In Azure this can be done against different API endpoints like Azure AD Graph, Microsoft Graph, Office 365 Reporting webservice, etc.
However, note that this technique is very noisy and Blue Team can easily catch it. Moreover, forced password complexity and the use of MFA can make this technique kind of useless.
You can perform a password spray attack with MSOLSpray