Edit the Password Policy - Azure AD - 5 Attempt lockout, Password History at least 5
Right now if a device is Azure AD joined there is no lockout policy and the password history is only compared to the most recent password set.
In regular Microsoft Active Directory there are many more options you are given for a more secure password practice:
-If 5 incorrect attempts are made into a device login it should lock for 1-2 minutes and there should be an option in Administrator to be able to unlock
-Compare new password to past 5 passwords