More or less, it uses API calls to check the NTLM hash of an AD account to known hashes in the Have I Been Pwned database.
There are two API versions which can be found here:
https://haveibeenpwned.com/API/v2
https://haveibeenpwned.com/API/v3
In ManageEngine, when the user submits the password change request, it kicks off an API call to the Have I been Pwned database, and the API returns a response code, if the response code is 200, this confirms a match, a 404 response code means there was no match and the password is safe to use.