Just an update to round this out - after the hints from a number of folk on- and off-list, I was able to direct our IT team on how to get this organized.

It is a rather different process for OAuth2 on 365 vs. classic Exchange, but Microsoft do lump macOS native apps into a so-called "Apple Internet Accounts" profile, which is a bit of a dark art to properly activate.

Thanks, all.

Mark.