AD FS? If so, is the Azure tenant configured to federated (as in Convert-MsolDomainToFederated)

Does the UCS SSO portal need to be exposed to the internet only through the master, nor can it be load-balanced to a UCS slave or backup? (like AD FS can have a AD FS “farm” of servers)

I’ve seen others have come up with a way to havepasswords synchronized (with both benefits and disadvantages) using AADconnect with UCS, but it’s not otherwise mentioned in the official documentation so I have some hesitations in terms of “supportability” from Univention.

Are there any references as to how user licenses (Office 365 etc.) are configured - on the UCS or the Azure AD side via Web or PowerShell?