Hey all, thanks for the comments. Challenging format for threaded replies, but:
Adi Hafiskadic: It is pretty hard to get all the way out to the edges, because of services that still require legacy auth and because of the need for unattended service accounts. One should still minimize exposure here (CA is our tool for this). We are working feverishly to make this easier.
Steve Hernou: Yes, absolutely agree. We are doing a variety of things to help block this. Keep pressure on users to update clients and keep pressure on vendors (including us) to eliminate legacy auth endpoints. In the meantime, scope use of legacy auth to users who absolutely need it.
Craig Chambers (hopefully the right one): 20 hours to break one password puts this at prohibitive levels already, but we are planning AAD password configuration controls so you can increase the minimum as needed. That said, length really doesn't matter. Remember, by the time you are here, there's an 80% chance that the user is already compromised. Length requirements tend to increase other bad behavior and hurt more than they help. See https://aka.ms/passwordguidance for more on this.
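The reply above recommends scoping legacy auth to the users who genuinely need it and notes that password spray, not password length, is the practical threat. The first step for both is knowing what the sign-in logs say. The script below is an added example, not code from the original thread or from Microsoft: it runs over a constructed set of Azure AD-style sign-in records to (1) list which accounts actually completed a legacy-protocol sign-in, which is the population a Conditional Access legacy-auth block would have to exempt, and (2) flag source IPs whose failed attempts fan out across many accounts with only a few tries each, the shape of a password spray. The record fields (`userPrincipalName`, `clientAppUsed`, `ipAddress`, `status.errorCode`) follow the Graph `signIn` resource, the legacy client-name set is illustrative rather than an authoritative list, and all sample records are constructed.

```python
"""Added example (not part of the original thread): summarise constructed
Azure AD-style sign-in records to find accounts still using legacy auth
and to flag password-spray sources.

Assumptions (not from the page): the record shape mirrors the Graph
`signIn` resource, the legacy client names are illustrative, and error
code 50126 is used as the "invalid username or password" result.
"""
from collections import defaultdict

# Protocols that cannot carry MFA. Illustrative set chosen for this example,
# not an authoritative Microsoft list.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Other clients", "MAPI Over HTTP", "Exchange Web Services",
    "Autodiscover", "Offline Address Book",
}

# Constructed sample sign-in records (not real data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.test", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.test", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@contoso.test", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.12", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.test", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
    # A spray: one IP, a single failed guess against each of many accounts.
    *[{"userPrincipalName": f"user{i}@contoso.test", "clientAppUsed": "Other clients",
       "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}} for i in range(12)],
    # One user mistyping their own password repeatedly is not a spray.
    *[{"userPrincipalName": "carol@contoso.test", "clientAppUsed": "Browser",
       "ipAddress": "203.0.113.20", "status": {"errorCode": 50126}} for _ in range(5)],
]


def legacy_auth_users(signins):
    """Map each user that completed a legacy-protocol sign-in to the protocols used.

    Only successful sign-ins count: a failed legacy-protocol attempt from a
    spraying IP says nothing about whether the targeted account needs legacy auth.
    """
    users = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["clientAppUsed"] in LEGACY_CLIENTS:
            users[s["userPrincipalName"]].add(s["clientAppUsed"])
    return dict(users)


def spray_sources(signins, min_accounts=10, max_attempts_per_account=3):
    """Return {ip: distinct_accounts} for IPs whose failures look like a spray.

    The signature is breadth, not depth: many distinct accounts, each tried
    only a few times so no single account trips its lockout threshold.
    A lone user failing repeatedly fails the breadth test and is not flagged.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    for s in signins:
        if s["status"]["errorCode"] == 50126:  # invalid username or password (assumed code)
            failures[s["ipAddress"]][s["userPrincipalName"]] += 1
    flagged = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_attempts_per_account:
            flagged[ip] = len(per_user)
    return flagged


if __name__ == "__main__":
    for user, protocols in sorted(legacy_auth_users(SAMPLE_SIGNINS).items()):
        print(f"legacy auth still in use: {user} via {', '.join(sorted(protocols))}")
    for ip, n in spray_sources(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {n} accounts targeted")
```

On real data, `legacy_auth_users` gives the exemption list for a Conditional Access policy that blocks legacy protocols for everyone else; the service account in the sample is the "unattended" case the reply mentions. `spray_sources` deliberately ignores per-account failure counts in favour of per-source breadth, because a spray is designed to stay under any per-account threshold.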