If I'm reading this correctly, the error response back to the client is a problem. The plain text is a generic "invalid username or password", but the error code included reveals too much. One of:
- The user does not exist
- The user exists and the correct username and password were entered, but the account is locked
- The user exists but does not have a password in Azure AD
- The user exists, but the wrong password was entered
- The user exists, but the maximum Pass-through Authentication time was exceeded
This violates a cardinal rule of authentication. A malicious actor can know from the error code if the user they are attempting to break exists or not (that reduces the search space by quite a lot) and worse, it even tells them when they have a correct username/password combo for a locked account.
Yes, attempts can be throttled, but once the attacker knows a valid username/password, they can just wait.
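As an added example (not code from the original comment or from any Azure AD component), here is the leaky pattern the comment describes next to the fix: every internal outcome collapses to one identical client response, and the distinguishing reason goes only to a server-side audit log. The outcome names, handler functions and request identifiers are assumptions.

```python
import logging
from enum import Enum

audit = logging.getLogger("auth.audit")

class AuthOutcome(Enum):
    # Constructed internal outcomes mirroring the five cases listed above
    USER_NOT_FOUND = "user_not_found"
    ACCOUNT_LOCKED = "account_locked"
    NO_PASSWORD_SET = "no_password_set"
    WRONG_PASSWORD = "wrong_password"
    PTA_TIMEOUT = "pta_timeout"
    SUCCESS = "success"

FAILURES = [o for o in AuthOutcome if o is not AuthOutcome.SUCCESS]

def leaky_response(outcome: AuthOutcome) -> dict:
    """Leaky pattern: generic text, but a per-outcome error code."""
    if outcome is AuthOutcome.SUCCESS:
        return {"status": 200, "error_code": None, "message": "ok"}
    # Each failure gets its own code, so the client can tell them apart
    return {"status": 401, "error_code": outcome.value,
            "message": "invalid username or password"}

def hardened_response(outcome: AuthOutcome, username: str, request_id: str) -> dict:
    """Hardened pattern: one fixed failure response; detail only in the audit log."""
    if outcome is AuthOutcome.SUCCESS:
        return {"status": 200, "error_code": None, "message": "ok"}
    # The reason is recorded server-side for investigation and lockout tuning
    audit.warning("auth failure request_id=%s user=%s reason=%s",
                  request_id, username, outcome.value)
    return {"status": 401, "error_code": "AUTH_FAILED",
            "message": "invalid username or password"}

def distinguishable_failures(handler) -> int:
    """Count how many distinct client-visible failure responses a handler emits.
    1 means an attacker learns nothing from the response body; more means a leak."""
    seen = set()
    for outcome in FAILURES:
        resp = handler(outcome)
        seen.add(tuple(sorted(resp.items())))
    return len(seen)

if __name__ == "__main__":
    print("leaky:", distinguishable_failures(leaky_response))
    print("hardened:", distinguishable_failures(
        lambda o: hardened_response(o, "alice", "req-1")))
```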