Lonnard: on your password examples, be aware that the current algorithm does take into account complexity that is present even once a banned token is detected. In your example, "frogs" was detected but "1234" gave it enough extra complexity to allow it to be accepted. The algorithm tries to strike a balance between security and usability in this regard. The algorithm is tuned fairly often so nothing should be regarded as set in stone.
On your lockout issues, I am not aware of any potential interaction between on-premises Azure AD Password Protection DC agents and the Default Domain policy - from AD's perspective, AADPP is just another installed password filter DLL. Would you please contact me offline so I can get a few more details from you on this?