Microsoft has indicated it will make changes to reduce the risk around what a security vendor says is a vulnerability that lets attackers run brute-force credential attacks against Azure Active Directory. The issue was reported to Microsoft in June by SecureWorks’ Counter Threat Unit.
https://www.inforisktoday.co.uk/microsoft-will-mitigate-brute-force-bug-in-azure-ad-a-17646