Just an update to round this out - after the
hints from a number of folk on- and off-list, I was able to direct
our IT team on how to get this organized.
It is a rather different process for OAuth2 on 365 vs. classic
Exchange, but Microsoft do lump macOS native apps into a so-called
"Apple Internet Accounts" profile, which is a bit of a dark art to
properly activate.
Thanks, all.
Mark.