If it comes to password policies, you can only configure the password expiration or enable Smart Lock-out. Speaking about studies, those also mention that password policies are not safe and will not protect you against brute force methods such as password spray attacks. If you want to secure your identities properly, make sure you implement MFA, conditional access, Identity protection etc etc.
For more info about smart lockout:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout
For more info about conditional access:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview