Microsoft and Microsoft Exchange admins have seen a huge increase in credential stuffing attempts during the last few months. No doubt Microsoft decided that this is one good step towards tamping down these attacks. It is not 100% foolproof: it still allows users to choose MFA in the form of SMS and a backup email address unless organization admins enforce stronger methods exclusively. Personal Office 365 users can still use email or phone OTP as their MFA/2FA method.
"Common attacks such as phishing, password spray, and credential stuffing rely on one unchanging truth: when it comes to passwords, human behavior is predictable. Armed with this predictability, bad actors still succeed most of the time when attempting these types of attacks, even though the tools they're using are 30 years old.
Starting today, we're excited to announce that anyone using a consumer Microsoft account can go completely passwordless! You can now delete your password from your Microsoft account, or set up a new account with no password, and sign in using other more secure and convenient authentication methods such as the Microsoft Authenticator app, Windows Hello, or physical security keys." As always, discuss it here.
Read Microsoft blog post