Microsoft has indicated it will make changes to reduce the risk around what a security vendor says is a vulnerability that lets attackers run brute-force credential attacks against Azure Active Directory. The issue was reported to Microsoft by SecureWorks on June 29, although at least one other researcher, Dirk-jan Mollema, reported it to Microsoft last year. The vulnerability is wrapped into a complex authentication flow using the Kerberos protocol. Microsoft initially told SecureWorks that Azure AD was working by design, but a proof-of-concept attack has emerged.
Source: https://www.govinfosecurity.com/microsoft-will-mitigate-brute-force-bug-in-azure-ad-a-17646