Hi Keith,
I will answer the questions one by one.
Q1: Can I synchronise passwords only, and leave the management of groups etc. in the cloud?
A1: Yes. Password sync is available within the latest DirSync tool. We can configure an organizational-unit-based filter. Please refer to this article: Configure filtering for directory synchronization.
================================================
Q2: If yes to above, if we perform a sync does it immediately make the existing 365 user account password invalid?
A2: Since you have users already created prior to the DirSync, please read this article to make an SMTP matching for the existing online users: How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for directory synchronization.
As a tip, once the user is matched, many attributes will be overwritten by the on-premise user. The DirSync attributes can be found here: List of attributes that are synced by the Windows Azure Active Directory Sync tool (DirSync).
Best Regards,
Bruce Zhou