The success rate is also likely pretty high. You're not necessarily restricted to just the entropy of a single password, but depending on the attack vector it can be conditioned on also knowing the account owner's identity or username/email. Combine that property with the insane payoff of uncappable Azure access, and this starts to look more attractive.