The 44 million weak accounts comprised both Microsoft Services Accounts (regular users) and Azure AD accounts too, suggesting businesses are not adopting proper password hygiene.
A total of three billion user credentials were checked in a database populated from numerous sources including law enforcement and public databases.
Using the data set of three billion credentials, Microsoft was able to identify the number of users who were resuing credentials across multiple online services.
Microsoft forced a password reset for all of those users who were found to have leaked credentials during the scan which took place between January and March 2019.
"On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced," the company said.
Microsoft also said if users are going to reuse login credentials across different services, enabling a form of multi-factor authentication (MFA) is imperative.
"MFA is an important security mechanism that can dramatically improve your security posture," it said. "Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA."
